Ch. 12 - Workplace Privacy Quiz Flashcards
Which of the following is not a key attribute of security?
A. Confidentiality
B. Integrity
C. Delivery
D. Availability
C. Delivery
Which type of security controls can be considered in developing a security strategy?
A. Physical, administrative, technical
B. Practice, reactive, distortive
C. Detective, cumulative, reactive
D. Physical, cosmetic, digital
A. Physical, administrative, technical. In the context of security. The controls are most often physical, administrative, technical
What is the best fitting description of a data breach?
A break into security measures resulting in the unauthorized access of data for a breach, just remember that something must have gone wrong either malicious or incidental, where something didn’t work the way it should have worked (w/ exception depending on the definitions in the specific legislation.
When a consent decree is published, what has happened?
The FTC and the other party entered in an agreement to stop a certain conduct, and the information is published for other organizations to see.
How can the Federal Trade Commission be best described?
A part of the executive branch w/ rulemaking powers
Selfie Shenanigans is planning to implement its newest feature in US (only). It will analyze all uploaded photos for visible signs of health issues. The data is sold to the user’s health insurer which law would least possibly be broken?
A. HIPAA
B. Children’s Online Privacy Protection Act
C. GDPR
D. HITECH
C. GDPR only applies to Europe this was in the US only
Selfie Shenanigans. You find out the website has a privacy notice that is shown before users sign up. What needs to happen?
A check whether the new practice is allowed for, according to the privacy notice, needs to be performed
For which law does the FTC have specific authority?
A. GDPR
B. Children’s Online Privacy Protection Act
C. The APEC Privacy Framework
D. Fair Information Practices
B. Children’s Online Privacy Protection Act. Only US law, otherwise Fair Information Practices are mentioned.
What safeguard is often put in place by researchers when using medical data for research?
The data is de-identified. De-identification lowers the risk of recognition.
To what kind of institutions does the Family Educational Rights and Privacy Act apply?
Educational institutions that receive federal funding
Which type of information is still allowed to be disclosed under the Family Educational Right & Privacy Act?
A. Grade point average
B. Directory information
C. Home address students
D. Health insurance coverage
B. Directory information - is allowed to be disclosed. Whether the other three fall under FERPA can be debatable perhaps to some extent
Due to the 2007 revisions to the Federal Rules of Civil Procedures what is now required?
Redacting sensitive personal information
Which of the following is not required of a subpoena according to the Federal Rule of Civil Procedure 45?
A. State the court from which it is issued
B. State the title of the action and its civil action number
C. Take photographic evidence of the receipt of the subpoena
D. Mention a person’s right to challenge or modify the subpoena
C. Take photographic evidence of the subpoena, A, B, and D are explicitly required
How can courts prohibit the disclosure of personal information used or generated in litigation?
A. The court can issue a protective order
B. The court can issue a restrictive order
C. The court can issue a reactive order
D. The court can issue a national security letter
A. The court can issue a protective order
In 2016 the FBI was quarreling with Apple. What was the quarrel about?
A. new firmware slowing down phones
B. helping gain access to the data on a seized phone
C. the tablets in the Federal Bureau of Investigation’s office could not fit the micro-SD required for the investigation
D. a cloud security breach exposing pictures of celebrities
B. Helping gain access to the data on a seized phone
Which of the following is most accurate regarding workplace privacy?
A. Workplace privacy is the same in every state
B. US privacy protection at the workplace is the strictest in the world
C. Workers have a high level of influence in workplace practices
D. There is no law that covers privacy specifically
D. There is no law that covers privacy specifically
Which of the following is not a source of protection for employees?
A. State labor laws
B. Contract and tort law
C. Overarching employment privacy law
D. Certain federal laws
C. Overarching employment privacy laws
What is the most accurate comparison between US and EU workplace privacy?
A. the US inspired the EU legislation
B. the EU has no law that is applicable to the workplace
C. the US had cubicles, whereas in the EU cubicles are forbidden because of privacy concerns
D. EU employees data falls under the scope of the General Data Protection Regulation and offers more protection
D. EU employees data falls under the scope of the General Data Protection Regulation and offers more protection
What can be said about the constitution’s Fourth Amendment?
A. it provides protection from employers
B. it provides protection from government employers
C. it doesn’t concern privacy
D. it only protects against the king of England
B. it provides protection from government employers
In the US, it is employment at will. What is the consequence of this?
A. all legislation is rendered invalid
B. you can buy privacy
C. many aspects, covered by laws in other continents, are at the discretion of the employer
D. employees have no rights
C. many aspects, covered by laws in other continents, are at the discretion of the employer
Which of the following is not tort that can be relied on as an employee in a privacy case?
A. intrusion upon seclusion
B. publicity given to private life
C. defamation
D. intellectual property
D. intellectual property
Of the following laws, which does not have employment privacy implications?
A. The Children’s Online Privacy Protection Act
B. The Employee Retirement Income Security Act
C. HIPAA
D. The Fair Labor Standards Act
A. The Children’s Online Privacy Protection Act
At which state of employment do employers need to take into account workplace privacy considerations
A. before employment
B. before, during, and after employment
C. during employment
D. after employment
B. before, during, and after employment
What is true about Bring Your Own Device policies?
A. only company-issued equipment is allowed to be used
B. it brings along security risks and requires reconsideration of the level of monitoring
C. employees surrender their data when a Bring Your Own Device policy is in place
D. Bring Your Own Device practices are illegal
B. it brings along security risks and requires reconsideration of the level of monitoring
Which of the following is a consequence of the Employee Polygraph Protection Act?
A. only grade A and B type polygraphs are allowed to be used
B. an employer cannot use a polygraph test to screen an applicant
C. a statement of sincerity is required to substitute a polygraph
D. employers cannot screen applicants
B. an employer cannot use a polygraph test to screen an applicant
Which of the following agencies is not responsible for privacy enforcement?
A. The FTC
B. Department of Education
C. FCC
D.Certain agencies of the executive branch
B. Department of Education
What is true of the FTC?
A. The FTC is an independent agency
B. The FTC falls under direct control of the president
C. The FTC focuses solely on privacy
D. The FTC focuses solely on security
A. The FTC is an independent agency
What was the issue in the Designerware, LLC
case?
A. the leaking of a large amount of credit card numbers
B. key loggers, unexpected screenshots and photographs
C. a break-in on one of the servers that stored social security numbers
D. unauthorized disclosure of collected sensitive data
B. key loggers, unexpected screenshots and photographs
When is a data breach to be reported?
A. above 200 persons
B. above 100 persons
C. if minors are involved
D. depends on the state and breach size
D. depends on the state and breach size
Is ransomware a data breach?
A. always
B. never
C. depends on whether unauthorized access has been established
D. not if the information was backed up
C. depends on whether unauthorized access has been established
Ransomware - (a type of malware)
(1) locks a user’s operating system, restricting the user’s access to their data &/ or device, or
(2) encrypts the data so that the user is prevented from accessing his or her files
Certain national laws preempt state law. Out of the following choices, how can preempting best be described?
A. privacy notice, under many circumstances, can be overruled by state law
B. laws of an inferior government can be superseded by those of a superior government
C. if a state has no law, it is preempted by national law
D. federal judges can preempt the president and a large part of the executive branch
B. laws of an inferior government can be superseded by those of a superior government
Although there are many actions an individual can take to battle injustice, which of the following most accurately describes the private right of action?
