March Sale Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

IAPP CIPP-US Dumps

Page: 1 / 13
Total 168 questions

Certified Information Privacy Professional/United States (CIPP/US) Questions and Answers

Question 1

In which situation would a policy of “no consumer choice” or “no option” be expected?

Options:

A.

When a job applicant’s credit report is provided to an employer

B.

When a customer’s financial information is requested by the government

C.

When a patient’s health record is made available to a pharmaceutical company

D.

When a customer’s street address is shared with a shipping company

Question 2

Which of the following statements is most accurate in regard to data breach notifications under federal and

state laws:

Options:

A.

You must notify the Federal Trade Commission (FTC) in addition to affected individuals if over 500 individuals are receiving notice.

B.

When providing an individual with required notice of a data breach, you must identify what personal information was actually or likely compromised.

C.

When you are required to provide an individual with notice of a data breach under any state’s law, you must provide the individual with an offer for free credit monitoring.

D.

The only obligations to provide data breach notification are under state law because currently there is no federal law or regulation requiring notice for the breach of personal information.

Question 3

SCENARIO

Please use the following to answer the next QUESTION:

You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo’s business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement securitymeasures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth’s security measures.

A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals – ones that exposed the PHI of public figures including celebrities and politicians.

During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach

and a copy of the PHI of the individuals affected.

A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual’s ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient’s attorney has submitted a discovery request for the ePHI exposed in the breach.

What is the most effective kind of training CloudHealth could have given its employees to help prevent this type of data breach?

Options:

A.

Training on techniques for identifying phishing attempts

B.

Training on the terms of the contractual agreement with HealthCo

C.

Training on the difference between confidential and non-public information

D.

Training on CloudHealth’s HR policy regarding the role of employees involved data breaches

Question 4

What privacy concept grants a consumer the right to view and correct errors on his or her credit report?

Options:

A.

Access.

B.

Notice.

C.

Action.

D.

Choice.

Question 5

In what way does the “Red Flags Rule” under the Fair and Accurate Credit Transactions Act (FACTA) relate to the owner of a grocery store who uses a money wire service?

Options:

A.

It mandates the use of updated technology for securing credit records

B.

It requires the owner to implement an identity theft warning system

C.

It is not usually enforced in the case of a small financial institution

D.

It does not apply because the owner is not a creditor

Question 6

Which of the following does Title VII of the Civil Rights Act prohibit an employer from asking a job applicant?

Options:

A.

Questions about age

B.

Questions about a disability

C.

Questions about a national origin

D.

Questions about intended pregnancy

Question 7

What is the main purpose of the CAN-SPAM Act?

Options:

A.

To diminish the use of electronic messages to send sexually explicit materials

B.

To authorize the states to enforce federal privacy laws for electronic marketing

C.

To empower the FTC to create rules for messages containing sexually explicit content

D.

To ensure that organizations respect individual rights when using electronic advertising

Question 8

Sarah lives in San Francisco, California. Based on a dramatic increase in unsolicited commercial emails, Sarah believes that a major social media platform with over 50 million users has collected a lot of personal information about her. The company that runs the platform is based in New York and France.

Why is Sarah entitled to ask the social media platform to delete the personal information they have collected about her?

Options:

A.

Any company with a presence in Europe must comply with the General Data Protection Regulation globally, including in response to data subject deletion requests.

B.

Under Section 5 of the FTC Act, the Federal Trade Commission has held that refusing to delete an individual’s personal information upon request constitutes an unfair practice.

C.

The California Consumer Privacy Act entitles Sarah to request deletion of her personal information.

D.

The New York “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act requires that businesses under New York’s jurisdiction must delete customers’ personal information upon request.

Question 9

Although an employer may have a strong incentive or legal obligation to monitor employees’ conduct or behavior, some excessive monitoring may be considered an intrusion on employees’ privacy? Which of the following is the strongest example of excessive monitoring by the employer?

Options:

A.

An employer who installs a video monitor in physical locations, such as a warehouse, to ensure employees are performing tasks in a safe manner and environment.

B.

An employer who installs data loss prevention software on all employee computers to limit transmission of confidential company information.

C.

An employer who installs video monitors in physical locations, such as a changing room, to reduce the risk of sexual harassment.

