CIPP Class Questions

Question 1

True or false? The word privacy is not mentioned in the U.S. Constitution

Answer 1

True

Question 2

Which of the following sources of law affect privacy for private-sector employees? Select all that apply.

A. Federal constitutional law B. Contract law
C. Torts
D. Statutes

Answer 2

B. Contract law
C. Torts
D. Statutes

Question 3

True or false?

Federal law mandates substance use testing for certain positions.

Answer 3

True

Question 4

Read the scenario and determine if it qualifies as an exception or non-exception to FERPA’s non-consensual disclosure rules:

2. School Instruction Improvement Company, Inc. accesses school records to verify the demographics of the student body.

Answer 4

Disclosure allowed: Disclosing information to organizations on the behalf of schools for test development, student aid programs or instruction improvement is acceptable.

Question 5

What are the advantages and disadvantages of BYOD programs in the workplace?

Answer 5

Advantages:
• Same home/work technology
• More flexibility • Efficiency and productivity
• Employer increased accessibility to employee

• Disadvantages:
• Lack of employer control
• Exposure of organization to security vulnerabilities and threats

Question 6

In addition to the Americans with Disabilities Act, which federal laws* prohibit discrimination in the workplace?

Answer 6

Title VII of the Civil Rights Act of 1964 bars discrimination in employment due to race, color, religion, sex and national origin
• The Equal Pay Act of 1963 bars wage disparity based on sex
• The Age Discrimination Act bars discrimination against individuals over 40
• The Discrimination Act bars discrimination due to pregnancy, childbirth and related medical conditions
• The Americans with Disabilities Act of 1990 bars discrimination against qualified individuals with disabilities
• The Genetic Information Nondiscrimination Act of 2008 bars discrimination based on individuals’ genetic information
• The Bankruptcy Act provision 11 U.S.C. § 525(b) prohibits employment discrimination against persons who have filed for bankruptcy
• Some ambiguity on whether the statute applies to discrimination prior to the extension of an offer of employment; courts have read the statute both ways

Question 7

True or false?

Health insurance providers may, under some circumstances, implement higher premiums based on genetic information.

Answer 7

False

Question 8

What is COIT?

Answer 8

Consumerization of information technology (COIT): Use of personal computing devices in the workplace and online services (webmail, cloud storage, social media)

Question 9

Which act was passed as part of the ECPA to address interception of electronic communications in facilities where electronic communication service is provided?

A. Privacy Protection Act (PPA)

B. Stored Communications Act (SCA)

C. Communications Assistance to Law Enforcement Act (CALEA)

D. Electronic Communications Privacy Act (ECPA)

Answer 9

B. Stored Communications Act (SCA)

Question 10

Which act requires giving a privacy notice to subscribers at the time of the initial agreement (and annually thereafter) including the nature of personal information collected, how it is used, and retention period, as well as how to access and correct information?

A. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
B. Telecommunications Act
C. Cable Communications Policy Act
D. Video Privacy Protection Act (VPPA)

Answer 10

C. Cable Communications Policy Act

Question 11

Which of the following terms specifically means removing or blocking information from court documents?

A. Protective order
B. Protecting publicly available information (PPAI)
C. Electronic discovery
D. Redaction

Answer 11

D. Redaction

Question 12

Which of the following are required for an entity to be considered a “business” under the California Consumer Privacy Act? Select all that apply.

A. An entity that makes $10 million in annual revenue

B. An entity that holds the personal information of 50,000 people, households or devices

C. An entity that makes at least half of its revenue from the sale of personal information

Answer 12

B. An entity that holds the personal information of 50,000 people, households or devices

C. An entity that makes at least half of its revenue from the sale of personal information

Question 13

Which are exceptions to state breach notification laws? Select all that apply.

A. Entities subject to other, more stringent data breach notification laws

B. Entities that already follow breach notification procedures that are compatible with state law

C. Entities enrolled in self-certification programs that meet industry security standards

Answer 13

A. Entities subject to other, more stringent data breach notification laws

B. Entities that already follow breach notification procedures that are compatible with state law

Question 14

True or false?

