Quiz 01S — Emerging Cyber Law: AI/LLM Security Research, Supply Chain, Cyber Insurance | LawZeee

Question 1

In Van Buren v. United States (2021), the Supreme Court held that "exceeds authorized access" under the CFAA requires what specific condition?

AViolating the platform's terms of service in any material wayBCrossing a technical gate to access an area of a system the user was not permitted to accessCAccessing any data that the user was not explicitly assigned to reviewDUsing an account for a purpose that the account owner did not intend

Question 2

Under the Van Buren technical gate analysis applied to AI systems, which scenario presents the LOWEST CFAA criminal risk for a security researcher?

AContinuing to probe an AI API after the vendor explicitly revoked the researcher's API keyBAccessing an AI system using stolen credentials obtained from another userCSending adversarial prompts (jailbreak attempts) to a publicly accessible AI API using a valid API key, without bypassing any authentication mechanismDUsing a colleague's API credentials to run model inversion experiments without their knowledge

Question 3

HackerOne launched its AI Security Research Safe Harbor in January 2026. Which of the following activities does the safe harbor explicitly cover that standard bug bounty safe harbors typically do not?

AAutomated credential stuffing attacks against AI login portalsBAdversarial ML techniques including prompt injection, jailbreaking, model extraction, and membership inference attacksCVulnerability research on AI companies' physical office networksDPublishing training data extracted from AI models without any retention restrictions

Question 4

A security researcher uses a valid API key to send thousands of carefully crafted prompts to a commercial LLM and successfully causes it to reproduce verbatim passages of what appears to be proprietary training data. The researcher retains a large dataset of this extracted material. Which statute presents the most serious and underappreciated legal risk for retaining this extracted data?

AThe Stored Communications Act (18 U.S.C. § 2701)BThe Wire Fraud statute (18 U.S.C. § 1343)CThe Economic Espionage Act (18 U.S.C. §§ 1831–1839)DThe Digital Millennium Copyright Act (17 U.S.C. § 1201)

Question 5

Following Van Buren, what is the legal status of an AI security researcher who violates an AI vendor's terms of service by running adversarial tests, but does not bypass any technical authentication mechanism and holds a valid API key throughout?

AThe researcher is automatically guilty of criminal CFAA violation because the ToS violation transforms authorized access into unauthorized accessBToS violations alone do not trigger criminal CFAA liability under Van Buren, though the vendor may have a civil breach of contract claimCThe researcher is immune from all civil and criminal liability under the Computer Fraud and Abuse Act regardless of the damage causedDThe researcher faces criminal liability only if the testing causes measurable financial loss to the AI company exceeding $5,000

Question 6

A downstream customer of SolarWinds suffered $15 million in remediation costs after the 2020 Orion supply chain attack. Under current U.S. law, which doctrine most directly bars the customer from recovering those costs through a negligence claim against SolarWinds?

AThe statute of limitations for computer fraud claimsBThe economic loss rule, which bars negligence recovery for pure economic losses absent physical injury or property damage in most U.S. jurisdictionsCThe filed rate doctrine, which applies to software licensed under regulated pricing structuresDThe first sale doctrine, which limits manufacturer liability after software is sold

Question 7

In Merck & Co. v. ACE American Insurance Co. (NJ Superior Court, January 2023), the court ruled on Merck's $1.4 billion insurance claim for NotPetya losses. What was the court's core reasoning for rejecting the war exclusion?

ANotPetya was not actually attributable to a nation-state, so the exclusion could not applyBThe war exclusion only applies to losses in the physical territory where armed conflict is occurringCThe war exclusion was drafted for traditional armed conflict between sovereign nations, and Merck's reasonable expectation as a policyholder was that commercial cyber losses were covered — policy exclusions must be interpreted narrowly against the insurerDMerck had purchased a special cyber war endorsement that superseded the standard exclusion language

Question 8

Following the Merck and Mondelez NotPetya outcomes, Lloyd's of London issued Market Bulletin Y5381 (November 2022), requiring new cyber war exclusion language. What problem did the new language create for policyholders?

AIt eliminated all coverage for ransomware attacks by state-sponsored actorsBIt replaced one ambiguity (old "hostile or warlike action" language too broad) with a different ambiguity — the new distinction between "cyber war" (excluded) and "cyber operations" (covered) requires a geopolitical factual determination policyholders cannot make at time of lossCIt mandated that all cyber claims be arbitrated in London under English lawDIt required policyholders to prove within 30 days that an attack was not state-sponsored in order to preserve coverage

Question 9

Under the EU Cyber Resilience Act (2024), which statement most accurately describes the Act's territorial reach and liability structure?

AIt applies only to software companies headquartered within EU member statesBIt creates a private right of action allowing downstream supply chain victims to sue compromised software vendors in EU courtsCIt applies to any manufacturer selling "products with digital elements" into EU markets regardless of where the manufacturer is based, with civil penalties up to €15 million or 2.5% of global annual revenue, enforced by market surveillance authorities (not private suits)DIt applies only to open source software distributed without warranty in EU markets

Question 10

A hospital network suffers a ransomware attack. The IR team determines the attacker is likely affiliated with ALPHV/BlackCat (OFAC-designated February 2024). The hospital's cyber insurance policy requires written insurer consent before any ransom payment. The hospital's CISO authorizes a $3 million payment without obtaining consent, believing speed is critical to restore patient care. What are the TWO most significant legal risks created by this sequence of events?

AThe hospital faces HIPAA criminal penalties for the payment; the CISO faces personal CFAA liability for using company fundsBThe hospital may have committed a sanctions violation by paying a designated entity regardless of intent (OFAC strict liability for civil penalties), AND the insurer may deny the claim because the policy's consent-to-pay requirement was violated before payment was authorizedCThe hospital faces wire fraud charges for the cryptocurrency transfer; the insurer must pay because emergency circumstances waive the consent requirementDThe CISO personally owes restitution to OFAC; the hospital's HIPAA coverage automatically extends to ransom payments under the HITECH Act