A. to carry a concealed weapon and use it protect your privacy when someone attempts to enter your domicile
B. to start a lawsuit when a law is violated
C. to enforce the binding rules of a privacy notice
D. to forbid organizations from processing the data of minors that you are the legal guardian of
B. to start a lawsuit when a law is violated
If an agency has authority, there are two types of authority that agency can have. Which type of authority does the FTC have?
A. general authority
B. specific authority
C. general authority as well as specific authority
D. operational authority
C. general authority as well as specific authority
Many references to privacy can be found all throughout recorded history. When looking at laws regarding Personal Information, which class of privacy does law concerning Personal Information pertain to?
A. bodily privacy
B. territorial privacy
C. communications privacy
D. information privacy
D. information privacy
Which of the following is not (yet) part of the Fair Information Practices?
A. notice
B. choice and consent
C. disclosure
D. legal basis
D. legal basis
All over the world, different models of privacy protection are adopted. Which of the following is true regarding models of privacy protection?
A. in the US there is a sectoral model, and in the EU there is a comprehensive model
B. the US only uses the co-regulatory model
C. Europe has a strong focus on the self-regulatory model
D. the laws in the US fall under the comprehensive model
A. in the US there is a sectoral model, and in the EU there is a comprehensive model
Which of the following best describes the relationship between case law and common law?
A. common law needs case law to exist
B. common law is based on principles
C. case law is solely the judge’s opinion
D. case law is fluid and allows for presidential intervention
A. common law needs case law to exist
When can an organization most likely most likely be in trouble for violating contract law?
A. when someone provided their data based on the practices mentioned in the privacy notice
B. when a data subject disagrees with a privacy notice
C. when a privacy notice is not in the local language
D. when a privacy notice is not on the organization’s website
A. when someone provided their data based on the practices mentioned in the privacy notice
How can Personal Information best be described?
A. any information relating to a natural person
B. this depends on the field and even state law
C. directory information
D. information of value
B. this depends on the field and even state law
Which comprehensive privacy laws there in the US?
A. the Children’s Online Privacy Protection Act
B. HIPAA
C. None, there are no comprehensive privacy laws in the US
D. GDPR
C. None, there are no comprehensive privacy laws in the US
Of the following, which are three different tort categories?
A. negligence, notice breach, intrusion
B. intrusion upon seclusion, strict liability
C. intentional, negligent, strict liability
D. privacy notice breach, wrongful intrusion, defamation
C. intentional, negligent, strict liability
Which of the following is most restrictive for employers in the US in relation to privacy?
A. HIPAA
B. Children’s Online Privacy Protection Act
C. Fourth Amendment
D. Fair and Accurate Credit Transactions
C. Fourth Amendment
What is the most likely purpose for which an organization creates a data inventory?
A. showing the public which data is stored
B. creating an overview of data, helpful for creating a compliance and security approach
C. complying with a US legal requirement
D. identifying storage size requirements
B. creating an overview of data, helpful for creating a compliance and security approach
Which of the following statements is not true regarding data classification?
A. organizations are free to classify data elements a certain way to place it inside or outside of the scope of certain laws
B. data classification can help identify applicable laws
C. to assist in creating a security strategy
D. help breach response
A. organizations are free to classify data elements a certain way to place it inside or outside of the scope of certain laws
What is not the result of an organization starting a privacy program?
A. awareness amongst employees
B. reduced risk of compliance issues
C. an increase in breach detection rate and breach response time
D. full future proof of compliance with privacy legislation
D. full future proof of compliance with privacy legislation
What is the name of the guidelines developed by the Asia-Pacific Economic Cooperation?
A. the OECD guidelines
B. The IT Act
C. The Fair Information Practices
D. The APEC Privacy framework
D. The APEC Privacy framework
True or false? The word privacy is not mentioned in the U.S. Constitution
True
Which of the following sources of law affect privacy for private-sector employees? Select all that apply.
A. Federal constitutional law B. Contract law
C. Torts
D. Statutes
B. Contract law
C. Torts
D. Statutes
True or false?
Federal law mandates substance use testing for certain positions.
True
Read the scenario and determine if it qualifies as an exception or non-exception to FERPA’s non-consensual disclosure rules:
- School Instruction Improvement Company, Inc. accesses school records to verify the demographics of the student body.
Disclosure allowed: Disclosing information to organizations on the behalf of schools for test development, student aid programs or instruction improvement is acceptable.
What are the advantages and disadvantages of BYOD programs in the workplace?
Advantages:
• Same home/work technology
• More flexibility • Efficiency and productivity
• Employer increased accessibility to employee
- Disadvantages:
- Lack of employer control
- Exposure of organization to security vulnerabilities and threats
In addition to the Americans with Disabilities Act, which federal laws* prohibit discrimination in the workplace?
Title VII of the Civil Rights Act of 1964 bars discrimination in employment due to race, color, religion, sex and national origin
• The Equal Pay Act of 1963 bars wage disparity based on sex
• The Age Discrimination Act bars discrimination against individuals over 40
• The Discrimination Act bars discrimination due to pregnancy, childbirth and related medical conditions
• The Americans with Disabilities Act of 1990 bars discrimination against qualified individuals with disabilities
• The Genetic Information Nondiscrimination Act of 2008 bars discrimination based on individuals’ genetic information
• The Bankruptcy Act provision 11 U.S.C. § 525(b) prohibits employment discrimination against persons who have filed for bankruptcy
• Some ambiguity on whether the statute applies to discrimination prior to the extension of an offer of employment; courts have read the statute both ways
True or false?
Health insurance providers may, under some circumstances, implement higher premiums based on genetic information.
False
What is COIT?
Consumerization of information technology (COIT): Use of personal computing devices in the workplace and online services (webmail, cloud storage, social media)
Which act was passed as part of the ECPA to address interception of electronic communications in facilities where electronic communication service is provided?
A. Privacy Protection Act (PPA)
B. Stored Communications Act (SCA)
C. Communications Assistance to Law Enforcement Act (CALEA)
D. Electronic Communications Privacy Act (ECPA)
B. Stored Communications Act (SCA)
Which act requires giving a privacy notice to subscribers at the time of the initial agreement (and annually thereafter) including the nature of personal information collected, how it is used, and retention period, as well as how to access and correct information?
A. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
B. Telecommunications Act
C. Cable Communications Policy Act
D. Video Privacy Protection Act (VPPA)
C. Cable Communications Policy Act
Which of the following terms specifically means removing or blocking information from court documents?
A. Protective order
B. Protecting publicly available information (PPAI)
C. Electronic discovery
D. Redaction
D. Redaction
Which of the following are required for an entity to be considered a “business” under the California Consumer Privacy Act? Select all that apply.
A. An entity that makes $10 million in annual revenue
B. An entity that holds the personal information of 50,000 people, households or devices
C. An entity that makes at least half of its revenue from the sale of personal information
B. An entity that holds the personal information of 50,000 people, households or devices
C. An entity that makes at least half of its revenue from the sale of personal information
Which are exceptions to state breach notification laws? Select all that apply.
A. Entities subject to other, more stringent data breach notification laws
B. Entities that already follow breach notification procedures that are compatible with state law
C. Entities enrolled in self-certification programs that meet industry security standards
A. Entities subject to other, more stringent data breach notification laws
B. Entities that already follow breach notification procedures that are compatible with state law
True or false?