Technology companies that provide free teaching materials are subject to the laws and regulations of FERPA, PPRA and NCLBA.

Answer 14

True

Question 15

Is there an overarching employment privacy law in the U.S.?

Answer 15

EXAMPLE ANSWER: There is no overarching law for employment privacy.

• Some constitutional, federal, state, tort and statutory laws impact privacy
• Contracts between employer and employee may impact privacy agreements
• There is considerable local variation and complexity on employment privacy issues
• Many U.S. labor laws mandate employee data collection and management practices, such as conducting background checks and ensuring and documenting a safe workplace environment
• Organizations also have incentives to gather information about employees and monitor the workplace to reduce the risk of being sued for negligent hiring or supervision

Question 16

Read the scenario and determine if it qualifies as an exception or non-exception to FERPA’s non-consensual disclosure rules:

5. Anystate University is putting together a financial aid proposal for a student who applied to the school and reviews their records to determine if the student is eligible for an academic scholarship.

Answer 16

ANSWER: Disclosure allowed: As it’s in connection with financial aid for which the student has applied.

Question 17

Which state data security law is generally considered the most prescriptive in the nation?

A. California AB 1950 (2004)
B. Massachusetts 201 CMR 17
C. Washington state security law, HB 1149

Answer 17

B. Massachusetts 201 CMR 17

Question 18

Under the Fair Credit Reporting Act (FCRA), which are employer requirements for obtaining a consumer report on an applicant? Select all that apply.

A. Have a permissible purpose
B. Provide notification of the intention to run a consumer report
C. Allow the applicant to receive a copy of the report
D. Obtain written authorization from the applicant
E. Use a qualified credit reporting agency
F. Provide notice to the credit reporting agency outlining the intended purpose of the report
G. Provide the applicant with notice and a copy of the report for dispute prior to adverse action

Answer 18

A. Have a permissible purpose
B. Provide notification of the intention to run a consumer report
C. Allow the applicant to receive a copy of the report
D. Obtain written authorization from the applicant
E. Use a qualified credit reporting agency

G. Provide the applicant with notice and a copy of the report for dispute prior to adverse action

Question 19

What are the four steps involved in the development of a privacy program?

A. Discover, build, communicate, evolve
B. Research, design, build, audit
C. Brainstorm, propose, implement, follow-through
D. Test, learn, revise, monitor

Answer 19

A. Discover, build, communicate, evolve

Question 20

Which authorities oversee privacy-related issues in the U.S.? Select all that apply.

A. The Federal Trade Commission (FTC)
B. State attorneys general
C. The national data protection authority
D. Federal financial regulators

Answer 20

A. The Federal Trade Commission (FTC)
B. State attorneys general

D. Federal financial regulator

Question 21

Under what circumstances do limitations and exceptions to the HIPAA Privacy Rule apply?

Answer 21

De-identification: Information does not identify an individual via:
1. Removing data elements listed in the rule (name, address)

2. An expert certifying that the risk of re-identifying is small

• Research: Can occur with the consent of the individual or without consent if an authorized entity approves it
• Other: Public health activities, such as reporting abuse or neglect, judicial and administrative proceedings, specialized government functions
• Entity must release PHI to the individual to whom it pertains or their rep. and to the secretary of HHS

Question 22

Which is a provision of the Cybersecurity Information Sharing Act (CISA)? Select all that apply.

A. Companies must remove personal information before sharing

B. Companies are protected from liability for monitoring activities

C. Companies that process the personal information of 100,000 individuals or more are required to participate

D. Sharing information with the federal government does not waive privileges

E. Shared information is exempt from federal and state Freedom of Information laws

Answer 22

A. Companies must remove personal information before sharing

B. Companies are protected from liability for monitoring activities

D. Sharing information with the federal government does not waive privileges

E. Shared information is exempt from federal and state Freedom of Information laws

Question 23

Rules that govern the collection and handling of personal information regarding internet activity can be categorized as what type of privacy?

Answer 23

Information privacy

Question 24

True or false?

Most U.S. states have laws limiting the use of Social Security numbers.

Answer 24

True

Question 25

True or false? When federal laws do not provide a consumer protection that a state believes is necessary, the state may enact a law to provide the protection for its citizens.

