Data Privacy Flashcards

Question 1

Q

How long after a valid request does an educational institution have to provide access to education records of a student?

Answer

A

A “reasonable” time, not to exceed 45 days.

Question 2

Q

After a consumer disputes the accuracy of information in a consumer report, how long does a consumer reporting agency have to re-investigate the information?

Question 3

Q

The California Consumer Privacy Act is an example of what type of privacy protection?

Answer

A

A comprehensive model.

Question 4

Q

How many days does an organization have to cure a violation of the CCPA before it may be subject to fines or a private cause of action?

Question 5

Q

All of the following are best practices in obtaining consumer consent, except:

Answer

A

Companies should obtain a separate consent specifically applicable to third-party data processors.

Question 6

Q

Under which of the following pieces of legislation are data brokers required to comply with a one-stop mechanism that allows data subjects to request the deletion of their personal data?

Answer

A

California’s Delete Act.

Question 7

Q

According to the Supreme Court’s decision in Société Nationale Industrielle Aerospaciale, all of the following should be considered in a comity analysis, except:

Answer

A

Whether the parties have domestic subsidiaries in the United States.

Question 8

Q

What is the most common phrase used in state-level data breach notification laws to describe when notice must be provided to affected individuals?

Answer

A

At the most expeditious time possible and without unreasonable delay.

Question 9

Q

What is the standard utilized by FISC to determine whether an application for a surveillance order should be granted?

Answer

A

Whether there is probable cause to believe that that the person being monitored is either a foreign power or an agent of a foreign power.

Question 10

Q

Who is responsible for enforcement under the Payment Card Industry Data Security Standard?

Answer

A

Individual payment card brands.

Question 11

Q

What change to the use of National Security Letters was implemented by the USA-PATRIOT Act?

Answer

A

An NSL may now be issued if relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.

Question 12

Q

If a third party accidently accesses protected health information without authorization, which of the following is accurate?

Answer

A

A breach is presumed unless a risk assessment establishes that there was a low probability that PHI has been compromised.

Question 13

Q

As defined under the Fair Credit Reporting Act, which of the following is least likely to be considered an “employment purpose” for which a consumer report may be obtained?

Answer

A

Determining whether an employee is entitled to a raise.

Question 14

Q

Which of the following most accurately states whether a data processor experiencing a data breach must disclose to a data controller that a breach occurred under state-level breach notification laws?

Answer

A

Every state requires that a data processor notify a data controller when a breach occurs.

Question 15

Q

All of the following are benefits of data flow mapping, except:

Answer

A

It may limit the amount of data disclosed in the event of a data breach.

Question 16

Q

Which of the following best describes the enforcement of CAN-SPAM at the federal level?

Answer

A

The FTC enforces CAN-SPAM according to its “unfair and deceptive” trade practices authority but shares enforcement authority with prudential regulators.

Question 17

Q

In addition to “unfair” and “deceptive” trade practices, state UDAP laws also commonly prohibit what other type of act or practice?

Answer

A

“Unconscionable” acts or practices.

Question 18

Q

Which is the most accurate advice that Jackson can provide to BotVoice about its compliance obligations under HIPAA?

Answer

A

HIPAA does not apply because the health information provided by children is not made in connection with a covered transaction.