D.

An employer who records all employee phone calls that involve financial transactions with customers completed over the phone.

Question 10

What is a key way that the Gramm-Leach-Bliley Act (GLBA) prevents unauthorized access into a person’s back account?

Options:

A.

By requiring immediate public disclosure after a suspected security breach.

B.

By requiring the amount of customer personal information printed on paper.

C.

By requiring the financial institutions limit the collection of personal information.

D.

By restricting the disclosure of customer account numbers by financial institutions.

Question 11

SCENARIO

Please use the following to answer the next QUESTION

When there was a data breach involving customer personal and financial information at a large retail store, the company’s directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor

procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low- level employees had access to all of the company’s customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.

Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees’ access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers’ financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.

When the breach occurred, the company’s executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta’s guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.

Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.

Which principle of the Consumer Privacy Bill of Rights, if adopted, would best reform the company’s privacy program?

Options:

A.

Consumers have a right to exercise control over how companies use their personal data.

B.

Consumers have a right to reasonable limits on the personal data that a company retains.

C.

Consumers have a right to easily accessible information about privacy and security practices.

D.

Consumers have a right to correct personal data in a manner that is appropriate to the sensitivity.

Question 12

SCENARIO

Please use the following to answer the next QUESTION

Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S. and Asia. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.

Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station’s network and was able to steal data relating to employees in the company’s Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.

The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.

What can Otto do to most effectively minimize the privacy risks involved in using a cloud provider for the HR data?

Options:

A.

Request that the Board sign off in a written document on the choice of cloud provider.

B.

Ensure that the cloud provider abides by the contractual requirements by conducting an on-site audit.

C.

Obtain express consent from employees for storing the HR data in the cloud and keep a record of the employee consents.

D.

Negotiate a Business Associate Agreement with the cloud provider to protect any health-related data employees might share with Filtration Station.

Question 13

California’s SB 1386 was the first law of its type in the United States to do what?

Options:

A.

Require commercial entities to disclose a security data breach concerning personal information about the state’s residents

B.

Require notification of non-California residents of a breach that occurred in California

C.

Require encryption of sensitive information stored on servers that are Internet connected

D.

Require state attorney general enforcement of federal regulations against unfair and deceptive trade practices

Question 14

All of the following organizations are specified as covered entities under the Health Insurance Portability and Accountability Act (HIPAA) EXCEPT?

Options:

A.

Healthcare information clearinghouses

B.

Pharmaceutical companies

C.

Healthcare providers

D.

Health plans

Question 15

What consumer service was the Fair Credit Reporting Act (FCRA) originally intended to provide?

Options:

A.

The ability to receive reports from multiple credit reporting agencies.

B.

The ability to appeal negative credit-based decisions.

C.

The ability to correct inaccurate credit information.

D.

The ability to investigate incidents of identity theft.

Question 16

What is the main reason some supporters of the European approach to privacy are skeptical about self- regulation of privacy practices?

Options:

A.

A large amount of money may have to be sent on improved technology and security

B.

Industries may not be strict enough in the creation and enforcement of rules

C.

A new business owner may not understand the regulations

D.

Human rights may be disregarded for the sake of privacy

Question 17

When does the Telemarketing Sales Rule require an entity to share a do-not-call request across its organization?

Options:

A.

When the operational structures of its divisions are not transparent

B.

When the goods and services sold by its divisions are very similar

C.

When a call is not the result of an error or other unforeseen cause

D.

When the entity manages user preferences through multiple platforms

Question 18

What is the main purpose of the Global Privacy Enforcement Network?

Options:

A.

To promote universal cooperation among privacy authorities

B.

To investigate allegations of privacy violations internationally

C.

To protect the interests of privacy consumer groups worldwide

D.

To arbitrate disputes between countries over jurisdiction for privacy laws

Question 19

Which federal act does NOT contain provisions for preempting stricter state laws?

Options:

A.

The CAN-SPAM Act

B.

The Children’s Online Privacy Protection Act (COPPA)

C.

The Fair and Accurate Credit Transactions Act (FACTA)

D.

The Telemarketing Consumer Protection and Fraud Prevention Act

Question 20

An organization self-certified under Privacy Shield must, upon request by an individual, do what?

Options:

A.