Technology companies that provide free teaching materials are subject to the laws and regulations of FERPA, PPRA and NCLBA.
True
Is there an overarching employment privacy law in the U.S.?
EXAMPLE ANSWER: There is no overarching law for employment privacy.
- Some constitutional, federal, state, tort and statutory laws impact privacy
- Contracts between employer and employee may impact privacy agreements
- There is considerable local variation and complexity on employment privacy issues
- Many U.S. labor laws mandate employee data collection and management practices, such as conducting background checks and ensuring and documenting a safe workplace environment
- Organizations also have incentives to gather information about employees and monitor the workplace to reduce the risk of being sued for negligent hiring or supervision
Read the scenario and determine if it qualifies as an exception or non-exception to FERPA’s non-consensual disclosure rules:
- Anystate University is putting together a financial aid proposal for a student who applied to the school and reviews their records to determine if the student is eligible for an academic scholarship.
ANSWER: Disclosure allowed: As it’s in connection with financial aid for which the student has applied.
Which state data security law is generally considered the most prescriptive in the nation?
A. California AB 1950 (2004)
B. Massachusetts 201 CMR 17
C. Washington state security law, HB 1149
B. Massachusetts 201 CMR 17
Under the Fair Credit Reporting Act (FCRA), which are employer requirements for obtaining a consumer report on an applicant? Select all that apply.
A. Have a permissible purpose
B. Provide notification of the intention to run a consumer report
C. Allow the applicant to receive a copy of the report
D. Obtain written authorization from the applicant
E. Use a qualified credit reporting agency
F. Provide notice to the credit reporting agency outlining the intended purpose of the report
G. Provide the applicant with notice and a copy of the report for dispute prior to adverse action
A. Have a permissible purpose
B. Provide notification of the intention to run a consumer report
C. Allow the applicant to receive a copy of the report
D. Obtain written authorization from the applicant
E. Use a qualified credit reporting agency
G. Provide the applicant with notice and a copy of the report for dispute prior to adverse action
What are the four steps involved in the development of a privacy program?
A. Discover, build, communicate, evolve
B. Research, design, build, audit
C. Brainstorm, propose, implement, follow-through
D. Test, learn, revise, monitor
A. Discover, build, communicate, evolve
Which authorities oversee privacy-related issues in the U.S.? Select all that apply.
A. The Federal Trade Commission (FTC)
B. State attorneys general
C. The national data protection authority
D. Federal financial regulators
A. The Federal Trade Commission (FTC)
B. State attorneys general
D. Federal financial regulator
Under what circumstances do limitations and exceptions to the HIPAA Privacy Rule apply?
De-identification: Information does not identify an individual via:
1. Removing data elements listed in the rule (name, address)
- An expert certifying that the risk of re-identifying is small
- Research: Can occur with the consent of the individual or without consent if an authorized entity approves it
- Other: Public health activities, such as reporting abuse or neglect, judicial and administrative proceedings, specialized government functions
- Entity must release PHI to the individual to whom it pertains or their rep. and to the secretary of HHS
Which is a provision of the Cybersecurity Information Sharing Act (CISA)? Select all that apply.
A. Companies must remove personal information before sharing
B. Companies are protected from liability for monitoring activities
C. Companies that process the personal information of 100,000 individuals or more are required to participate
D. Sharing information with the federal government does not waive privileges
E. Shared information is exempt from federal and state Freedom of Information laws
A. Companies must remove personal information before sharing
B. Companies are protected from liability for monitoring activities
D. Sharing information with the federal government does not waive privileges
E. Shared information is exempt from federal and state Freedom of Information laws
Rules that govern the collection and handling of personal information regarding internet activity can be categorized as what type of privacy?
Information privacy
True or false?
Most U.S. states have laws limiting the use of Social Security numbers.
True
True or false?
When federal laws do not provide a consumer protection that a state believes is necessary, the state may enact a law to provide the protection for its citizens.
True
Which of the following federal laws ensures that employee benefits programs are created fairly and administered properly?
A. The Health Insurance Portability and Accountability Act (HIPAA)
B. The Consolidated Omnibus Budget Reconciliation Act (COBRA)
C. The Employee Retirement Income Security Act (ERISA)
D. The Family and Medical Leave Act (FMLA)
C. The Employee Retirement Income Security Act (ERISA)
What are the DPO’s responsibilities?
To monitor compliance with the GDPR • Advise controller and processors • Manage risk • Cooperate with supervisory authorities • Communicate with data subjects and supervisory authorities • Exercise professional secrecy
examples of business activities that would cause a U.S. organization to fall under the scope of the GDPR
U.S. company offers a consumer cloud service in the EU
- U.S. company expresses its intention to deal with EU users (e.g., offering services via a European domain, local currency payment, shipment to the EU, local telephone hotline numbers)
- “U.S. company (Company A, the processor) offers data hosting services to another U.S. company (Company B, the controller). At face value, this arrangement would not be caught by the GDPR. However, if Company B (the controller) also acts on behalf of other legal entities within a group, and if personal data is transferred from these group legal entities to Company A (the processor), the arrangement may be caught by the GDPR. If one such group legal entity has an establishment in the EU (see no. 2 above), the GDPR comes into play via Article 3, Section 1.”
- The processor is a sub-processor of a principal processor based in the EU
Which of the examples of personal information may qualify as sensitive personal information? Select all that apply.
A. Social Security number
B. Bank account number
C. Driver’s license number D. Home phone number
E. Professional membership F. Medical history
G. Business email address
A. Social Security number
B. Bank account number
C. Driver’s license number
F. Medical history
Which are provisions of the Fair Credit Reporting Act (FCRA)?
Select all that apply.
A. Consumers have the ability to access and correct their information
B. Consumers may request annual updates and alerts
C. Use of consumer reports is limited to “permissible purposes”
D. Use of consumer reports is limited to three instances per six months
A. Consumers have the ability to access and correct their information
C. Use of consumer reports is limited to “permissible purposes
True or false? An organization that does not process personal data that forms part of a filing system, nor processes personal data by automated means, but does process personal data in a place where member state law applies is subject to the GDPR.
False
you must respond to requests of information in connection with criminal investigations and litigation, which laws did you have to comply when responding to such requests .
EXAMPLE ANSWERS:
• Acts involving the access of financial data
- The Electronic Communications Privacy Act (ECPA)
- The Communications Assistance to Law Enforcement Act (CALEA)
How do the CCPA and GDPR different?
- Definitions of key terms and concepts (e.g., controller)
- No definition of sensitive data under the CCPA
- No private right of action—except for data breaches—under the CCPA
What is a pen register?
A. A list of consumers who have requested to be notified if their personal information is shared with law enforcement
B. A list of law enforcement personnel who may obtain sensitive personal information without a court order
C. Records kept by financial institutions on certain financial transactions
D. A device that records the telephone numbers of all outgoing calls
D. A device that records the telephone numbers of all outgoing calls
Which legislation provides rights to parents of minors regarding sensitive information from students via surveys?
A. Family Educational Rights and Privacy Act (FERPA)
B. Protection of Pupil Rights Amendment (PPRA)
C. Children’s Online Privacy Protection Act (COPPA)
B. Protection of Pupil Rights Amendment (PPRA)
Under the Right to Financial Privacy Act (RFPA), which of the following may allow a government authority access to customer financial records?
Select all that apply.