Question 19

Q

CAN-SPAM-Act prohibits communication after how many days of opting out

Answer

A

more than 10 days

Question 20

Q

OP-Out Consent is

Answer

A

A passive form, where consent is implied, processing occurs unless you opt-out

Question 21

Q

Information privacy focuses on what

Question 22

Q

Information security focuses on what

Answer

A

Protection of data from unauthorized access

Question 23

Q

Privacy focuses on what type of data

Answer

A

Personal information

Question 24

Q

Security focuses on what type of information

Answer

A

Confidential information

Question 25

Q

CIA triad stands for what

Answer

A

Confidentiality, Integrity, Availability

Question 26

Q

Security controls do what

Answer

A

Limit damage, loss, modification, and unauthorized access

Question 27

Q

Purposes of seurity controls

Answer

A

Preventative, Detective, Corrective

Question 28

Q

Preventive controls

Answer

A

Prevent an incident

Question 29

Q

Detective controls

Answer

A

Identify an incident

Question 30

Q

Corrective controls

Answer

A

Fix or limit the damage of an incident

Question 31

Q

Types of controls

Answer

A

Physical, Administrative, Technical

Question 32

Q

OMB 7 step breach response

Answer

A

Breach response team. 2. Privacy docs. 3. Sharing breach information. 4. Reporting. 5. Assess the risk. 6. Mitigating risk. 7. Notification.

Question 33

Q

FTC 4 step breach response

Answer

A

Confirm the breach. Then, 1. Secure Operations / Contain. 2. Analyze and fix vulnerabilities. 3. Notify. 4. Proactive steps to avoid future breaches

Question 34

Q

Breach Response: An important part of Analyze and fix vulnerabilities

Answer

A

Re-evaluate 3rd party service providers

Question 35

Q

Breach Response: Notify appropriate parties. Who must be notified?

Answer

A

Law enforcement, usually through Attorney’s General, if PHI then HHS and the media, Business partners if contracts say so, and Affected individuals

Question 36

Q

Breach Response: Notification, FTC Recommendations

Answer

A

Consult law enforcement so you don’t impede any investigation, Designate a communication person, a year of free credit monitoring

Question 37

Q

Breach Response: Notification Letter should contain

Answer

A

Clear description of what happened, Contact information of the organization, Steps an affected individual can take

Question 38

Q

Breach Response: Avoid future breaches

Answer

A

Employee training, Third party security audits, Analyze the entire breach

Question 39

Q

Benefit of inventorying and classifying data

Answer

A

Creating a privacy program, Incident response program, and Workforce training

Question 40

Q

Workforce training is…

Answer

A

Part of the accountability principle, lower costs of responding to breaches

Question 41

Q

HIPAA training requirements

Answer

A

All members on policies and procedures for PHI

Question 42

Q

GLBA training requirements

Answer

A

Identify reasonable and foreseeable internal and external risks, employee training and management

Question 43

Q

Red Flags Rule requirement

Answer

A

Establish an identity theft program

Question 44

Q

Who created the Red Flags Rule

Answer

A

the FTC uner authority of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)

Question 45

Q

Massachusetts safegaurd

Answer

A

Anyone owning or licensing information about a Massachusetts resident must have a secrutiy program and employee training

Question 46

Q

PCI-DSS requirement

Answer

A

A security awareness program to be in place

Question 47

Q

GDPR Article 5 Compliance

Answer

A

The data controller is responsible for compliance and demonstrates compliance through documentation

Question 48

Q

What is the Accountability Principle

Answer

A

Implementing technical and organization measures to demonstrate the handling of personal information is done in accordance with the law

Question 49

Q

Means to hold organizations accountable

Answer

A

Policies, Procedures, Governance, Monitoring, Training

Question 50

Q

How compliance for the Accountability Priciniple is up to

Answer

A

the Organization to determine

Question 51

Q

How long should you retain data

Answer

A

Only for so long as necessary to achieve it purpose

Question 52

Q

When data is no longer needed it should be

Answer

A

Destroyed or anonymized

Question 53

Q

Laws governing data retention

Answer

A

Fair and Accurate Credit Transaction Act (FACTA) for the Disposal Rule, and Fair Credit Reporting Act (FCRA) for Identity Theft

Question 54

Q

One of the best ways to limit risk

Answer

A

Limit the length of time data is retained

Question 55

Q

Server side languages

Question 56

Q

Browser side languages

Answer

A

HTML, CSS, XML, JavaScript

Question 57

Q

Explain Web Client, Web Server, Web Browser

Answer

A

Web client downloads files from the web server and the web browser interprets and displays them to the user

