New Year Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

CIPP-US Questions and Answers

Question # 6

Which of the following is NOT one of three broad categories of products offered by data brokers, as identified by the U.S. Federal Trade Commission (FTC)?

A.

Research (such as information for understanding consumer trends).

B.

Risk mitigation (such as information that may reduce the risk of fraud).

C.

Location of individuals (such as identifying an individual from partial information).

D.

Marketing (such as appending data to customer information that a marketing company already has).

Full Access
Question # 7

SCENARIO

Please use the following to answer the next QUESTION

When there was a data breach involving customer personal and financial information at a large retail store, the company’s directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor

procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low- level employees had access to all of the company’s customer data,including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.

Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees’ access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers’ financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.

When the breach occurred, the company’s executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta’s guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.

Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.

Based on the problems with the company’s privacy security that Roberta identifies, what is the most likely cause of the breach?

A.

Mishandling of information caused by lack of access controls.

B.

Unintended disclosure of information shared with a third party.

C.

Fraud involving credit card theft at point-of-service terminals.

D.

Lost company property such as a computer or flash drive.

Full Access
Question # 8

Which of the following best describes private-sector workplace monitoring in the United States?

A.

Employers have broad authority to monitor their employees

B.

U.S. federal law restricts monitoring only to industries for which it is necessary

C.

Judgments in private lawsuits have severely limited the monitoring of employees

D.

Most employees are protected from workplace monitoring by the U.S. Constitution

Full Access
Question # 9

Which authority supervises and enforces laws regarding advertising to children via the Internet?

A.

The Office for Civil Rights

B.

The Federal Trade Commission

C.

The Federal Communications Commission

D.

The Department of Homeland Security

Full Access
Question # 10

Under the Telemarketing Sales Rule, what characteristics of consent must be in place for an organization to acquire an exception to the Do-Not-Call rules for a particular consumer?

A.

The consent must be in writing, must state the times when calls can be made to the consumer and must be signed

B.

The consent must be in writing, must contain the number to which calls can be made and must have an end date

C.

The consent must be in writing, must contain the number to which calls can be made and must be signed

D.

The consent must be in writing, must have an end data and must state the times when calls can be made

Full Access
Question # 11

Read this notice:

Our website uses cookies. Cookies allow us to identify the computer or device you’re using to access the site, but they don’t identify you personally. For instructions on setting your Web browser to refuse cookies, click here.

What type of legal choice does not notice provide?

A.

Mandatory

B.

Implied consent

C.

Opt-in

D.

Opt-out

Full Access
Question # 12

Which of the following federal agencies does NOT enforce the Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA)?

A.

The Office of the Comptroller of the Currency

B.

The Consumer Financial Protection Bureau

C.

The Department of Health and Human Services

D.

The Federal Trade Commission

Full Access
Question # 13

Even when dealing with an organization subject to the CCPA, California residents are NOT legally entitled to request that the organization do what?

A.

Delete their personal information.

B.

Correct their personal information.

C.

Disclose their personal information to them.

D.

Refrain from selling their personal information to third parties.

Full Access
Question # 14

Who has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA)?

A.

State Attorneys General

B.

The Federal Trade Commission

C.

The Department of Commerce

D.

The Consumer Financial Protection Bureau

Full Access
Question # 15

A company based in United States receives information about its UK subsidiary’s employees in connection with the centralized HR service it provides.

How can the UK company ensure an adequate level of data protection that would allow the restricted data transfer to continue?

A.

By signing up to an approved code of conduct under UK GDPR to demonstrate compliance with its requirements, both for the parent and the subsidiary companies.

B.

By revising the contract with the United States parent company incorporating EU SCCs, as it continues to be valid for restricted transfers under the UK regime.

C.

By submitting to the ICO a new application for the UK BCRs using the UK BCR application forms, as their existing authorized EU BCRs are not recognized.

D.

By allowing each employee the option to opt-out to the restricted transfer, as it is necessary to send their names in order to book the sales bonuses.