Answer 25

True

Question 26

Which of the following federal laws ensures that employee benefits programs are created fairly and administered properly? A. The Health Insurance Portability and Accountability Act (HIPAA) B. The Consolidated Omnibus Budget Reconciliation Act (COBRA) C. The Employee Retirement Income Security Act (ERISA) D. The Family and Medical Leave Act (FMLA)

Answer 26

C. The Employee Retirement Income Security Act (ERISA)

Question 27

What are the DPO’s responsibilities?

Answer 27

``` To monitor compliance with the GDPR • Advise controller and processors • Manage risk • Cooperate with supervisory authorities • Communicate with data subjects and supervisory authorities • Exercise professional secrecy ```

Question 28

examples of business activities that would cause a U.S. organization to fall under the scope of the GDPR

Answer 28

U.S. company offers a consumer cloud service in the EU * U.S. company expresses its intention to deal with EU users (e.g., offering services via a European domain, local currency payment, shipment to the EU, local telephone hotline numbers) * “U.S. company (Company A, the processor) offers data hosting services to another U.S. company (Company B, the controller). At face value, this arrangement would not be caught by the GDPR. However, if Company B (the controller) also acts on behalf of other legal entities within a group, and if personal data is transferred from these group legal entities to Company A (the processor), the arrangement may be caught by the GDPR. If one such group legal entity has an establishment in the EU (see no. 2 above), the GDPR comes into play via Article 3, Section 1.” * The processor is a sub-processor of a principal processor based in the EU

Question 29

Which of the examples of personal information may qualify as sensitive personal information? Select all that apply. A. Social Security number B. Bank account number C. Driver’s license number D. Home phone number E. Professional membership F. Medical history G. Business email address

Answer 29

A. Social Security number B. Bank account number C. Driver’s license number F. Medical history

Question 30

Which are provisions of the Fair Credit Reporting Act (FCRA)? Select all that apply. A. Consumers have the ability to access and correct their information B. Consumers may request annual updates and alerts C. Use of consumer reports is limited to “permissible purposes” D. Use of consumer reports is limited to three instances per six months

Answer 30

A. Consumers have the ability to access and correct their information C. Use of consumer reports is limited to “permissible purposes

Question 31

True or false? An organization that does not process personal data that forms part of a filing system, nor processes personal data by automated means, but does process personal data in a place where member state law applies is subject to the GDPR.

Answer 31

False

Question 32

you must respond to requests of information in connection with criminal investigations and litigation, which laws did you have to comply when responding to such requests .

Answer 32

EXAMPLE ANSWERS: • Acts involving the access of financial data * The Electronic Communications Privacy Act (ECPA) * The Communications Assistance to Law Enforcement Act (CALEA)

Question 33

How do the CCPA and GDPR different?

Answer 33

* Definitions of key terms and concepts (e.g., controller) * No definition of sensitive data under the CCPA * No private right of action—except for data breaches—under the CCPA

Question 34

What is a pen register? A. A list of consumers who have requested to be notified if their personal information is shared with law enforcement B. A list of law enforcement personnel who may obtain sensitive personal information without a court order C. Records kept by financial institutions on certain financial transactions D. A device that records the telephone numbers of all outgoing calls

Answer 34

D. A device that records the telephone numbers of all outgoing calls

Question 35

Which legislation provides rights to parents of minors regarding sensitive information from students via surveys? A. Family Educational Rights and Privacy Act (FERPA) B. Protection of Pupil Rights Amendment (PPRA) C. Children’s Online Privacy Protection Act (COPPA)

Answer 35

B. Protection of Pupil Rights Amendment (PPRA)

Question 36

Under the Right to Financial Privacy Act (RFPA), which of the following may allow a government authority access to customer financial records? Select all that apply. A. Appropriate formal written request from an authorized government authority B. Appropriate administrative subpoena or summons C. Qualified search warrant D. Legitimate interest of an authorized government authority E. Customer authorization F. Appropriate judicial subpoena

Answer 36

A. Appropriate formal written request from an authorized government authority B. Appropriate administrative subpoena or summons C. Qualified search warrant E. Customer authorization F. Appropriate judicial subpoena

Question 37

Which are requirements under HIPAA’s Privacy Rule? Select all that apply. A. A detailed privacy notice provided at the date of first service delivered B. Opt-out authorization for use or disclosure of personal health information outside of HIPAA guidelines C. Limited use and disclosure of personal health information for business associates, such as billing companies D. Safeguards in place to protect the confidentiality and integrity of all personal health information

Answer 37

A. A detailed privacy notice provided at the date of first service delivered C. Limited use and disclosure of personal health information for business associates, such as billing companies D. Safeguards in place to protect the confidentiality and integrity of all personal health information

Question 38

From the standpoint of a privacy professional, how was the collection and storage of personal information impacted by the Snowden revelations?

Answer 38

The case study of Edward Snowden illustrates that further reforms were necessary.Snowden’s revelations led to reforms enacted via the USA FREEDOM Act.

Question 39

What actions can an organization take to proactively protect personal information in the event it is required to turn over electronic data for litigation?