Question 58

Q

HTTP

Answer

A

How the web client and the web server communicate

Question 59

Q

TCP protocol

Answer

A

Breaks information into packets

Question 60

Q

IP protocol

Answer

A

Interfaces with the physical infrastructure

Question 61

Q

TCP/IP

Answer

A

Is the main commiunication protocol of the internet

Question 62

Q

TLS

Answer

A

transport layer security

Question 63

Q

IP Address

Answer

A

a unique number assigned to each device

Question 64

Q

URL

Answer

A

name and web address assigned to files

Answer 61

A

the phone book of the internet

Answer 62

A

intermediate web server

Answer 63

A

establishes an encrypted connection

Answer 64

A

IP Address, date and time of the page requested, URL of the file, broswer type, URL visited prior

Answer 65

A

content stored locally

Answer 66

A

Passive data collection

Answer 67

A

Active data collection

Answer 68

A

privacy notice done at the point of collection

Answer 69

A

purchased or licensed

Answer 70

A

a program contained wth a website

Answer 71

A

a web page imbedded into another one

Answer 72

A

unsolicited emails

Answer 73

A

malicious software

Answer 74

A

malware downloaded covertly

Answer 75

A

malware that locks or encrypts your operating system

Answer 76

A

communication designed to trick users

Answer 77

A

provide a dbase command to a web server

Answer 78

A

malicious code injected into a webpage

Answer 79

A

a cookie is modified to gain unauthorized access

Answer 80

A

access through fraudulent means

Answer 81

A

data conforms to requirements

Answer 82

A

removing harmful characters

Answer 83

A

manipulating a user to create a security vulnerability

Answer 84

A

advertising based upon information associated with an individual

Answer 85

A

Icon, consumers to exercise choice, Digital Advertisiing Alliance (DAA)

Answer 86

A

prevent cookie tracking without consent

Answer 87

A

map a user moving from a laptop to a mobile device

Answer 88

A

deterministic tracking, probabilistic tracking

Answer 89

A

track where ther person logs into

Answer 90

A

collects information from multiple devices and draws inferences based on probabilities

Answer 91

A

one pixel image stored on your computer

Answer 92

A

monitors users behavior

Answer 93

A

uses the devices GPS

Answer 94

A

signals sent rom a beconing device

Answer 95

A

automatically collect user data when you visit a webpage

Answer 96

A

text file placed on your hard drive by a web server

Answer 97

A

text file ony used while connected that web server

Answer 98

A

long lived cookie set to expire sometime in the future

Answer 99

A

owned by the host of the web server

Answer 100

A

owned by the someone other than the weber server host

Answer 101

A

cookie stored outside the browsers control, dangerous, respawn, zombie cookies

Answer 102

A

stored information should be encrypted, only use persistent cookies where necessary and should expire in a reasonable time, provide notice to cookie usage, disclose 3rd party cookie providers, provide an opt-out function, follow general FIPs

Answer 103

A

Childrens Online Privacy Protection, childeren under 13

Answer 104

A

Children under 16

Answer 105

A

California and Deleware, California Minors in the Digital World Act, Deleware Online and Personal Privacy Protection Act

Answer 106

A

California Consumer Privacy Act, no selling info of children under 16 without consent, Data Controller may obtain consent from he child through an opt-out procedure, under 13 consent is from the parent

Answer 107

A

document, states how a company collects, stores, and uses personal information it gathers

Answer 108

A

tells employees how personal information should be stored, accessed, and utilized.

Answer 109

A

informs consumers how their personal information will be used, helps consumers make an informed decision

Answer 110

A

maintain a link on the website and each page where personal information is collected

Answer 111

A

send customers the privacy policy each year

Answer 112

A

conspiciously post the privacy policy on the website and mobile apps

Answer 113

A

categories of personal information, categories of third parties, how to request changes, how the policy is updated, it’s effective date, how it responds to do-not-track, if a third party can collect personal information

Answer 114

A

privacy policy not being followed is an unfair or deceptive trade practice, FTC can bring enforcement