Full Access
Question # 16

What role does the U.S. Constitution play in the area of workplace privacy?

A.

It provides enforcement resources to large employers, but not to small businesses

B.

It provides legal precedent for physical information security, but not for electronic security

C.

It provides contractual protections to members of labor unions, but not to employees at will

D.

It provides significant protections to federal and state governments, but not to private-sector employment

Full Access
Question # 17

Within what time period must a commercial message sender remove a recipient’s address once they have asked to stop receiving future e-mail?

A.

7 days

B.

10 days

C.

15 days

D.

21 days

Full Access
Question # 18

What type of material is exempt from an individual’s right to disclosure under the Privacy Act?

A.

Material requires by statute to be maintained and used solely for research purposes.

B.

Material reporting investigative efforts to prevent unlawful persecution of an individual.

C.

Material used to determine potential collaboration with foreign governments in negotiation of trade deals.

D.

Material reporting investigative efforts pertaining to the enforcement of criminal law.

Full Access
Question # 19

All of the following organizations are specified as covered entities under the Health Insurance Portability and Accountability Act (HIPAA) EXCEPT?

A.

Healthcare information clearinghouses

B.

Pharmaceutical companies

C.

Healthcare providers

D.

Health plans

Full Access
Question # 20

Which of the following laws is NOT involved in the regulation of employee background checks?

A.

The Civil Rights Act.

B.

The Gramm-Leach-Bliley Act (GLBA).

C.

The U.S. Fair Credit Reporting Act (FCRA).

D.

The California Investigative Consumer Reporting Agencies Act (ICRAA).

Full Access
Question # 21

What is a key way that the Gramm-Leach-Bliley Act (GLBA) prevents unauthorized access into a person’s back account?

A.

By requiring immediate public disclosure after a suspected security breach.

B.

By requiring the amount of customer personal information printed on paper.

C.

By requiring the financial institutions limit the collection of personal information.

D.

By restricting the disclosure of customer account numbers by financial institutions.

Full Access
Question # 22

Sarah lives in San Francisco, California. Based on a dramatic increase in unsolicited commercial emails, Sarah believes that a major social media platform with over 50 million users has collected a lot of personal information about her. The company that runs the platform is based in New York and France.

Why is Sarah entitled to ask the social media platform to delete the personal information they have collected about her?

A.

Any company with a presence in Europe must comply with the General Data Protection Regulation globally, including in response to data subject deletion requests.

B.

Under Section 5 of the FTC Act, the Federal Trade Commission has held that refusing to delete an individual’s personal information upon request constitutes an unfair practice.

C.

The California Consumer Privacy Act entitles Sarah to request deletion of her personal information.

D.

The New York “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act requires that businesses under New York’s jurisdiction must delete customers’ personal information upon request.

Full Access
Question # 23

Under the Fair and Accurate Credit Transactions Act (FACTA), what is the most appropriate action for a car dealer holding a paper folder of customer credit reports?

A.

To follow the Disposal Rule by having the reports shredded

B.

To follow the Red Flags Rule by mailing the reports to customers

C.

To follow the Privacy Rule by notifying customers that the reports are being stored

D.

To follow the Safeguards Rule by transferring the reports to a secure electronic file

Full Access
Question # 24

Which of the following describes the most likely risk for a company developing a privacy policy with standards that are much higher than its competitors?

A.

Being more closely scrutinized for any breaches of policy

B.

Getting accused of discriminatory practices

C.

Attracting skepticism from auditors

D.

Having a security system failure

Full Access
Question # 25

A law enforcement subpoenas the ACME telecommunications company for access to text message records of a person suspected of planning a terrorist attack. The company had previously encrypted its text message records so that only the suspect could access this data.

What law did ACME violate by designing the service to prevent access to the information by a law enforcement agency?

A.

SCA

B.

ECPA

C.

CALEA

D.

USA Freedom Act

Full Access
Question # 26

If an organization maintains data classified as high sensitivity in the same system as data classified as low sensitivity, which of the following is the most likely outcome?