Answer 39

* Place limits on using company email for personal use * Discourage conducting company business on personal devices * Implement policies and practices for when an employee leaves the organization

Question 40

What is a Data Protection Officer (DPO)?

Answer 40

A staff member or contractor tasked with ensuring and demonstrating compliance with EU data protection law; an expert in data protection law and practices.

Question 41

True or false? | Materials submitted to courts during trials are usually publicly available

Answer 41

True

Question 42

Which act was passed during the Cold War to enable national security to track the activities of agents of the Soviet Union and its foreign allies? A. USA PATRIOT Act B. Foreign Intelligence Surveillance Act (FISA) C. Cybersecurity Information Sharing Act (CISA) D. USA FREEDOM Act

Answer 42

B. Foreign Intelligence Surveillance Act (FISA)

Question 43

Which of the following has provided standards and best practices for managing electronic discovery compliance through data retention policies? A. “E-discovery” rules B. The Hague Convention on the Taking of Evidence C. The Sedona Conference D. The GDPR

Answer 43

C. The Sedona Conference

Question 44

What are the key privacy protections of HIPAA’s Privacy Rule?

Answer 44

The HIPAA Privacy Rule was developed in 2000, revised in 2002 and modified in 2013 to implement amendments under HITECH (discussed further in this module) 1. • Covered entities must provide detailed privacy notice at the date of first service delivery * Uses or disclosures outside of HIPAA’s guidelines require opt-in authorization * Use and disclosure of PHI for situations other than treatment is limited * Individuals have the right to access and copy their own PHI from a covered entity and to amend their PHI

Question 45

True or false? Data destruction requirements are often built into state data security laws

Answer 45

False

Question 46

Read the scenario and determine if it qualifies as an exception or non-exception to FERPA’s non-consensual disclosure rules: 3. A late afternoon structural fire has blocked access to a road where several students reside, making it unsafe for them to return to their homes after school until the situation has been resolved. A parent volunteer at the school assists in accessing school records to determine which students are affected so that alternative arrangements can be made for their safety.

Answer 46

ANSWER: Disclosure allowed: As threat of harm is articulable and significant, information can be disclosed to any individual with the ability to assist in the situation

Question 47

How does the CCPA define a “consumer”? Select all that apply. A. A natural person who is a California resident B. Every individual who is in California for other than a temporary or transitory purpose C. Every individual who is domiciled in California who is outside the state for a temporary or transitory purpose

Answer 47

A. A natural person who is a California resident B. Every individual who is in California for other than a temporary or transitory purpose C. Every individual who is domiciled in California who is outside the state for a temporary or transitory purpose

Question 48

What types of risk should an organization consider when designing and administering a privacy program? Select all that apply. ``` A. Legal B. Reputational C. Operational D. Investment E. Resources ```

Answer 48

A. Legal B. Reputational C. Operational D. Investment

Question 49

Who is responsible for enforcing HIPAA’s Privacy and Security Rules? A. Office for Civil Rights (OCR) B. Office of Compliance (OOC) C. Agency for Healthcare Research and Quality (AHRQ) D. Health Resources and Services Administration (HRSA)

Answer 49

A. Office for Civil Rights (OCR)

Question 50

The EU-U.S. Privacy Shield is what type of cross-border data transfer mechanism? A. Binding corporate rule B. Code of conduct C. Standard contractual clause D. Adequacy decision

Answer 50

D. Adequacy decision

Question 51

What U.S. laws and guidelines address data subject privacy preferences?

Answer 51

EXAMPLE ANSWERS: • Opt-in • COPPA • HIPAA • Fair Credit Reporting Act • Some email marketers (double opt-in) * Opt-out • GLBA • CAN-SPAM • Do Not Call rules * Access • HIPAA (medical records) • Fair Credit Reporting Act (credit reports) • Statements of fair information practices (e.g., OECD Guidelines, APEC Principles, Privacy Shield)

Question 52

The CCPA allows consumers to request and receive records of what personal information? Select all that apply. A. The types of PI an organization holds about the requestor B. Dates and times that the organization collected PI from the requestor C. The sources of PI an organization holds about the requestor D. The specific PI an organization holds about the requestor E. Information about what’s being done with the related data in terms of both business use and third-party sharing

Answer 52

A. The types of PI an organization holds about the requestor C. The sources of PI an organization holds about the requestor D. The specific PI an organization holds about the requestor E. Information about what’s being done with the related data in terms of both business use and third-party sharing E. Information about what’s being done with the related data in terms of both business use and third-party sharing

Question 53

What are the pros of monitoring in the workplace? Select all that apply. ``` A. OSHA compliance B. Employee morale C. Physical security and cybersecurity D. Training E. Quality assurance ```

Answer 53

A. OSHA compliance C. Physical security and cybersecurity D. Training E. Quality assurance

Question 54

List additional high-profile FTC consent decrees.

Answer 54

* Eli Lilly and Company (2002) * Nomi (2005) * DesignerWare (2013) * LabMD (2013)

Question 55

True or false? Some internet services fall within the scope of the Communications Assistance to Law Enforcement Act (CALEA).

Answer 55

True

Question 56

The Civil Rights Act bars discrimination due to what? Select all that apply. ``` A. Race B. Color C. Religion D. Disabilities E. Sex F. National origin G. Genetic information ```

Answer 56