Answer 115

A

designing, developing, testing, releasing, revieweing and updating

Answer 116

A

data should be used in a manner consistent with the notice what was in effect at the time data was obtained

Answer 117

A

express, affirmative consent should be given by consumers before making material retroactive changes to data usage

Answer 118

A

at a minimum, sharing consumer information with third parties after committing not to share the data

Answer 119

A

short at the top, option to review the detailed longer privacy notice

Answer 120

A

one point to manage all privacy preferences

Answer 121

A

symbols used to indicate how information is processed

Answer 122

A

to enhance transparency

Answer 123

A

the data controller is responsible for any data misuse by vendors

Answer 124

A

Data controllers must have written contracts with their business associates

Answer 125

A

Data controllers to have written contacts in place before processing may occur

Answer 126

A

Data controller to have sufficient gaurantees from their third parties, properly vet and contract the 3rd parties

Answer 127

A

Consider their reputation, financial condition, and security controls

Answer 128

A

confidentialiy provisions, security protections, audit rights, no further use provision, subcontractor use, information sharing, breach notification, consumer consent, data classification system, and an end of relationship provision

Answer 129

A

the organization’s privacy notice and practices

Answer 130

A

3rd party vendors

Answer 131

A

physical location of the servers

Answer 132

A

California consumer privacy act, users have the right to opt-out of data selling

Answer 133

A

Virginia consumer data protection act, user can opt-out of targeted advertising, data selling, and profiling

Answer 134

A

California privacy rights act, data controllers to have contracts with any party they share data with

Answer 135

A

dictate what laws apply

Answer 136

A

a person’s information is subject to the laws of their home jurisdiction

Answer 137

A

facilitate the free flow of data between EU member states

Answer 138

A

Adequacy decision, appropriate safeguards, derogations

Answer 139

A

BCRs, EC model clauses, National model clauses, Codes of conduct, Certification, Ad Hoc contract

Answer 140

A

Consent, Performance of contract, Public interest, Legal claims, Vital interests, Legitimate interest

Answer 141

A

equivalent or greater protection in the transferee country

Answer 142

A

no more safe harbor, in part because of Edward Snowden

Answer 143

A

no more privacy shield, facebook ireland

Answer 144

A

a company’s rules for internally handling data transfer, don’t apply to data transfers with 3rd parties

Answer 145

A

it must be certified by a privacy supervisory agency in the EU

Answer 146

A

binding contract rules must contain stuff about, transparency, quality, security, audit, training, compliance procedures, a binding element

Answer 147

A

standard contract clauses, a company contractually promises to comply with EU law

Answer 148

A

the transferee country equivalent protections as GDPR, the clause and the legal system, or the supervisory authority should suspend the transfer priviledges

Answer 149

A

have to get approval from an EU data protection authority or the EU commission, the data protection authority has enforcement authority to include suspension

Answer 150

A

last resort

Answer 151

A

controllers and processors to conduct a transfer impact assessment prior to transferring personal data

Answer 152

A

a risk assessment of transferring data to a third countries, considers SCCs, legal system, adequacy decision stuff

Answer 153

A

understand all transfers of personal data, verify all transfer tools, assess if appropriate safeguards will be impinged upon, identify supplemental measures, steps for supplemental measures, re-evaluate the level of protection in the trasferee country

Answer 154

A

Google Analytics violates Chapter V of GDPR, SCCs didn’t provide appropriate safegaurds, US intelligence agencies could access data

Answer 155

A

cornerstone of privacy program management

Answer 156

A

discover (assess), build (protect), communicate (sustain), evlove (respond)

Answer 157

A

(1) Discover/Assess (including “Issue identification and self-assessment” and “Determination of best practices”); (2) Build/Protect (including “Procedure development and verification” and “Full implementation”); (3) Communicate/Sustain (including “Documentation” and “Education”); and (4) Evolve/Respond (including “Affirmation and monitoring” and “Adaptation”)