Suspend the use of all personal information collected by the organization to fulfill its original purpose.

B.

Provide the identities of third parties with whom the organization shares personal information.

C.

Provide the identities of third and fourth parties that may potentially receive personal information.

D.

Identify all personal information disclosed during a criminal investigation.

Question 21

When designing contact tracing apps in relation to COVID-19 or any other diagnosed virus, all of the following privacy measures should be considered EXCEPT?

Options:

A.

Data retention.

B.

Use limitations.

C.

Opt-out choice.

D.

User confidentiality.

Question 22

Which of the following best describes the ASIA-Pacific Economic Cooperation (APEC) principles?

Options:

A.

A bill of rights for individuals seeking access to their personal information.

B.

A code of responsibilities for medical establishments to uphold privacy laws.

C.

An international court ruling on personal information held in the commercial sector.

D.

A baseline of marketers’ minimum responsibilities for providing opt-out mechanisms.

Question 23

Which of the following is NOT one of three broad categories of products offered by data brokers, as identified by the U.S. Federal Trade Commission (FTC)?

Options:

A.

Research (such as information for understanding consumer trends).

B.

Risk mitigation (such as information that may reduce the risk of fraud).

C.

Location of individuals (such as identifying an individual from partial information).

D.

Marketing (such as appending data to customer information that a marketing company already has).

Question 24

The use of cookies on a website by a service provider is generally not deemed a ‘sale’ of personal information by CCPA, as long as which of the following conditions is met?

Options:

A.

The third party stores personal information to trigger a response to a consumer’s request to exercise their right to opt in.

B.

The analytics cookies placed by the service provider are capable of being tracked but cannot be linked to a particular consumer of that business.

C.

The service provider retains personal information obtained in the course of providing the services specified in the agreement with the subcontractors.

D.

The information collected by the service provider is necessary to perform debugging and the business and service provider have entered into an appropriate agreement.

Question 25

Based on the 2012 Federal Trade Commission report “Protecting Consumer Privacy in an Era of Rapid Change”, which of the following directives is most important for businesses?

Options:

A.

Announcing the tracking of online behavior for advertising purposes.

B.

Integrating privacy protections during product development.

C.

Allowing consumers to opt in before collecting any data.

D.

Mitigating harm to consumers after a security breach.

Question 26

SCENARIO

Please use the following to answer the next QUESTION:

Matt went into his son’s bedroom one evening and found him stretched out on his bed typing on his laptop. “Doing your network?” Matt asked hopefully.

“No,” the boy said. “I’m filling out a survey.”

Matt looked over his son’s shoulder at his computer screen. “What kind of survey?” “It’s asking Questions about my opinions.”

“Let me see,” Matt said, and began reading the list of Questions that his son had already answered. “It’s asking your opinions about the government and citizenship. That’s a little odd. You’re only ten.”

Matt wondered how the web link to the survey had ended up in his son’s email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.

To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer Questions about his favorite games and toys.

Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son’s inbox, and he decided it was time to report the incident to the proper authorities.

How could the marketer have best changed its privacy management program to meet COPPA “Safe Harbor” requirements?

Options:

A.

By receiving FTC approval for the content of its emails

B.

By making a COPPA privacy notice available on website

C.

By participating in an approved self-regulatory program

D.

By regularly assessing the security risks to consumer privacy

Question 27

When developing a company privacy program, which of the following relationships will most help a privacy professional develop useful guidance for the organization?

Options:

A.

Relationships with individuals within the privacy professional community who are able to share expertise and leading practices for different industries.

B.

Relationships with clients, vendors, and customers whose data will be primarily collected and used throughout the organizational program.

C.

Relationships with company leaders responsible for approving, implementing, and periodically reviewing the corporate privacy program.

D.

Relationships with individuals across company departments and at different levels in the organization’s hierarchy.

Question 28

According to FERPA, when can a school disclose records without a student’s consent?

Options:

A.

If the disclosure is not to be conducted through email to the third party

B.

If the disclosure would not reveal a student’s student identification number

C.

If the disclosure is to practitioners who are involved in a student’s health care

D.

If the disclosure is to provide transcripts to a school where a student intends to enroll

Question 29

Which of the following best describes how federal anti-discrimination laws protect the privacy of private-sector employees in the United States?