A. Appropriate formal written request from an authorized government authority
B. Appropriate administrative subpoena or summons
C. Qualified search warrant
D. Legitimate interest of an authorized government authority
E. Customer authorization
F. Appropriate judicial subpoena
A. Appropriate formal written request from an authorized government authority
B. Appropriate administrative subpoena or summons
C. Qualified search warrant
E. Customer authorization
F. Appropriate judicial subpoena
Which are requirements under HIPAA’s Privacy Rule? Select all that apply.
A. A detailed privacy notice provided at the date of first service delivered
B. Opt-out authorization for use or disclosure of personal health information outside of HIPAA guidelines
C. Limited use and disclosure of personal health information for business associates, such as billing companies
D. Safeguards in place to protect the confidentiality and integrity of all personal health information
A. A detailed privacy notice provided at the date of first service delivered
C. Limited use and disclosure of personal health information for business associates, such as billing companies
D. Safeguards in place to protect the confidentiality and integrity of all personal health information
From the standpoint of a privacy professional, how was the collection and storage of personal information impacted by the Snowden revelations?
The case study of Edward Snowden illustrates that further reforms were necessary.Snowden’s revelations led to reforms enacted via the USA FREEDOM Act.
What actions can an organization take to proactively protect personal information in the event it is required to turn over electronic data for litigation?
- Place limits on using company email for personal use
- Discourage conducting company business on personal devices
- Implement policies and practices for when an employee leaves the organization
What is a Data Protection Officer (DPO)?
A staff member or contractor tasked with ensuring and demonstrating compliance with EU data protection law; an expert in data protection law and practices.
True or false?
Materials submitted to courts during trials are usually publicly available
True
Which act was passed during the Cold War to enable national security to track the activities of agents of the Soviet Union and its foreign allies?
A. USA PATRIOT Act
B. Foreign Intelligence Surveillance Act (FISA)
C. Cybersecurity Information Sharing Act (CISA)
D. USA FREEDOM Act
B. Foreign Intelligence Surveillance Act (FISA)
Which of the following has provided standards and best practices for managing electronic discovery compliance through data retention policies?
A. “E-discovery” rules
B. The Hague Convention on the Taking of Evidence
C. The Sedona Conference
D. The GDPR
C. The Sedona Conference
What are the key privacy protections of HIPAA’s Privacy Rule?
The HIPAA Privacy Rule was developed in 2000, revised in 2002 and modified in 2013 to implement amendments under HITECH (discussed further in this module)
- • Covered entities must provide detailed privacy notice at the date of first service delivery
- Uses or disclosures outside of HIPAA’s guidelines require opt-in authorization
- Use and disclosure of PHI for situations other than treatment is limited
- Individuals have the right to access and copy their own PHI from a covered entity and to amend their PHI
True or false?
Data destruction requirements are often built into state data security laws
False
Read the scenario and determine if it qualifies as an exception or non-exception to FERPA’s non-consensual disclosure rules:
- A late afternoon structural fire has blocked access to a road where several students reside, making it unsafe for them to return to their homes after school until the situation has been resolved. A parent volunteer at the school assists in accessing school records to determine which students are affected so that alternative arrangements can be made for their safety.
ANSWER: Disclosure allowed: As threat of harm is articulable and significant, information can be disclosed to any individual with the ability to assist in the situation
How does the CCPA define a “consumer”? Select all that apply.
A. A natural person who is a California resident
B. Every individual who is in California for other than a temporary or transitory purpose
C. Every individual who is domiciled in California who is outside the state for a temporary or transitory purpose
A. A natural person who is a California resident
B. Every individual who is in California for other than a temporary or transitory purpose
C. Every individual who is domiciled in California who is outside the state for a temporary or transitory purpose
What types of risk should an organization consider when designing and administering a privacy program? Select all that apply.
A. Legal B. Reputational C. Operational D. Investment E. Resources
A. Legal
B. Reputational
C. Operational
D. Investment
Who is responsible for enforcing HIPAA’s Privacy and Security Rules?
A. Office for Civil Rights (OCR)
B. Office of Compliance (OOC)
C. Agency for Healthcare Research and Quality (AHRQ)
D. Health Resources and Services Administration (HRSA)
A. Office for Civil Rights (OCR)
The EU-U.S. Privacy Shield is what type of cross-border data transfer mechanism?
A. Binding corporate rule
B. Code of conduct
C. Standard contractual clause
D. Adequacy decision
D. Adequacy decision
What U.S. laws and guidelines address data subject privacy preferences?
EXAMPLE ANSWERS: • Opt-in • COPPA • HIPAA • Fair Credit Reporting Act • Some email marketers (double opt-in)
- Opt-out • GLBA • CAN-SPAM • Do Not Call rules
- Access • HIPAA (medical records) • Fair Credit Reporting Act (credit reports) • Statements of fair information practices (e.g., OECD Guidelines, APEC Principles, Privacy Shield)
The CCPA allows consumers to request and receive records of what personal information? Select all that apply.
A. The types of PI an organization holds about the requestor
B. Dates and times that the organization collected PI from the requestor
C. The sources of PI an organization holds about the requestor
D. The specific PI an organization holds about the requestor
E. Information about what’s being done with the related data in terms of both business use and third-party sharing
A. The types of PI an organization holds about the requestor
C. The sources of PI an organization holds about the requestor
D. The specific PI an organization holds about the requestor E. Information about what’s being done with the related data in terms of both business use and third-party sharing
E. Information about what’s being done with the related data in terms of both business use and third-party sharing
What are the pros of monitoring in the workplace? Select all that apply.
A. OSHA compliance B. Employee morale C. Physical security and cybersecurity D. Training E. Quality assurance
A. OSHA compliance
C. Physical security and cybersecurity
D. Training
E. Quality assurance
List additional high-profile FTC consent decrees.
- Eli Lilly and Company (2002)
- Nomi (2005)
- DesignerWare (2013)
- LabMD (2013)
True or false?
Some internet services fall within the scope of the Communications Assistance to Law Enforcement Act (CALEA).
True
The Civil Rights Act bars discrimination due to what?
Select all that apply.
A. Race B. Color C. Religion D. Disabilities E. Sex F. National origin G. Genetic information
A. Race B. Color C. Religion E. Sex F. National origin
When a customer calls a company’s service support line and hears a recorded message that the call may be recorded for quality purposes, this qualifies as a legal exception to which act prohibiting the wiretapping of telephone calls?
A. Omnibus Crime Control and Safe Streets Act
B. Electronic Communications Privacy Act (ECPA)
C. Stored Communication Act (SCA)
D. Privacy Protection Act (PPA)
A. Omnibus Crime Control and Safe Streets Act
Which federal agency oversees “the welfare of the job seekers, wage earners, and retirees of the United States”?
A. Federal Trade Commission (FTC)
B. Department of Labor (DOL)
C. National Labor Relations Board (NLRB)
D. Occupational Safety and Health Act (OSHA)
E. Securities and Exchange Commission (SEC)
F. Equal Employment Opportunity Commission (EEOC)
B. Department of Labor (DOL)
What are the elements of the test that a court will apply in deciding whether to grant a protective order request? Select all that apply.
A. Resisting party must show information is confidential
B. Requesting party must show information is relevant
C. Court must weigh the harm of disclosure against the need for the information
A. Resisting party must show information is confidential
B. Requesting party must show information is relevant
C. Court must weigh the harm of disclosure against the need for the information
When is the DPO a required role?