A.

The organization will still be in compliance with most sector-specific privacy and security laws.

B.

The impact of an organizational data breach will be more severe than if the data had been segregated.

C.

Temporary employees will be able to find the data necessary to fulfill their responsibilities.

D.

The organization will be able to address legal discovery requests efficiently without producing more information than necessary.

Full Access
Question # 27

Why was the Privacy Protection Act of 1980 drafted?

A.

To respond to police searches of newspaper facilities

B.

To assist prosecutors in civil litigation against newspaper companies

C.

To assist in the prosecution of white-collar crimes

D.

To protect individuals from personal privacy invasion by the police

Full Access
Question # 28

In 2011, the FTC announced a settlement with Google regarding its social networking service Google Buzz. The FTC alleged that in the process of launching the service, the company did all of the following EXCEPT?

A.

Violated its own privacy policies.

B.

Engaged in deceptive trade practices.

C.

Failed to comply with Safe Harbor principles.

D.

Failed to employ sufficient security safeguards.

Full Access
Question # 29

Although an employer may have a strong incentive or legal obligation to monitor employees’ conduct or behavior, some excessive monitoring may be considered an intrusion on employees’ privacy? Which of the following is the strongest example of excessive monitoring by the employer?

A.

An employer who installs a video monitor in physical locations, such as a warehouse, to ensure employees are performing tasks in a safe manner and environment.

B.

An employer who installs data loss prevention software on all employee computers to limit transmission of confidential company information.

C.

An employer who installs video monitors in physical locations, such as a changing room, to reduce the risk of sexual harassment.

D.

An employer who records all employee phone calls that involve financial transactions with customers completed over the phone.

Full Access
Question # 30

Which of the following is an important implication of the Dodd-Frank Wall Street Reform and Consumer Protection Act?

A.

Financial institutions must avoid collecting a customer’s sensitive personal information

B.

Financial institutions must help ensure a customer’s understanding of products and services

C.

Financial institutions must use a prescribed level of encryption for most types of customer records

D.

Financial institutions must cease sending e-mails and other forms of advertising to customers who opt out of direct marketing

Full Access
Question # 31

All of the following are tasks in the “Discover” phase of building an information management program EXCEPT?

A.

Facilitating participation across departments and levels

B.

Developing a process for review and update of privacy policies

C.

Deciding how aggressive to be in the use of personal information

D.

Understanding the laws that regulate a company’s collection of information

Full Access
Question # 32

U.S. federal laws protect individuals from employment discrimination based on all of the following EXCEPT?

A.

Age.

B.

Pregnancy.

C.

Marital status.

D.

Genetic information.

Full Access
Question # 33

Under the Driver’s Privacy Protection Act (DPPA), which of the following parties would require consent of an individual in order to obtain his or her Department of Motor Vehicle information?

A.

Law enforcement agencies performing investigations.

B.

Insurance companies needing to investigate claims.

C.

Attorneys gathering information related to lawsuits.

D.

Marketers wishing to distribute bulk materials.

Full Access
Question # 34

More than half of U.S. states require telemarketers to?

A.

Identify themselves at the beginning of a call

B.

Obtain written consent from potential customers

C.

Register with the state before conducting business

D.

Provide written contracts for customer transactions

Full Access
Question # 35

SCENARIO

Please use the following to answer the next QUESTION:

Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer’s privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.

Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.

After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer’s personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.

Janice understood Cheryl’s concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company’s day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.

Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.

What is the most likely risk of Fitness Coach, Inc. adopting Janice’s first draft of the privacy policy?

A.

Leaving the company susceptible to violations by setting unrealistic goals

B.

Failing to meet the needs of customers who are concerned about privacy

C.

Showing a lack of trust in the organization’s privacy practices

D.

Not being in standard compliance with applicable laws

Full Access
Question # 36

SuperMart is a large Nevada-based business that has recently determined it sells what constitutes “covered information” under Nevada’s privacy law, Senate Bill 260. Which of the following privacy compliance steps would best help SuperMart comply with the law?