``` A. Race B. Color C. Religion E. Sex F. National origin ```

Question 57

When a customer calls a company’s service support line and hears a recorded message that the call may be recorded for quality purposes, this qualifies as a legal exception to which act prohibiting the wiretapping of telephone calls? A. Omnibus Crime Control and Safe Streets Act B. Electronic Communications Privacy Act (ECPA) C. Stored Communication Act (SCA) D. Privacy Protection Act (PPA)

Answer 57

A. Omnibus Crime Control and Safe Streets Act

Question 58

Which federal agency oversees “the welfare of the job seekers, wage earners, and retirees of the United States”? A. Federal Trade Commission (FTC) B. Department of Labor (DOL) C. National Labor Relations Board (NLRB) D. Occupational Safety and Health Act (OSHA) E. Securities and Exchange Commission (SEC) F. Equal Employment Opportunity Commission (EEOC)

Answer 58

B. Department of Labor (DOL)

Question 59

What are the elements of the test that a court will apply in deciding whether to grant a protective order request? Select all that apply. A. Resisting party must show information is confidential B. Requesting party must show information is relevant C. Court must weigh the harm of disclosure against the need for the information

Answer 59

A. Resisting party must show information is confidential B. Requesting party must show information is relevant C. Court must weigh the harm of disclosure against the need for the information

Question 60

When is the DPO a required role?

Answer 60

When the core activities of the controller or processor are: • Processing activities that require “regular and systematic monitoring” of data subjects on a “large scale” • Processing sensitive data (or personal data relating to criminal convictions/offences) on a “large scale” • Processing by public bodies, other than courts acting in judicial capacity A DPO appointed voluntarily is still subject to GDPR requirements

Question 61

True or false? Restrictions on the processing of personal information may differ, depending on the source of the information.