When the core activities of the controller or processor are:
• Processing activities that require “regular and systematic monitoring” of data subjects on a “large scale”
• Processing sensitive data (or personal data relating to criminal convictions/offences) on a “large scale”
• Processing by public bodies, other than courts acting in judicial capacity
A DPO appointed voluntarily is still subject to GDPR requirements
True or false? Restrictions on the processing of personal information may differ, depending on the source of the information.
True
Job candidate background screenings are required for what types of jobs? Select all that apply.
A. Those who work with children
B. Those who work with the elderly
C. Those who work with students (this is a little confusing—what if the students are children under a certain age?
D. Those who work with disabled individuals
A. Those who work with children
B. Those who work with the elderly
D. Those who work with disabled individuals
Which is a component of the Privacy Protection Act (PPA)? Select all that apply.
A. Provides an extra layer of protection for members of the media and media organizations from government searches or seizures
B. Prohibits government officials engaged in criminal investigations from searches or seizures of media work products or documentary materials
C. Applies to government officers or employees at all levels of government
A. Provides an extra layer of protection for members of the media and media organizations from government searches or seizures
B. Prohibits government officials engaged in criminal investigations from searches or seizures of media work products or documentary materials
C. Applies to government officers or employees at all levels of government
Which federal agency administers Privacy Shield?
A. State Department
B. Department of Commerce
C. Office of Management and Budget
D. Office for Civil Rights (HHS)
B. Department of Commerce
True or false?
Under the CCPA, a business may be required to include a “Do Not Sell My Personal Information” button on its website.
True
Read the scenario and determine if it qualifies as an exception or non-exception to FERPA’s non-consensual disclosure rules:
- An independent occupational therapist has been contracted by Anytown High School to provide services to five students. He shares one student’s educational history with a former colleague to develop a plan of action to better fit this student’s needs.
Disclosure not allowed: While the school contracted employee has access, sharing it with a third party without consent does not comply.
True or false? Under the GDPR, both controllers and processors have record-keeping obligations.
True
Under the GLBA Privacy Rule, what must a privacy notice include? Select all that apply.
A. What is collected
B. With whom information is being shared
C. How information will be safeguarded
D. How consumers can opt out
A. What is collected
B. With whom information is being shared
C. How information will be safeguarded
D. How consumers can opt out
If the PPA prohibits government officials from searching or seizing media work products or documentary materials, how could law enforcement obtain evidence from those engaged in these First Amendment activities
Law enforcement would need to rely on subpoenas or voluntary cooperation from the media.
True or false?
For data breach notification, state laws require email notice to be the default mode of communication.
False
Briefly summarize the FTC’s powers.
Preventing unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce,
seeking monetary redress and other relief for conduct injurious to consumers,
prescribing trade regulation rules, defining with specificity acts or practices that are unfair or deceptive,
establishing requirements designed to prevent such acts or practices.
True or false? At the state level, the FTC brings a variety of privacy-related enforcement actions pursuant to state laws prohibiting unfair and deceptive practices.
False. State attorneys general enforce state privacy-related laws.
True or false?
The Telephone Consumer Protection Act (TCPA) implements the Telemarketing Sales Rule (TSR).
False
True or false?
FISA was amended in 2008 because the flexible legal limits provided by the USA PATRIOT Act led to major legal, public relations and civil liberties issues
True
True or false?
HIPAA preempts stricter state laws.
False
True or false?
All state laws regarding data breaches require third-party notification and notification to the state attorney general.
True
Read the scenario and determine if it qualifies as an exception or non-exception to FERPA’s non-consensual disclosure rules:
- A subpoena has been granted to a local law enforcement officer to access a student’s records in connection with a criminal matter. While at the school, she hears that another student may be involved and asks to see that person’s records as well, since she’s already there, in order to save time and paperwork.
ANSWER: Disclosure not allowed: While the subpoena grants the officer access to a specific student’s records, she may not have the authority and/or enough information to justify accessing another student’s records.
Which act regulates financial institutions and their management of nonpublic personal information?
A. Fair Credit Reporting Act (FCRA)
B. Fair and Accurate Credit Transactions Act (FACTA)
C. Gramm-Leach-Bliley Act (GLBA)
D. Dodd-Frank Wall Street Reform and Consumer Protection Act
C. Gramm-Leach-Bliley Act (GLBA)
Which U.S. statutes provide the FTC with additional enforcement authority over privacy issues?
The Children’s Online Privacy Protection Act (COPPA),
the Fair Credit Reporting Act (FCRA),
the Gramm-Leach Bliley Act (GLBA),
the CAN-SPAM Act
What does NSL stand for?
A. National security landscape
B. National security letter
C. National security law
D. National security liability
B. National security letter
Under FERPA, how often should students receive notice of their rights?
A. Once, upon enrollment
B. Every six months
C. Annually
D. Only upon request
C. Annually
What are the key components of the Family Educational Rights and Privacy Act (FERPA)?
A. Compliance, monitoring, reporting and auditing
B. Notice, consent, access and correction, and security and accountability
C. Individual rights, transparency, consent, training and safeguards
D. Administrative, policy and technical controls to protect student personal information
B. Notice, consent, access and correction, and security and accountability
Which act restricts accessing, using and disclosing customer proprietary network information (CPNI)?
A. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
B. Telecommunications Act
C. Cable Communications Policy Act
D. Video Privacy Protection Act (VPPA)
B. Telecommunications Act
Which step in the process for developing an incident response program involves permitting affected systems back into the production environment and ensuring no threat remains?
A. Containment
B. Eradication
C. Recovery
D. Lessons learned
C. Recovery
What privacy concerns might arise as employers follow federal laws for employee benefits management in the workplace?
EXAMPLE ANSWERS:
- The collection or continued maintenance of employee data when maintaining COBRA coverage
- The types of data that might be collected and maintained when complying with FMLA
Which procedures should be considered regarding the termination of employment? Select all that apply.
A. Have a secure method to deactivate physical access badges, keys and smartcards
B. Disable access to computer accounts
C. Design IT systems to minimize disruption
D. Ensure the return of all devices and any company data that is held by the employee outside of the company’s systems
A. Have a secure method to deactivate physical access badges, keys and smartcards
B. Disable access to computer accounts
C. Design IT systems to minimize disruption
D. Ensure the return of all devices and any company data that is held by the employee outside of the company’s systems
Which of the following is an agreement or settlement that resolves a dispute between two parties without admission of guilt or liability?
A. Common law
B. Tort law
C. Contract law
D. Consent decree
D. Consent decree
Under the U.S. National Do Not Call (DNC) Registry, how often must telemarketers update their call lists?
A. Annually
B. Every 31 days
C. Every two months
D. Semi-annually
B. Every 31 days
True or false?
The USA PATRIOT Act was passed in response to the Edward Snowden revelations.
False
True or false?
The Fair Credit Reporting Act (FCRA) amended the Fair and Accurate Credit Transactions Act (FACTA).
False
Who may need privacy training? Select all that apply.
A. Customer service representatives B. Leaders at the executive level C. Marketing managers D. Sales executives E. IT staff
A. Customer service representatives B. Leaders at the executive level C. Marketing managers D. Sales executives E. IT staff
Consumer Reporting Agencies (CRAs) reasons for compiling personal records.
The “big three” are Equifax, TransUnion and Experian, but there are thousands of smaller CRAs that compile personal records, such as criminal records and driving histories, for other consumer reporting purposes, such as preemployment screening.