Answer 158

A

a policy based approach to managing the flow of information through a lifecycle

Answer 159

A

privacy policy, privacy statement, fair processing statement, strictly speaking the notice is internal facing the policy is external facing

Answer 160

A

Fair information practices (FIPs)

Answer 161

A

have assets and employees in the EU, data stored in the EU, and data interactions with EU residents

Answer 162

A

of EU data subjects that access their websites or digital products

Answer 163

A

4% of the company’s global revenue

Answer 164

A

Data protection authorities ,one in each EU country, but Germany has 1 national and 16 state level, DPAs enforce the GDPR

Answer 165

A

investigate, correct, advise; ask for records and proof of compliance, ban/stop/suspend data procecssing, require additional breach notification, order erasing of information, suspend cross boarder data flow

Answer 166

A

Transparent communication

Answer 167

A

Right to access

Answer 168

A

Rectify data

Answer 169

A

Restrict processing

Answer 170

A

Notification obligation to data subjects about their rights

Answer 171

A

Data portability

Answer 172

A

Object to processing personal information

Answer 173

A

No Automated processing

Answer 174

A

30 days after receipt, possible to get an extension of 60 days if the request is burdensome

Answer 175

A

Without undue delay

Answer 176

A

Without undue delay

Answer 177

A

Data is unintelligible, taken steps to minimize risk, would require disproportionate effort

Answer 178

A

Asia Pacific Economic Cooperation, founded in 2004

Answer 179

A

FIPs in APEC is similar to Madrid Resolution

Answer 180

A

preventing harm, notice, collection limitation, use of personal information, choice, integrity of information, security safeguards, access, correction, accountability

Answer 181

A

Cross boarder privacy enforcement agreement, APEC

Answer 182

A

multi jurisdiction, key practices to most restrictive laws

Answer 183

A

Antitrust laws

Answer 184

A

In 1938 it gave it general consumer protection authority, referred to as Section 5

Answer 185

A

5 people, a chairperson and 4 commissioners

Answer 186

A

privacy, fair credit reporting act (FCRA), CAN-SPAM act, COPPA

Answer 187

A

most important piece of federal privacy legislation

Answer 188

A

unfair or deceptive acts or practices affecting commerece are unlawful

Answer 189

A

apply to acts of foreign trade

Answer 190

A

non-profits, banks, financial institutions, common carriers

Answer 191

A

permitted it to issue regulations

Answer 192

A

To bring enforcement actions

Answer 193

A

news, public complaints, etc.

Answer 194

A

Investigatory powers

Answer 195

A

require business to submit written reports, subpoena power

Answer 196

A

If the FTC has reason to believe

Answer 197

A

An Administrative Law Judge (ALJ)

Answer 198

A

an injunction, ALJ can not impose civil penalties

Answer 199

A

ALJ to FTC commissioners to Federal Circuit Court

Answer 200

A

Prosecute claims before a Federal District Court, review by the Federal Appelate Court

Answer 201

A

TRUE , to provide guidance to other companies

Answer 202

A

Enforces good practice, avoid expense, easily enforceable, avoid additional negative press, limits exposure to business practices to competitors

Answer 203

A

a material statement or omission that is likely to mislead consumers who are acting reasonably

Answer 204

A

first privacy enforcement action, GeoCities sold information

Answer 205

A

first consent decree, revealed email addresses

Answer 206

A

collecting names and phone numbers, and messages didn’t get deleted

Answer 207

A

did not conduct annaul re-certifications

Answer 208

A

tracked consumers via mobile devices

Answer 209

A

couldn’t prevent all identity theft

Answer 210

A

3rd party developers could access user data

Answer 211

A

weak encryption, secretly installed software

Answer 212

A

Substantial injury, lack of off setting benefits, and consumers could’t have reasonably avoided

Answer 213

A

log key strokes, take screen shots, photograph anyone with the camera, geo track users

Answer 214

A

upheld FTCs unfairness authority, affirmed FTCs authority to regulate cybersecurity