Answer 61

True

Question 62

Job candidate background screenings are required for what types of jobs? Select all that apply. A. Those who work with children B. Those who work with the elderly C. Those who work with students (this is a little confusing—what if the students are children under a certain age? D. Those who work with disabled individuals

Answer 62

A. Those who work with children B. Those who work with the elderly D. Those who work with disabled individuals

Question 63

Which is a component of the Privacy Protection Act (PPA)? Select all that apply. A. Provides an extra layer of protection for members of the media and media organizations from government searches or seizures B. Prohibits government officials engaged in criminal investigations from searches or seizures of media work products or documentary materials C. Applies to government officers or employees at all levels of government

Answer 63

A. Provides an extra layer of protection for members of the media and media organizations from government searches or seizures B. Prohibits government officials engaged in criminal investigations from searches or seizures of media work products or documentary materials C. Applies to government officers or employees at all levels of government

Question 64

Which federal agency administers Privacy Shield? A. State Department B. Department of Commerce C. Office of Management and Budget D. Office for Civil Rights (HHS)

Answer 64

B. Department of Commerce

Question 65

True or false? Under the CCPA, a business may be required to include a “Do Not Sell My Personal Information” button on its website.

Answer 65

True

Question 66

Read the scenario and determine if it qualifies as an exception or non-exception to FERPA’s non-consensual disclosure rules: 1. An independent occupational therapist has been contracted by Anytown High School to provide services to five students. He shares one student’s educational history with a former colleague to develop a plan of action to better fit this student’s needs.

Answer 66

Disclosure not allowed: While the school contracted employee has access, sharing it with a third party without consent does not comply.

Question 67

True or false? Under the GDPR, both controllers and processors have record-keeping obligations.

Answer 67

True

Question 68

Under the GLBA Privacy Rule, what must a privacy notice include? Select all that apply. A. What is collected B. With whom information is being shared C. How information will be safeguarded D. How consumers can opt out

Answer 68

A. What is collected B. With whom information is being shared C. How information will be safeguarded D. How consumers can opt out

Question 69

If the PPA prohibits government officials from searching or seizing media work products or documentary materials, how could law enforcement obtain evidence from those engaged in these First Amendment activities

Answer 69

Law enforcement would need to rely on subpoenas or voluntary cooperation from the media.

Question 70

True or false? For data breach notification, state laws require email notice to be the default mode of communication.

Answer 70

False

Question 71

Briefly summarize the FTC’s powers.

Answer 71

Preventing unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce, seeking monetary redress and other relief for conduct injurious to consumers, prescribing trade regulation rules, defining with specificity acts or practices that are unfair or deceptive, establishing requirements designed to prevent such acts or practices.

Question 72

True or false? At the state level, the FTC brings a variety of privacy-related enforcement actions pursuant to state laws prohibiting unfair and deceptive practices.

Answer 72

False. State attorneys general enforce state privacy-related laws.

Question 73

True or false? The Telephone Consumer Protection Act (TCPA) implements the Telemarketing Sales Rule (TSR).

Answer 73

False

Question 74

True or false? FISA was amended in 2008 because the flexible legal limits provided by the USA PATRIOT Act led to major legal, public relations and civil liberties issues

Answer 74

True

Question 75

True or false? HIPAA preempts stricter state laws.

Answer 75

False

Question 76

True or false? All state laws regarding data breaches require third-party notification and notification to the state attorney general.

Answer 76

True

Question 77

Read the scenario and determine if it qualifies as an exception or non-exception to FERPA’s non-consensual disclosure rules: 4. A subpoena has been granted to a local law enforcement officer to access a student’s records in connection with a criminal matter. While at the school, she hears that another student may be involved and asks to see that person’s records as well, since she’s already there, in order to save time and paperwork.

Answer 77

ANSWER: Disclosure not allowed: While the subpoena grants the officer access to a specific student’s records, she may not have the authority and/or enough information to justify accessing another student’s records.

Question 78

Which act regulates financial institutions and their management of nonpublic personal information? A. Fair Credit Reporting Act (FCRA) B. Fair and Accurate Credit Transactions Act (FACTA) C. Gramm-Leach-Bliley Act (GLBA) D. Dodd-Frank Wall Street Reform and Consumer Protection Act

Answer 78

C. Gramm-Leach-Bliley Act (GLBA)

Question 79

Which U.S. statutes provide the FTC with additional enforcement authority over privacy issues?