What does CRA stand for?
A. Credit Reform Act
B. Consumer reporting agency
C. Cooperate retail authorities
D. Confirmed right of access
B. Consumer reporting agency
Which of the following are data subject rights under the GDPR? Select all that apply.
A. Data portability
B. Rectification of inaccurate or incomplete personal data C. Erasure
D. Restriction of processing
A. Data portability
B. Rectification of inaccurate or incomplete personal data
C. Erasure
D. Restriction of processing
What does Section 5(a) under the FTC Act prohibit?
“Unfair or deceptive acts or practices in or affecting commerce.”
True or false?
All U.S. state laws preempt federal laws.
False
Which amendment to the United States Constitution articulates many of the fundamental concepts used by privacy professionals in the U.S.?
A. First Amendment
B. Second Amendment
C. Third Amendment
D. Fourth Amendment
D. Fourth Amendment
In the event of a data breach, Connecticut’s breach notification law defines personal information as the first name (or initial) and last name in combination with one or more what? Select all that apply.
A. Social Security number B. Driver’s license number C. Mailing address D. Phone number E. Bank account or card number in combination with a security or access code
A. Social Security number
B. Driver’s license number
E. Bank account or card number in combination with a security or access code
How are the CCPA and GDPR similar?
- Broad applicability beyond physical jurisdictions
- Potential for large fines for violations
- Data subject right of access
Which federal agency is the most visible proponent of privacy concerns in the U.S.?
A. Department of Commerce (DOC)
B. Department of Homeland Security (DHS)
C. Office for Civil Rights (HHS)
D. Federal Trade Commission (FTC)
D. Federal Trade Commission (FTC)
What are the organization’s responsibilities in relation to the DPO role?
Communication with/involvement of the DPO in all issues related to personal data protection
• DPO access to personal data and processing operations
• Resources to help carry out tasks
• Safeguards to enable the DPO to perform tasks independently
• DPO reports to the highest levels of management
True or false?
The FACTA Disposal Rule requires any entity that uses a consumer report for a business purpose to dispose of it in a way that prevents unauthorized access and misuse of the data.
True
What qualifies as individually identifiable health information?
EXAMPLE ANSWERS: Name, address, phone number
True or false?
The No Child Left Behind Act (NCLBA) broadened the Protection of Pupil Rights Amendment (PPRA).
True
What additional technologies or areas that may be of concern to the FTC now or in the near future?
A few are listed below:
• Algorithms
• Artificial intelligence
• Predictive analytics
Which act is intended to expedite the research process for medical devices and prescription drugs?
A. Health Insurance Portability and Accountability Act (HIPAA)
B. Health Information Technology for Economic and Clinical Health Act (HITECH)
C. 21st Century Cures Act
D. Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act
C. 21st Century Cures Act
What does MSCM stand for?
A. Multi-storage cached media
B. Microdata sets for customer metrics
C. Mobile service commercial message
D. Model for secure cyber metadata
C. Mobile service commercial message
What are the key privacy provisions found in Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999?
Financial institutions must:
• Respect their customers’ privacy
• Keep their customers’ nonpublic personal information secure
• “Establish appropriate administrative, technical, and physical safeguard standards”
• Store personal information in a secure manner
• Provide notice of their sharing policies • Provide consumers an option to opt out of third-party sharing
What theory of legal liability is described as the absence of or failure to exercise proper or ordinary care?
A. Defamation
B. Negligence
C. Breach of warranty
D. Strict tort liability
B. Negligence
True or false?
The Employee Polygraph Protection Act (EPPA) prohibits employers from using lie detectors and taking adverse action against an employee who refuses to take a test.
True
During which decade did the FTC’s perspective evolve into a harm-based model?
A. 1980s
B. 1990s
C. 2000s
D. 2010s
C. 2000s
What are some major components of financial privacy? Select all that apply.
A. Confidentiality
B. Laws and regulations
C. Security
D. Anonymity
A. Confidentiality
B. Laws and regulations
C. Security
Which authority was created by the Dodd-Frank Wall Street Reform and Consumer Protection Act?
A. Bureau of the Fiscal Service (Fiscal Service)
B. Consumer Financial Protection Bureau (CFPB)
C. Bureau of Consular Affairs (CA)
D. Federal Financing Bank (FFB)
B. Consumer Financial Protection Bureau (CFPB)
To what areas does the Americans with Disabilities Act apply?
A. employment
B. public transportation
C. public accommodations
D. telecommunications
A. employment
B. public transportation
C. public accommodations
D. telecommunications
The Americans with Disabilities Act (ADA) prohibits discrimination against people with disabilities in several areas, including employment, transportation, public accommodations, communications and access to state and local government’ programs and services.
True or false?
Federal law mandates substance use testing for certain positions.
True
In addition to the Americans with Disabilities Act, which federal laws* prohibit discrimination in the workplace?
Title VII of the Civil Rights Act of 1964 bars discrimination in employment due to race, color, religion, sex and national origin
- The Equal Pay Act of 1963 bars wage disparity based on sex
- The Age Discrimination Act bars discrimination against individuals over 40
- The Discrimination Act bars discrimination due to pregnancy, childbirth and related medical conditions
- The Americans with Disabilities Act of 1990 bars discrimination against qualified individuals with disabilities
- The Genetic Information Nondiscrimination Act of 2008 bars discrimination based on individuals’ genetic information
- The Bankruptcy Act provision 11 U.S.C. § 525(b) prohibits employment discrimination against persons who have filed for bankruptcy
- Some ambiguity on whether the statute applies to discrimination prior to the extension of an offer of employment; courts have read the statute both ways
What is COIT?
Consumerization of information technology (COIT): Use of personal computing devices in the workplace and online services (webmail, cloud storage, social media)
Which of the following federal laws ensures that employee benefits programs are created fairly and administered properly?
A. The Health Insurance Portability and Accountability Act (HIPAA)
B. The Consolidated Omnibus Budget Reconciliation Act (COBRA)
C. The Employee Retirement Income Security Act (ERISA)
D. The Family and Medical Leave Act (FMLA)
C. The Employee Retirement Income Security Act (ERISA)
What are the pros of monitoring in the workplace? Select all that apply.
A. OSHA compliance B. Employee morale C. Physical security and cybersecurity D. Training E. Quality assurance
A. OSHA compliance
C. Physical security and cybersecurity
D. Training
E. Quality assurance
Which federal agency oversees “the welfare of the job seekers, wage earners, and retirees of the United States”?
A. Federal Trade Commission (FTC)
B. Department of Labor (DOL)
C. National Labor Relations Board (NLRB)
D. Occupational Safety and Health Act (OSHA)
E. Securities and Exchange Commission (SEC)
F. Equal Employment Opportunity Commission (EEOC)
B. Department of Labor (DOL)
Job candidate background screenings are required for what types of jobs? Select all that apply.
A. Those who work with children
B. Those who work with the elderly
C. Those who work with students (this is a little confusing—what if the students are children under a certain age?
D. Those who work with disabled individuals
A. Those who work with children
B. Those who work with the elderly
D. Those who work with disabled individuals
What privacy concerns might arise as employers follow federal laws for employee benefits management in the workplace?
EXAMPLE ANSWERS:
- The collection or continued maintenance of employee data when maintaining COBRA coverage
- The types of data that might be collected and maintained when complying with FMLA
Which procedures should be considered regarding the termination of employment? Select all that apply.