Answer 215

A

rule making authority for unfair or deceptive trade practices, i.e. trade rules

Answer 216

A

disclosed patient information

Answer 217

A

FTCs cease and desist was unenforceable, FTC started holding public hearings

Answer 218

A

weak security measures

Answer 219

A

man in the middel attacks, pre-installing software

Answer 220

A

exposed routers and web cameras to attack

Answer 221

A

falsely claimed to have bank grade security

Answer 222

A

didn’t have appropriate security measures

Answer 223

A

COPPA violations

Answer 224

A

didn’t have reasonable security measures

Answer 225

A

IoT data and physical security issues

Answer 226

A

unsecured cloud storage

Answer 227

A

violated GLBA, mortgage information

Answer 228

A

geolocation data, IP addresses, and info stored in cookies

Answer 229

A

all operators of commercial websites

Answer 230

A

information collected, how used, if info is disclosed to third parties

Answer 231

A

mail or fax a consent form, credit card, debit card, call a toll free number, video conference, government issued ID

Answer 232

A

collected for the purpose of increasing security

Answer 233

A

access information, withdraw consent

Answer 234

A

True, participate in a seal program

Answer 235

A

California and Deleware

Answer 236

A

Collect personal information of consumers and resell it

Answer 237

A

Large amounts of data, analyized to get insights on consumer behavior

Answer 238

A

2014, data brokers to use data minimzation practices as they relate to children

Answer 239

A

Potential harm from inaccurate predictions

Answer 240

A

Consumer consent, no UI, need new models of FIPs and security by design

Answer 241

A

shift to electronic reimbursement requests, ,efficiency of healthcare

Answer 242

A

Privacy rule and the Security rule

Answer 243

A

Covered entities and Business associates

Answer 244

A

A healthcare provider that bills for insurance

Answer 245

A

Any person or entity that receives health information from a covered entity to provide services on behalf of the covered entity

Answer 246

A

individually identifiable health information

Answer 247

A

In HITECH

Answer 248

A

limit PHI to the minimum necessary to accomplish the intended purpose

Answer 249

A

Data set with facial identifiers removed, 16 categories

Answer 250

A

independent document, plain language, description,person, party, purpose, expire, dated and signed

Answer 251

A

Covered entitiy to keep a record, give to the individual upon request

Answer 252

A

Emergency, public health activities, report victims of abuse or domestic violence, court, law enforcement, research, investigate compliance

Answer 253

A

date of first service, compliance date, time of enrollment, upon request of the person

Answer 254

A

Medical, billing, enrollment, any other information used to make decisions

Answer 255

A

Access the designated record set, except for psychotherapy notes or information collected for a legal proceeding or regulatory action

Answer 256

A

within 30 days

Answer 257

A

can request the last 6 years

Answer 258

A

ensure CIA, threats, PHI uses or disclosures, ensure compliance

Answer 259

A

the measure’s size, complexity, capabilities, technical infrastructure, cost, risk ocurrance probability, potential risks

Answer 260

A

Required and Addressable

Answer 261

A

OCR, FTC, DOJ, State Attorneys General

Answer 262

A

States can request their law is not preempted, have to ask HHS, California Medical Information Privacy Act is an example

Answer 263

A

A company has recognized security practices in place not less than 12 months

Answer 264

A

Give HHS greater discretion imposing fines

Answer 265

A

Mapping a person’s contact with others, communicable diseases

Answer 266

A

Rules for data breaches, increased penalties, gave great acess to records, codified terms

Answer 267

A

There is a low probability of compromise based on nature and extent of disclosure, who the person was that accessed it, was it acquired or viewed, extent the risk has been mitigated

Answer 268

A

Notify media outlets, within 60 days

Answer 269

A

Secretary of HHS

Answer 270

A

Law enforcement says so

Answer 271

A

Share infor with family and care givers, biomed research confidential, allowed for remote viewing of PHI, no information blocking

Answer 272

A

Any federally assisted program that provides training or treatement for substance use

Answer 273

A

Patient consents, veteran affairs, crimes, child abuse, medical emergency, audits, court order