A.

Providing a mechanism for consumers to opt out of sales.

B.

Implementing internal protocols for handling access and deletion requests.

C.

Preparing a notice of financial incentive for any loyalty programs offered to its customers.

D.

Reviewing its vendor contracts to ensure that the vendors are subject to service provider restrictions.

Full Access
Question # 37

What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

A.

A consent decree

B.

Stare decisis decree

C.

A judgment rider

D.

Common law judgment

Full Access
Question # 38

What is the main purpose of requiring marketers to use the Wireless Domain Registry?

A.

To access a current list of wireless domain names

B.

To prevent unauthorized emails to mobile devices

C.

To acquire authorization to send emails to mobile devices

D.

To ensure their emails are sent to actual wireless subscribers

Full Access
Question # 39

Which of the following best describes an employer’s privacy-related responsibilities to an employee who has left the workplace?

A.

An employer has a responsibility to maintain a former employee’s access to computer systems and company data needed to support claims against the company such as discrimination.

B.

An employer has a responsibility to permanently delete or expunge all sensitive employment records to minimize privacy risks to both the employer and former employee.

C.

An employer may consider any privacy-related responsibilities terminated, as the relationship between employer and employee is considered primarily contractual.

D.

An employer has a responsibility to maintain the security and privacy of any sensitive employment records retained for a legitimate business purpose.

Full Access
Question # 40

Which of the following privacy rights is NOT available under the Colorado Privacy Act?

A.

The right to access sensitive data.

B.

The right to correct sensitive data.

C.

The right to delete sensitive data.

D.

The right to limit the use of sensitive data.

Full Access
Question # 41

All of the following common law torts are relevant to employee privacy under US law EXCEPT?

A.

Infliction of emotional distress.

B.

Intrusion upon seclusion.

C.

Defamation

D.

Conversion.

Full Access
Question # 42

Which of the following federal agencies does NOT have regulatory authority related to privacy?

A.

Consumer Financial Protection Bureau.

B.

U.S. Department of Transportation.

C.

U.S. Department of Commerce.

D.

Federal Reserve

Full Access
Question # 43

In 2012, the White House and the FTC both issued reports advocating a new approach to privacy enforcement that can best be described as what?

A.

Harm-based.

B.

Self-regulatory.

C.

Comprehensive.

D.

Notice and choice.

Full Access
Question # 44

SCENARIO

Please use the following to answer the next QUESTION

Noah is trying to get a new job involving the management of money. He has a poor personal credit rating, but he has made better financial decisions in the past two years.

One potential employer, Arnie’s Emporium, recently called to tell Noah he did not get a position. As part of the application process, Noah signed a consent form allowing the employer to request his credit report from a consumer reporting agency (CRA). Noah thinks that the report hurt his chances, but believes that he may not ever know whether it was his credit that cost him the job. However, Noah is somewhat relieved that he was not offered this particular position. He noticed that the store where he interviewed was extremely disorganized. He imagines that his credit report could still

be sitting in the office, unsecured.

Two days ago, Noah got another interview for a position at Sam’s Market. The interviewer told Noah that his credit report would be a factor in the hiring decision. Noah was surprised because he had not seen anything on paper about this when he applied.

Regardless, the effect of Noah’s credit on his employability troubles him, especially since he has tried so hard to improve it. Noah made his worst financial decisions fifteen years ago, and they led to bankruptcy. These were decisions he made as a young man, and most of his debt at the time consisted of student loans, credit card debt, and a few unpaid bills – all of which Noah is still working to pay off. He often laments that decisions he made fifteen years ago are still affecting him today.

In addition, Noah feels that an experience investing with a large bank may have contributed to his financial troubles. In 2007, in an effort to earn money to help pay off his debt, Noah talked to a customer service representative at a large investment company who urged him to purchase stocks. Without understanding the risks, Noah agreed. Unfortunately, Noah lost a great deal of money.