Options:

A.

They prescribe working environments that are safe and comfortable.

B.

They limit the amount of time a potential employee can be interviewed.

C.

They promote a workforce of employees with diverse skills and interests.

D.

They limit the types of information that employers can collect about employees.

Question 30

SuperMart is a large Nevada-based business that has recently determined it sells what constitutes “covered information” under Nevada’s privacy law, Senate Bill 260. Which of the following privacy compliance steps would best help SuperMart comply with the law?

Options:

A.

Providing a mechanism for consumers to opt out of sales.

B.

Implementing internal protocols for handling access and deletion requests.

C.

Preparing a notice of financial incentive for any loyalty programs offered to its customers.

D.

Reviewing its vendor contracts to ensure that the vendors are subject to service provider restrictions.

Question 31

U.S. federal laws protect individuals from employment discrimination based on all of the following EXCEPT?

Options:

A.

Age.

B.

Pregnancy.

C.

Marital status.

D.

Genetic information.

Question 32

Which of the following federal agencies does NOT have regulatory authority related to privacy?

Options:

A.

Consumer Financial Protection Bureau.

B.

U.S. Department of Transportation.

C.

U.S. Department of Commerce.

D.

Federal Reserve

Question 33

What is an exception to the Electronic Communications Privacy Act of 1986 ban on interception of wire, oral and electronic communications?

Options:

A.

Where one of the parties has given consent

B.

Where state law permits such interception

C.

If an organization intercepts an employee’s purely personal call

D.

Only if all parties have given consent

Question 34

Which jurisdiction must courts have in order to hear a particular case?

Options:

A.

Subject matter jurisdiction and regulatory jurisdiction

B.

Subject matter jurisdiction and professional jurisdiction

C.

Personal jurisdiction and subject matter jurisdiction

D.

Personal jurisdiction and professional jurisdiction

Question 35

SCENARIO

Please use the following to answer the next QUESTION:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: “Please act immediately by identifying all personal data received from our company.”

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup’s rapid market penetration.

As the Company’s data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

At this stage of the investigation, what should the data privacy leader review first?

Options:

A.

Available data flow diagrams

B.

The text of the original complaint

C.

The company’s data privacy policies

D.

Prevailing regulation on this subject

Question 36

SCENARIO

Please use the following to answer the next QUESTION:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: “Please act immediately by identifying all personal data received from our company.”

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup’s rapid market penetration.

As the Company’s data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

Under the GDPR, the complainant’s request regarding her personal information is known as what?

Options:

A.

Right of Access

B.

Right of Removal

C.

Right of Rectification

D.

Right to Be Forgotten

Question 37

The Cable Communications Policy Act of 1984 requires which activity?

Options:

A.

Delivery of an annual notice detailing how subscriber information is to be used

B.

Destruction of personal information a maximum of six months after it is no longer needed

C.

Notice to subscribers of any investigation involving unauthorized reception of cable services

D.

Obtaining subscriber consent for disseminating any personal information necessary to render cable services

Question 38

The CFO of a pharmaceutical company is duped by a phishing email and discloses many of the company’s employee personnel files to an online predator. The files include employee contact information, job applications, performance reviews, discipline records, and job descriptions.

Which of the following state laws would be an affected employee’s best recourse against the employer?

Options:

A.

The state social security number confidentiality statute.

B.

The state personnel record review statute.

C.

The state data destruction statute.

D.

The state UDAP statute.

Question 39

Federal laws establish which of the following requirements for collecting personal information of minors under the age of 13?

Options:

A.

Implied consent from a minor’s parent or guardian, or affirmative consent from the minor.

B.

Affirmative consent from a minor’s parent or guardian before collecting the minor’s personal information online.

C.

Implied consent from a minor’s parent or guardian before collecting a minor’s personal information online, such as when they permit the minor to use the internet.

D.

Affirmative consent of a parent or guardian before collecting personal information of a minor offline (e.g., in person), which also satisfies any requirements for online consent.

Question 40

SCENARIO

Please use the following to answer the next QUESTION:

Matt went into his son’s bedroom one evening and found him stretched out on his bed typing on his laptop. “Doing your network?” Matt asked hopefully.

“No,” the boy said. “I’m filling out a survey.”

