CTO CTO Regulatory Compliance & Legal

Question 1

Under GDPR, which role is responsible for ensuring technology systems process personal data lawfully, and what is their primary obligation?

Accepted Answer

The Data Protection Officer (DPO), who oversees compliance and advises on data protection obligations

Answer

The CTO, who must personally approve every data processing request

Answer

The CISO, who encrypts all personal data by default

Answer

The CEO, who signs all data processing agreements

Question 2

A US-based healthcare technology company must ensure its platform complies with patient data privacy requirements. Which regulation is primarily applicable?

Accepted Answer

HIPAA (Health Insurance Portability and Accountability Act)

Answer

SOX (Sarbanes-Oxley Act)

Answer

FERPA (Family Educational Rights and Privacy Act)

Answer

CAN-SPAM Act

Question 3

What is a Software Bill of Materials (SBOM) and why is it increasingly required by US regulators for technology vendors?

Accepted Answer

A formal inventory of software components and dependencies used in a product, required to identify supply chain vulnerabilities

Answer

A financial statement of software licensing costs

Answer

A list of approved software vendors for government contracts

Answer

A project plan for software development milestones

Question 4

The Sarbanes-Oxley Act (SOX) Section 404 has significant implications for CTOs of publicly traded US companies. What does it primarily require?

Accepted Answer

Management to assess and report on the effectiveness of internal controls over financial reporting, including IT controls

Answer

Annual security penetration testing of all systems

Answer

Third-party audits of software development practices

Answer

Encryption of all financial data at rest

Question 5

A CTO is launching a product that collects personal data from California residents. Which state privacy law must the product comply with?

Accepted Answer

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

Answer

New York SHIELD Act

Answer

Illinois Biometric Information Privacy Act (BIPA)

Answer

Texas Data Privacy and Security Act

Question 6

What is the purpose of a Data Processing Agreement (DPA) between a technology company and its cloud provider?

Accepted Answer

To define the legal obligations of the processor when handling personal data on behalf of the controller

Answer

To set service level agreements for uptime and performance

Answer

To negotiate pricing for cloud infrastructure services

Answer

To establish intellectual property ownership of data stored in the cloud