After losing the money, Noah was a customer of another financial institution that suffered a large security breach. Noah was one of millions of customers whose personal information was compromised. He wonders if he may have been a victim of identity theft and whether this may have negatively affected his credit.

Noah hopes that he will soon be able to put these challenges behind him, build excellent credit, and find the perfect job.

Consumers today are most likely protected from situations like the one Noah had buying stock because of which federal action or legislation?

A.

The rules under the Fair Debt Collection Practices Act.

B.

The creation of the Consumer Financial Protection Bureau.

C.

Federal Trade Commission investigations into “unfair and deceptive” acts or practices.

D.

Investigations of “abusive” acts and practices under the Dodd-Frank Wall Street Reform and Consumer Protection Act.

Full Access
Question # 45

SCENARIO

Please use the following to answer the next QUESTION:

You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo’s business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement securitymeasures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth’s security measures.

A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals – ones that exposed the PHI of public figures including celebrities and politicians.

During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach

and a copy of the PHI of the individuals affected.

A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual’s ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient’s attorney has submitted a discovery request for the ePHI exposed in the breach.

What is the most effective kind of training CloudHealth could have given its employees to help prevent this type of data breach?

A.

Training on techniques for identifying phishing attempts

B.

Training on the terms of the contractual agreement with HealthCo

C.

Training on the difference between confidential and non-public information

D.

Training on CloudHealth’s HR policy regarding the role of employees involved data breaches

Full Access
Question # 46

SCENARIO

Please use the following to answer the next QUESTION:

Matt went into his son’s bedroom one evening and found him stretched out on his bed typing on his laptop. “Doing your network?” Matt asked hopefully.

“No,” the boy said. “I’m filling out a survey.”

Matt looked over his son’s shoulder at his computer screen. “What kind of survey?” “It’s asking Questions about my opinions.”

“Let me see,” Matt said, and began reading the list of Questions that his son had already answered. “It’s asking your opinions about the government and citizenship. That’s a little odd. You’re only ten.”

Matt wondered how the web link to the survey had ended up in his son’s email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.

To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer Questions about his favorite games and toys.

Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son’s inbox, and he decided it was time to report the incident to the proper authorities.

How could the marketer have best changed its privacy management program to meet COPPA “Safe Harbor” requirements?

A.

By receiving FTC approval for the content of its emails

B.

By making a COPPA privacy notice available on website

C.

By participating in an approved self-regulatory program

D.

By regularly assessing the security risks to consumer privacy

Full Access
Question # 47

Which of the following statements is most accurate in regard to data breach notifications under federal and

state laws:

A.

You must notify the Federal Trade Commission (FTC) in addition to affected individuals if over 500 individuals are receiving notice.

B.

When providing an individual with required notice of a data breach, you must identify what personal information was actually or likely compromised.

C.

When you are required to provide an individual with notice of a data breach under any state’s law, you must provide the individual with an offer for free credit monitoring.

D.

The only obligations to provide data breach notification are under state law because currently there is no federal law or regulation requiring notice for the breach of personal information.

Full Access
Question # 48

Which of these organizations would be required to provide its customers with an annual privacy notice?

A.

The Four Winds Tribal College.

B.

The Golden Gavel Auction House.

C.

The King County Savings and Loan.

D.

The Breezy City Housing Commission.

Full Access
Question # 49

Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law?

A.

If the data involved was encrypted.

B.

If the data involved was accessed but not exported.

C.

If the entity was subject to the GLBA Safeguards Rule.

D.

If the entity followed internal notification procedures compatible with state law.

Full Access
Question # 50

Once a breach has been definitively established, which task should be prioritized next?

A.

Involving law enforcement and state Attorneys General.

B.

Determining what was responsible for the breach and neutralizing the threat.

C.

Providing notice to the affected parties so they can take precautionary measures.

D.

Implementing remedial measures and evaluating how to prevent future breaches.

Full Access