Answer 79

The Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach Bliley Act (GLBA), the CAN-SPAM Act

Question 80

What does NSL stand for? A. National security landscape B. National security letter C. National security law D. National security liability

Answer 80

B. National security letter

Question 81

Under FERPA, how often should students receive notice of their rights? A. Once, upon enrollment B. Every six months C. Annually D. Only upon request

Answer 81

C. Annually

Question 82

What are the key components of the Family Educational Rights and Privacy Act (FERPA)? A. Compliance, monitoring, reporting and auditing B. Notice, consent, access and correction, and security and accountability C. Individual rights, transparency, consent, training and safeguards D. Administrative, policy and technical controls to protect student personal information

Answer 82

B. Notice, consent, access and correction, and security and accountability

Question 83

Which act restricts accessing, using and disclosing customer proprietary network information (CPNI)? A. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) B. Telecommunications Act C. Cable Communications Policy Act D. Video Privacy Protection Act (VPPA)

Answer 83

B. Telecommunications Act

Question 84

Which step in the process for developing an incident response program involves permitting affected systems back into the production environment and ensuring no threat remains? A. Containment B. Eradication C. Recovery D. Lessons learned

Answer 84

C. Recovery

Question 85

What privacy concerns might arise as employers follow federal laws for employee benefits management in the workplace?

Answer 85

EXAMPLE ANSWERS: * The collection or continued maintenance of employee data when maintaining COBRA coverage * The types of data that might be collected and maintained when complying with FMLA

Question 86

Which procedures should be considered regarding the termination of employment? Select all that apply. A. Have a secure method to deactivate physical access badges, keys and smartcards B. Disable access to computer accounts C. Design IT systems to minimize disruption D. Ensure the return of all devices and any company data that is held by the employee outside of the company’s systems

Answer 86

A. Have a secure method to deactivate physical access badges, keys and smartcards B. Disable access to computer accounts C. Design IT systems to minimize disruption D. Ensure the return of all devices and any company data that is held by the employee outside of the company’s systems

Question 87

Which of the following is an agreement or settlement that resolves a dispute between two parties without admission of guilt or liability? A. Common law B. Tort law C. Contract law D. Consent decree

Answer 87

D. Consent decree

Question 88

Under the U.S. National Do Not Call (DNC) Registry, how often must telemarketers update their call lists? A. Annually B. Every 31 days C. Every two months D. Semi-annually

Answer 88

B. Every 31 days

Question 89

True or false? | The USA PATRIOT Act was passed in response to the Edward Snowden revelations.

Answer 89

False

Question 90

True or false? The Fair Credit Reporting Act (FCRA) amended the Fair and Accurate Credit Transactions Act (FACTA).

Answer 90

False

Question 91

Who may need privacy training? Select all that apply. ``` A. Customer service representatives B. Leaders at the executive level C. Marketing managers D. Sales executives E. IT staff ```

