{
  "question_text": "Under Rapido Facil Exchange Co.'s incident response procedures, if a security breach affects 500 or more Florida residents, what action must be completed within 30 days of breach determination?",
  "options": [
    "Notify the Florida Department of Legal Affairs",
    "Engage legal counsel to evaluate notification obligations",
    "File a SAR with the appropriate federal regulator",
    "Apply all critical security patches to affected systems"
  ],
  "correct_answer": "Notify the Florida Department of Legal Affairs",
  "correct_response": "Correct. When a breach affects 500 or more Florida residents, Rapido Facil Exchange Co. must notify the Florida Department of Legal Affairs within 30 days of breach determination. Legal counsel must be engaged within 24 hours — a separate, earlier requirement.",
  "incorrect_response": "When a breach affects 500 or more Florida residents, the Florida Department of Legal Affairs must be notified within 30 days of breach determination. Engaging legal counsel is required within 24 hours of discovering any incident — that is a separate obligation with a shorter deadline.",
  "unsure_response": null,
  "question_bank": [
    {
      "question_text": "A security incident involving nonpublic personal information is discovered. Under Rapido Facil Exchange Co.'s incident response procedures, within what timeframe must legal counsel be engaged?",
      "options": [
        "Within 24 hours of discovery",
        "Within 72 hours of discovery",
        "Within 30 days of breach determination",
        "Within 5 business days of the incident"
      ],
      "correct_answer": "Within 24 hours of discovery",
      "correct_response": "Correct. Legal counsel must be engaged within 24 hours of discovering a security incident. This is separate from the 30-day notification deadline that applies when 500 or more Florida residents are affected.",
      "incorrect_response": "Legal counsel must be engaged within 24 hours of discovering a security incident — not 72 hours, not 30 days. The 30-day deadline applies to notifying the Florida Department of Legal Affairs when 500 or more residents are affected.",
      "unsure_response": null
    },
    {
      "question_text": "A security breach at Rapido Facil Exchange Co. involved exploitation of customer accounts to facilitate financial crime. In addition to breach notification obligations, what additional action is required?",
      "options": [
        "File a SAR",
        "Notify the Florida Department of Legal Affairs within 24 hours",
        "Suspend all customer accounts pending investigation",
        "Retain documentation for three years"
      ],
      "correct_answer": "File a SAR",
      "correct_response": "Correct. When a breach involves exploitation of customer accounts to facilitate financial crime, Rapido Facil Exchange Co. must file a SAR in addition to completing all standard breach notification and documentation requirements.",
      "incorrect_response": "When a breach involves customer accounts being exploited for financial crime, a SAR must be filed. The Florida Department of Legal Affairs notification is required when 500 or more residents are affected — but the SAR obligation arises specifically from the financial crime nexus.",
      "unsure_response": null
    }
  ],
  "enrichment_content": "<p><strong>Breach notification has two separate timelines:</strong></p><ul><li>Engage legal counsel within <strong>24 hours</strong> of discovering any security incident involving nonpublic personal information.</li><li>Notify the <strong>Florida Department of Legal Affairs within 30 days</strong> of breach determination when 500 or more Florida residents are affected.</li><li>If the breach involved exploitation of customer accounts to facilitate financial crime, a <strong>SAR must also be filed</strong>.</li><li>All incident documentation must be retained for <strong>five years</strong>.</li></ul>"
}