A. Have a secure method to deactivate physical access badges, keys and smartcards
B. Disable access to computer accounts
C. Design IT systems to minimize disruption
D. Ensure the return of all devices and any company data that is held by the employee outside of the company’s systems
A. Have a secure method to deactivate physical access badges, keys and smartcards
B. Disable access to computer accounts
C. Design IT systems to minimize disruption
D. Ensure the return of all devices and any company data that is held by the employee outside of the company’s systems
True or false?
The Employee Polygraph Protection Act (EPPA) prohibits employers from using lie detectors and taking adverse action against an employee who refuses to take a test.
True
Business need, as related to an employee, is defined as:
A. the minimum number of employees needed to run a particular company
B. the activities performed by a company that require access to personal employee information
C. any expenses related to the creation of the product or service
D. the total amount of debt a company owns
B. the activities performed by a company that require access to personal employee information
Testing for changes in employee or applicant DNA to monitor the effects of exposure to hazardous work sites is called:
A. genetic screening
B. mandatory drug testing
C. mandatory DNA testing
D. genetic monitoring
D. genetic monitoring
Testing job applicants for genetic inheritable traits is called:
A. genetic screening
B. mandatory drug testing
C. mandatory DNA
D. genetic monitoring
A. genetic screening
Which of the following is most accurate regarding workplace privacy?
A. Workplace privacy is the same in every state
B. US privacy protection at the workplace is the strictest in the world
C. Workers have a high level of influence in workplace practices
D. There is no law that covers privacy specifically
D. There is no law that covers privacy specifically
<p>Which of the following is not a source of protection for employees?</p>
<p>A. State labor laws</p>
<p>B. Contract and tort law</p>
<p>C. Overarching employment privacy law</p>
<p>D. Certain federal laws</p>
C. Overarching employment privacy laws
What is the most accurate comparison between US and EU workplace privacy?
A. the US inspired the EU legislation
B. the EU has no law that is applicable to the workplace
C. the US had cubicles, whereas in the EU cubicles are forbidden because of privacy concerns
D. EU employees data falls under the scope of the General Data Protection Regulation and offers more protection
D. EU employees data falls under the scope of the General Data Protection Regulation and offers more protection
In the US, it is employment at will. What is the consequence of this?
A. all legislation is rendered invalid
B. you can buy privacy
C. many aspects, covered by laws in other continents, are at the discretion of the employer
D. employees have no rights
C. many aspects, covered by laws in other continents, are at the discretion of the employer
Of the following laws, which does not have employment privacy implications?
A. The Children’s Online Privacy Protection Act
B. The Employee Retirement Income Security Act
C. HIPAA
D. The Fair Labor Standards Act
A. The Children’s Online Privacy Protection Act
At which state of employment do employers need to take into account workplace privacy considerations
A. before employment
B. before, during, and after employment
C. during employment
D. after employment
B. before, during, and after employment
What is true about Bring Your Own Device policies?
A. only company-issued equipment is allowed to be used
B. it brings along security risks and requires reconsideration of the level of monitoring
C. employees surrender their data when a Bring Your Own Device policy is in place
D. Bring Your Own Device practices are illegal
B. it brings along security risks and requires reconsideration of the level of monitoring
<p>Job candidate background screenings are required for what types of jobs? Select all that apply.</p>
<p>A. Those who work with children</p>
<p>B. Those who work with the elderly</p>
<p>C. Those who work with students (this is a little confusing—what if the students are children under a certain age?</p>
<p>D. Those who work with disabled individuals</p>
A. Those who work with children
B. Those who work with the elderly
D. Those who work with disabled individuals
Which of the following is a consequence of the Employee Polygraph Protection Act?
A. only grade A and B type polygraphs are allowed to be used
B. an employer cannot use a polygraph test to screen an applicant
C. a statement of sincerity is required to substitute a polygraph
D. employers cannot screen applicants
B. an employer cannot use a polygraph test to screen an applicant
Which of the following is most restrictive for employers in the US in relation to privacy?
A. HIPAA
B. Children’s Online Privacy Protection Act
C. Fourth Amendment
D. Fair and Accurate Credit Transactions
C. Fourth Amendment
Which of the following sources of law affect privacy for private-sector employees?
A. Federal constitutional law
B. Contract law
C. Torts
D. Statutes
B. Contract law
C. Torts
D. Statutes
Which one of the following sources of personal information are U.S. employers permitted to access when conducting a background screening of prospective new hires?
A. Military discharge records.
B. Arrest records.
C. Credit reports with the person’s written consent.
D. None of the above.
C. Credit reports with the person’s written consent.
Under what circumstances is it permissible to monitor employees in the workplace?
A. In order to prevent a crime or act of violence in the workplace
B. In order to control the quality of products or service
C. In order to reduce absenteeism
D. All of the above are permissible reasons to monitor employees in the workplace
D. All of the above are permissible reasons to monitor employees in the workplace
Which laws govern employee rights in the United States?
A. The U.S. federal government has specific regulations about protecting employee privacy
B. Most state governments have specific regulations about protecting employee privacy
C. Common laws in the United States provide employees with specific legal remedies
D. Civil rights provide employees with specific remedies
C. Common laws in the United States provide employees with specific legal remedies
Which of the following statements is false regarding U.S. employee privacy policies generally?
A. Most organizations are required by law to have an employee privacy policy
B. Employees have a right to view all information contained in employment records at all times
C. Most organizations are required to keep a record that verifies employment status indefinitely
D. All of the above are false statements
B. Employees have a right to view all information contained in employment records at all times
What role can labor unions play in workplace monitoring?
A. According to the NLRB, labor unions must agree to any workplace monitoring conducted on its members
B. Labor unions can argue only against video surveillance
C. Labor unions can argue only against audio surveillance
D. Labor unions play no role in workplace monitoring
A. According to the NLRB, labor unions must agree to any workplace monitoring conducted on its members
Under what situation may postal mail addressed to an employee not be opened by other employees or the employer?
A. if the mail is marked “Personal” or “Confidential”
B. if the employee requests his mail not be opened
C. employee mail can always be opened by other employees or the employer D. employee mail can never be opened by other employees or the employer
A. if the mail is marked “Personal” or “Confidential”
How may employers track employees using GPS?
A. through GPS chips in company cell phones
B. through GPS in company cars
C. through GPS chips implanted in the employee’s skin
D. employers are not allowed to track employees with GPS
A. through GPS chips in company cell phones
B. through GPS in company cars
What information may employers track using GPS?
A. length of breaks
B. employee movements
C. speed at which employee is driving company car
D. employers are not allowed to track employees with GPS
A. length of breaks
B. employee movements
C. speed at which employee is driving company car
If an employee feels that an employer has violated his privacy rights, what should the employee do?
A. contact the state department of labor
B. contact an employment attorney
C. stay quiet
D. 1uit the job
A. contact the state department of labor
B. contact an employment attorney
What company task is commonly the responsibility of human rights management?
A. recruitment
B. payroll
C. training
D. performance evaluation
A. recruitment
B. payroll
C. training
D. performance evaluation
If a business operates in the United States, what data laws should it consult before determining data classification?
A. HIPAA
B. Sarbanes-Oxley Act
C. Gramm-Leach-Bliley Act
D. Basel II
A. HIPAA
B. Sarbanes-Oxley Act
C. Gramm-Leach-Bliley Act
If a business is operating internationally, what data laws should it consult before determining data classification?
