Chapter 9 Siedel Flashcards
Katie is assessing her organization's privacy practices and determines that the organization previously collected customer addresses for the purpose of shipping goods and is now using those addresses to mail promotional materials. If this possibility was not previously disclosed, what privacy principle is the organization most likely violating?
A. Quality
B. Management
C. Notice
D. Security
C. Notice
Explanation:
One of the provisions of the notice principle is that organizations should provide notice to data subjects before they use information for a purpose other than those that were previously disclosed.
Kara is the chief privacy officer of an organization that maintains a database of customer information for marketing purposes. What term best describes the role of Kara’s organization with respect to that database?
A. Data subject
B. Data custodian
C. Data controller
D. Data processor
C. Data controller
Explanation:
Kara's organization is collecting and processing this information for its own business needs. Therefore, it is best described as the data controller.
Richard would like to use an industry standard reference for designing his organization's privacy controls. Which one of the following standards is best suited for this purpose?
A. ISO 27001
B. ISO 27002
C. ISO 27701
D. ISO 27702
C. ISO 27701
Explanation:
ISO 27701 covers best practices for implementing privacy controls. ISO 27001 and ISO 27002 relate to an organization's information security program. ISO 27702 does not yet exist.
When designing privacy controls, an organization should be informed by the results of what type of analysis?
A. Impact analysis
B. Gap analysis
C. Business analysis
D. Authorization analysis
B. Gap analysis
Explanation:
The gap analysis is the formal process of identifying deficiencies that prevent an organization from achieving its privacy objectives. The results of the gap analysis may be used to design new controls.
State data breach notification laws may require organizations to notify which of the following parties?
A. Consumers impacted by the breach
B. State regulatory authorities
C. National credit reporting agencies
D. All of the above
D. All of the above
Explanation:
While they vary by state, breach notification laws may require notification to consumers, state regulators, and credit reporting agencies.
Which of the following is not a potential consequence an organization may face under state law following a breach?
A. An obligation to provide free credit monitoring to affected consumers
B. Enforcement actions, including penalties, from state attorneys general
C. Civil actions brought by consumers under a private right of action
D. Criminal prosecution of company employees who allowed the breach to occur
D. Criminal prosecution of company employees who allowed the breach to occur
Explanation:
While not all states impose all of these penalties, free credit monitoring, penalties sought by an attorney general, and civil suits arising from a private right of action are potential consequences for an organization. Unless some other criminal act has occurred, criminal prosecution of employees is highly unlikely.
MediRecs Co provides secure server space to help healthcare providers store medical records. MediRecs would be best described under HIPAA as which of the following?
A. Service provider
B. Business Associate
C. Covered partner
D. Covered entity
B. Business Associate
Explanation:
Under HIPAA, business associates are third-party firms that participate in the handling of PHI for a covered entity. Covered entities are required to have a business associate agreement (BAA) with such companies that confers responsibility for HIPAA compliance on the third party.
Dimitri cashed a paycheck at County Bank three months ago, but he doesn't have an account there and hasn't been back since. Under GLBA, County Bank should consider Dimitri as which of the following?
A. Customer
B. Consumer
C. Visitor
D. No relationship with the bank
B. Consumer
Explanation:
GLBA distinguishes between customers and consumers. Customers are people like account holders who have ongoing relationships with the bank. Consumers may only conduct isolated transactions with the bank. This is important because the bank has fewer obligations to Dimitri under GLBA, since he is not technically a customer.
Which amendment to the US Constitution explicitly grants individuals the right to privacy?
A. First Amendment
B. Fourth Amendment
C. Fifth Amendment
D. None of the above
D. None of the above
Explanation:
The Fourth Amendment has been interpreted to provide individuals with some privacy rights, but it does not explicitly establish a right to privacy. The word "privacy" appears nowhere in the text of the Constitution.
What source contains much of the administrative law created by the US government?
A. US Code
B. Bill of Rights
C. Code of Federal Regulations
D. US Constitution
C. Code of Federal Regulations
Explanation:
Administrative law is commonly documented in the Code of Federal Regulations (CFR). The US Code contains legislative law. The US Constitution and its amendments (including the Bill of Rights) contain constitutional law.
During a negligence lawsuit, the court determined that the respondent was not at fault because the plaintiff did not present evidence that they suffered some form of harm. What element of negligence was missing from this case?
A. Duty of care
B. Breach of duty
C. Causation
D. Damages
D. Damages
Explanation:
In order to prevail on a negligence claim, the plaintiff must establish that there were damages involved, meaning that they suffered some type of financial, physical, emotional, or reputational harm.
Which of the following elements is not always required for the creation of a legal contract?
A. An offer
B. Acceptance of an offer
C. Written agreement
D. Consideration
C. Written agreement
Explanation:
Many states do have laws requiring that some contracts be in written form, but there is no universal requirement that a contractual agreement take place in writing, although written contracts are clearly preferable. The conditions that must be met for a contract to be enforceable include that each party to the contract must have the capacity to agree to the contract, an offer must be made by one party and accepted by the other, consideration must be given, and there must be mutual intent to be bound.
What category of law best describes the HIPAA Privacy Rule?
A. Constitutional Law
B. Common Law
C. Legislative Law
D. Administrative Law
D. Administrative Law
Explanation:
HIPAA is legislation passed by Congress. However, the HIPAA Privacy Rule and HIPAA Security Rule did not go through the legislative process. They are examples of administrative law created by the Department of Health and Human Services to implement the requirements of HIPAA.
Which statute addresses security and privacy matters in the US financial industry?
A. GLBA
B. FERPA
C. SOX
D. HIPAA
A. GLBA
Explanation:
The Gramm-Leach-Bliley Act (GLBA) governs the security and privacy of personal information in the financial industry. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Sarbanes-Oxley Act (SOX) governs the records of publicly traded corporations. HIPAA applies to healthcare providers, health insurers, and health information clearinghouses.
The right to be forgotten refers to which of the following?
A. The right to no longer pay taxes
B. Erasing criminal history
C. The right to have all of a data subject's data erased
D. Masking
C. The right to have all of a data subject's data erased
Explanation:
The right to be forgotten was first established under the European Union's General Data Protection Regulation (GDPR). It requires that, in many circumstances, companies delete personal information maintained about an individual at that individual's request.