Answer 274

A

can’t use to initiate criminal charges or criminal investigation

Answer 275

A

provide notice of rights, formal security program, protect paper and electronic records, destroy records when the company leaves the Part 2 program

Answer 276

A

Fair credit reporting act

Answer 277

A

Title VI of FDIC and amended the Consumer Credit Protection Act (CCPA)

Answer 278

A

Fair credit reporting act (FCRA)

Answer 279

A

Any consumer reporting agency (CRA) or users of a consumer report, furnishers of information to the CRA, companies that extend credit - red flags rule

Answer 280

A

Consumer reports

Answer 281

A

written, oral, or other communication used for eligibility for credit, insurance, employment, character, reputation, mode of living

Answer 282

A

Not a consumer report if it’s transactional, between affiliates, consumer is provided an opt out of affiliate sharing

Answer 283

A

CRAs can’t share a consumer report unless the user has a permissable purpose

Answer 284

A

court order, consumer consent, credit transaction, employment purpose, insurance, gov benefits, assess credit risk, account terms, travle charge cards, child support, liquidation

Answer 285

A

offer, promotion, reassignment, retention

Answer 286

A

consumer consent, firm offer of credit or insurance

Answer 287

A

firm offers of credit or insurance, the CRA must maintain a notification system and allow users to opt out

Answer 288

A

must be implemented within 5 business days

Answer 289

A

Only if it is coded for insurance purposes

Answer 290

A

Users are prohibited from re-disclosing that consumer report

Answer 291

A

the consumer report has to be accurate, current, and complete

Answer 292

A

Bankruptcy >10 years, other stuff more than 7 years old

Answer 293

A

Don’t apply to credit, life insurance >$150K, employment >$75K salary

Answer 294

A

Bankruptcy chapter, number of credit inquiries, credit account voluntarily closed, any dispute information

Answer 295

A

procedures

Answer 296

A

identity of users are validated, consumer reports are accurate

Answer 297

A

both uses and furnishers of information

Answer 298

A

Consumers have a right to see all the information in their file maintained by the CRA

Answer 299

A

Consumers have a right to see everyon their report was given to in the last 2 years for employment, last 1 year for everything else

Answer 300

A

Confirm the consumer’s identity

Answer 301

A

Be in writing, unless consumer consents otherwise, and it must include a summary of the consumer’s rights

Answer 302

A

A re-investigation

Answer 303

A

The reinvestigation reveals the information was inaccurate, incomplete, or can’t be verified

Answer 304

A

Notify anyone who received the consumer report within the last 6 months, or for 2 years if it was for employment purposes

Answer 305

A

Within 5 days of it being completed

Answer 306

A

it must be included in all future consumer reports containing the disputed information

Answer 307

A

notice must be given to the consumer

Answer 308

A

The name and contact information of the CRA, a statement the CRA isn’t responsible for and can’t explain anything, their right to request a free copy within 60 days, thei right to protest it

Answer 309

A

Consumer to be provided a credit score and information to understand the score

Answer 310

A

If reasonable procedures are in place to ensure compliance to the law

Answer 311

A

A copy of the report must be given to the consumer along with their rights, before taking action, however, if the consumer submitted the employment application by mail, phone, computer, they don’t need to do this

Answer 312

A

within 3 days aftter taking action, and provide name and contact infor of CRA, statement, and how to get a free copy

Answer 313

A

Tell the CRA, who the user is, permissable purpose, procedures in place, verify identity and certifications of recipient

Answer 314

A

For firm offers of credit or insurance not initiated by a consumer, i.e., companies creating a prequalificaiton list for their product or service

Answer 315

A

maintain records of the prescreen criteria for 3 years

Answer 316

A

CRA file was used, they are credit worthy, service can be withheld if fail further screening, consumer can prohibit (opt out of) similar solicitations by contacting the CRA

Brainscape's Knowledge GenomeTM

Data Privacy Flashcards

Brainscape's Knowledge Genome^TM