A. HIPAA
B. Sarbanes-Oxley Act
C. Gramm-Leach-Bliley Act
D. Basel II
D. Basel II
About which of the following would an employer be legally able to ask a job applicant?
A. height and weight
B. religion
C. pregnancy status
D. the nature and severity of a disability or illness
A. height and weight
It is acceptable for an employer to ask a job applicant about all of the following, except:
A. If an applicant is prevented from being lawfully employed, due to visa or immigration status.
B. If an applicant can read, write and speak foreign languages, if it relates to job requirements.
C. If an applicant is a US citizen.
D. If an applicant will provide proof of a legal right to work in the country, after he/she is hired.
C. If an applicant is a US citizen.
It is acceptable for an employer to ask a job applicant about:
A. convictions made within the last year.
B. arrests or convictions made within the last five years.
C. convictions made within the last ten years.
D. arrests within the last ten years.
C. convictions made within the last ten years.
Which of the following statements is NOT true of workplace photograph practices?
A. Employers in the EU require employee consent for use of photographs.
B. Employers in the US may not request photographs from their employees, even if the submission is voluntary.
C. Posting photos on websites should be done with employee consent.
D. Employers are not permitted to request that applicants submit a photograph before they are hired.
B. Employers in the US may not request photographs from their employees, even if the submission is voluntary.
Which of the following statements is TRUE regarding the collection of SSN (social security numbers)?
A. There are very few state laws regarding the collection of SSNs.
B. The best practice is collection of SSNs from employees as soon as possible.
C. If SSN information is leaked, a security breach notification need not be released.
D. There are no laws that prohibit the collection of SSN prior to job offer.
D. There are no laws that prohibit the collection of SSN prior to job offer.
Personality, psychological and performance tests may be problematic, according to which of the following laws?
A. Americans with Disabilities Act
B. Civil Rights Act of 1964
C. Equal Opportunity Employment Act
D. Genetic Information Nondiscrimination Act
A. Americans with Disabilities Act
The Employee Polygraph Protection Act of 1998 (EPP) prohibits employers from doing all of the following EXCEPT:
A. Requesting that an applicant take a lie detector test.
B. Requiring a current employee to take a lie detector test.
C. Referring to or inquiring about test results.
D. Using licensed and bonded testing professionals to conduct polygraph tests in certain cases.
D. Using licensed and bonded testing professionals to conduct polygraph tests in certain cases.
Which of the following statements is NOT true about workplace drug and alcohol tests in the US?
A. Routine drug testing is permitted if employees are notified of this practice when they are hired.
B. Pre-employment screening to identify present addiction to illegal drugs is permitted.
C. Employers can use drug/alcohol tests as a condition for continued employment, if there is a reasonable suspicion.
D. In certain jurisdictions, random drug testing is prohibited.
B. Pre-employment screening to identify present addiction to illegal drugs is permitted.
Which of the following should not be included in an employee background check?
A. credit records
B. professional credentials
C. arrests
D. civil litigation history
C. arrests
Employee monitoring is done for which of the following reasons?
A. to prevent loss of intellectual property
B. to protect public health and safety
C. to ensure quality control
D. all of the above
D. all of the above
Monitoring of e-mail is permissible if:
A. the company has user consent.
B. the company has user consent or owns the equipment on which the email is stored.
C. the company monitors the email through an automated system.
D. none of the above; e-mail monitoring is not permissible under Federal laws.
B. the company has user consent or owns the equipment on which the email is stored.
Which of the following states have specific statues requiring notice prior to electronic monitoring in the workplace?
A. Delaware
B. Florida
C. California
D. Illinois
A. Delaware
Which of the following statements is NOT true of employee monitoring outside the US?
A. Monitoring must be proportionate to the practices it is to detect or prevent.
B. The results of workplace monitoring must be treated as highly sensitive data.
C. Monitoring practices may require the consent of authorities and works councils.
D. In many EU countries, employee monitoring is less regulated than in the US.
D. In many EU countries, employee monitoring is less regulated than in the US.
A company breaches a legal duty to safeguard sensitive information and as a result, individuals are harmed by this breach. The company would be liable on the basis of:
A. negligence
B. deceptive trade practices
C. unfair practices
D. all of the above
A. negligence
The board of the National Labor Relations Board is appointed by:
A. the President
B. the Senate
C. the President, with the Senate’s approval
D. elections
l
What is a workplace change that was brought about by OSHA?
A. guards covering moving parts when contact with humans may occur
B. permissible exposure limits for chemicals
C. personal protective equipment for workers
D. CAN-SPAM
l
These letters are sent to public companies from the SEC requesting comments on particular issues.
A. advisory letters
B. warnings
C. comment letters
D. memoranda
l
A proven case of negligence could entitle the injured party to compensation for:
A. bodily harm
B. property damage
C. mental health
D. finances
k
What condition is excluded from the Americans with Disabilities Act?
A. substance abuse problems
B. multiple sclerosis
C. vision problems that can be corrected by lenses
D. paralysis
l
Under the ADA, how is it determined if someone is disabled?
A. decision made on a case-by-case basis
B. there is a checklist of criteria
C. the person must be handicapped
D. the person must be on disability
l
The ADA definition of a disability states that the impairment must limit:
A. movement
B. sight
C. a major life activity
D. happiness
l
The Civil Rights Act of 1964 outlawed:
A. slavery
B. discrimination against the disabled
C. racial segregation
D. telemarketing fraud
l
The Equal Pay Act of 1963 prohibited wage differences based on:
A. race
B. religion
C. gender
D. sexuality
l
Employee exit management refers to a process during which an employee:
A. leaves of her own accord
B. leaves based on a mutual agreement
C. is terminated
D. receives a promotion
l
What is an issue a company might have to consider during an employee termination?
A. avoidance of litigation
B. protection of trade secrets
C. hiring a replacement
D. references
l
When an employee is “terminated without prejudice,” it means:
A. the company wishes him well in the future
B. the employee may be rehired for a job at that company in the future
C. the company considers the employee incompetent
D. the company will not provide references
l
What is a reason an employee may be terminated with prejudice?
A. incompetence
B. dishonesty
C. layoffs
D. insubordination
l
An employee fired for what reason could bring a wrongful termination lawsuit against the company?
A. employer discrimination
B. employee refusal to do something illegal for the employer
C. employer retaliation
D. employee incompetence
l
When an employer knows an employee is to be terminated, it should contact the Network Administrator for the company and terminate the employee’s access to:
A. the computer system
B. the telephone systems
C. building entry code
D. lockers
l
This type of discipline is a process in which an employee is warned about poor performance in an increasingly formal series of steps.
A. metric
B. progressive
C. instigating
D. termination
l
An employee termination meeting should include:
A. the employee
B. the employee’s direct supervisor
C. the employee’s spouse
D. lawyer
k
What is an action that may lead to immediate termination of employment with cause?
A. acts of violence
B. property theft
C. incompetence
D. no call, no show
l
Employers may be required to offer terminated employees information about this continuing health care coverage program.
A. HIPAA
B. AETNA
C. Humana
D. COBRA
k
What records should an employer generally keep for a year after an employee has
been terminated?
A. resume
B. application
C. employment test
D. payroll records
l
An employee termination meeting should include:
A. employee’s spouse
B. co-workers
C. HR representative
D. lawyer
l