Matt looked over his son’s shoulder at his computer screen. “What kind of survey?” “It’s asking Questions about my opinions.”

“Let me see,” Matt said, and began reading the list of Questions that his son had already answered. “It’s asking your opinions about the government and citizenship. That’s a little odd. You’re only ten.”

Matt wondered how the web link to the survey had ended up in his son’s email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.

To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer Questions about his favorite games and toys.

Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son’s inbox, and he decided it was time to report the incident to the proper authorities.

Based on the incident, the FTC’s enforcement actions against the marketer would most likely include what violation?

Options:

A.

Intruding upon the privacy of a family with young children.

B.

Collecting information from a child under the age of thirteen.

C.

Failing to notify of a breach of children’s private information.

D.

Disregarding the privacy policy of the children’s marketing industry.

Question 41

The “Consumer Privacy Bill of Rights” presented in a 2012 Obama administration report is generally based on?

Options:

A.

The 1974 Privacy Act

B.

Common law principles

C.

European Union Directive

D.

Traditional fair information practices

Question 42

SCENARIO

Please use the following to answer the next QUESTION

When there was a data breach involving customer personal and financial information at a large retail store, the company’s directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor

procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low- level employees had access to all of the company’s customer data,including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.

Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees’ access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers’ financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.

When the breach occurred, the company’s executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta’s guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.

Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.

Based on the problems with the company’s privacy security that Roberta identifies, what is the most likely cause of the breach?

Options:

A.

Mishandling of information caused by lack of access controls.

B.

Unintended disclosure of information shared with a third party.

C.

Fraud involving credit card theft at point-of-service terminals.

D.

Lost company property such as a computer or flash drive.

Question 43

What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

Options:

A.

A consent decree

B.

Stare decisis decree

C.

A judgment rider

D.

Common law judgment

Question 44

Which of the following is commonly required for an entity to be subject to breach notification requirements under most state laws?

Options:

A.

The entity must conduct business in the state

B.

The entity must have employees in the state

C.

The entity must be registered in the state

D.

The entity must be an information broker

Question 45

A company based in United States receives information about its UK subsidiary’s employees in connection with the centralized HR service it provides.

How can the UK company ensure an adequate level of data protection that would allow the restricted data transfer to continue?

Options:

A.

By signing up to an approved code of conduct under UK GDPR to demonstrate compliance with its requirements, both for the parent and the subsidiary companies.

B.

By revising the contract with the United States parent company incorporating EU SCCs, as it continues to be valid for restricted transfers under the UK regime.

C.

By submitting to the ICO a new application for the UK BCRs using the UK BCR application forms, as their existing authorized EU BCRs are not recognized.

D.

By allowing each employee the option to opt-out to the restricted transfer, as it is necessary to send their names in order to book the sales bonuses.

Question 46

Which authority supervises and enforces laws regarding advertising to children via the Internet?

Options:

A.

The Office for Civil Rights

B.

The Federal Trade Commission

C.

The Federal Communications Commission

D.

The Department of Homeland Security

Question 47

Which of the following best describes what a “private right of action” is?

Options:

A.

The right of individuals to keep their information private.

B.

The right of individuals to submit a request to access their information.

C.

The right of individuals harmed by data processing to have their information deleted.

D.

The right of individuals harmed by a violation of a law to file a lawsuit against the violation.

Question 48

What is the most important action an organization can take to comply with the FTC position on retroactive changes to a privacy policy?

Options:

A.

Describing the policy changes on its website.

B.

Obtaining affirmative consent from its customers.

C.

Publicizing the policy changes through social media.

D.

Reassuring customers of the security of their information.

Question 49

Which of the following federal agencies does NOT enforce the Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA)?

Options:

A.

The Office of the Comptroller of the Currency

B.

The Consumer Financial Protection Bureau

C.

The Department of Health and Human Services

D.

The Federal Trade Commission

Question 50

Which venture would be subject to the requirements of Section 5 of the Federal Trade Commission Act?

Options:

A.

A local nonprofit charity’s fundraiser

B.

An online merchant’s free shipping offer

C.

A national bank’s no-fee checking promotion

D.

A city bus system’s frequent rider program

Page: 1 / 13
Total 168 questions