Answer 91

``` A. Customer service representatives B. Leaders at the executive level C. Marketing managers D. Sales executives E. IT staff ```

Question 92

Consumer Reporting Agencies (CRAs) reasons for compiling personal records.

Answer 92

The “big three” are Equifax, TransUnion and Experian, but there are thousands of smaller CRAs that compile personal records, such as criminal records and driving histories, for other consumer reporting purposes, such as preemployment screening.

Question 93

What does CRA stand for? A. Credit Reform Act B. Consumer reporting agency C. Cooperate retail authorities D. Confirmed right of access

Answer 93

B. Consumer reporting agency

Question 94

Which of the following are data subject rights under the GDPR? Select all that apply. A. Data portability B. Rectification of inaccurate or incomplete personal data C. Erasure D. Restriction of processing

Answer 94

A. Data portability B. Rectification of inaccurate or incomplete personal data C. Erasure D. Restriction of processing

Question 95

What does Section 5(a) under the FTC Act prohibit?

Answer 95

“Unfair or deceptive acts or practices in or affecting commerce.”

Question 96

True or false? | All U.S. state laws preempt federal laws.

Answer 96

False

Question 97

Which amendment to the United States Constitution articulates many of the fundamental concepts used by privacy professionals in the U.S.? A. First Amendment B. Second Amendment C. Third Amendment D. Fourth Amendment

Answer 97

D. Fourth Amendment

Question 98

In the event of a data breach, Connecticut’s breach notification law defines personal information as the first name (or initial) and last name in combination with one or more what? Select all that apply. ``` A. Social Security number B. Driver’s license number C. Mailing address D. Phone number E. Bank account or card number in combination with a security or access code ```

Answer 98

A. Social Security number B. Driver’s license number E. Bank account or card number in combination with a security or access code

Question 99

How are the CCPA and GDPR similar?

Answer 99

* Broad applicability beyond physical jurisdictions * Potential for large fines for violations * Data subject right of access

Question 100

Which federal agency is the most visible proponent of privacy concerns in the U.S.? A. Department of Commerce (DOC) B. Department of Homeland Security (DHS) C. Office for Civil Rights (HHS) D. Federal Trade Commission (FTC)

Answer 100

D. Federal Trade Commission (FTC)

Question 101

What are the organization’s responsibilities in relation to the DPO role?

Answer 101

Communication with/involvement of the DPO in all issues related to personal data protection • DPO access to personal data and processing operations • Resources to help carry out tasks • Safeguards to enable the DPO to perform tasks independently • DPO reports to the highest levels of management

Question 102

True or false? The FACTA Disposal Rule requires any entity that uses a consumer report for a business purpose to dispose of it in a way that prevents unauthorized access and misuse of the data.

Answer 102

True

Question 103

What qualifies as individually identifiable health information?

Answer 103

EXAMPLE ANSWERS: Name, address, phone number

Question 104

True or false? The No Child Left Behind Act (NCLBA) broadened the Protection of Pupil Rights Amendment (PPRA).

Answer 104

True

Question 105

What additional technologies or areas that may be of concern to the FTC now or in the near future?

Answer 105

A few are listed below: • Algorithms • Artificial intelligence • Predictive analytics

Question 106

Which act is intended to expedite the research process for medical devices and prescription drugs? A. Health Insurance Portability and Accountability Act (HIPAA) B. Health Information Technology for Economic and Clinical Health Act (HITECH) C. 21st Century Cures Act D. Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act

Answer 106

C. 21st Century Cures Act

Question 107

What does MSCM stand for? A. Multi-storage cached media B. Microdata sets for customer metrics C. Mobile service commercial message D. Model for secure cyber metadata

Answer 107

C. Mobile service commercial message

Question 108

What are the key privacy provisions found in Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999?

Answer 108

Financial institutions must: • Respect their customers’ privacy • Keep their customers’ nonpublic personal information secure • “Establish appropriate administrative, technical, and physical safeguard standards” • Store personal information in a secure manner • Provide notice of their sharing policies • Provide consumers an option to opt out of third-party sharing

Question 109

What theory of legal liability is described as the absence of or failure to exercise proper or ordinary care? A. Defamation B. Negligence C. Breach of warranty D. Strict tort liability

Answer 109

B. Negligence

Question 110

True or false? The Employee Polygraph Protection Act (EPPA) prohibits employers from using lie detectors and taking adverse action against an employee who refuses to take a test.

Answer 110

True

Question 111

During which decade did the FTC’s perspective evolve into a harm-based model? A. 1980s B. 1990s C. 2000s D. 2010s

Answer 111

C. 2000s

Question 112

What are some major components of financial privacy? Select all that apply. A. Confidentiality B. Laws and regulations C. Security D. Anonymity

Answer 112

A. Confidentiality B. Laws and regulations C. Security

Question 113

Which authority was created by the Dodd-Frank Wall Street Reform and Consumer Protection Act? A. Bureau of the Fiscal Service (Fiscal Service) B. Consumer Financial Protection Bureau (CFPB) C. Bureau of Consular Affairs (CA) D. Federal Financing Bank (FFB)

Answer 113

B. Consumer Financial Protection Bureau (CFPB)