Questions Flashcards
1
Q
Which jurisdiction must courts have in order to hear a particular case?
A
Personal jurisdiction and subject matter jurisdiction
2
Q
Which authority supervises and enforces laws regarding advertising to children via the Internet?
A. Office of Civil rights
B. The Federal Trade Commission
C. Dept of Homeland Security
A
The Federal Trade Commission
3
Q
According to Section 5 of the FTC Act, self-regulation primarily involves a company’s right to do what?
A. Determine which bodies will be involved in adjudication
B. Decide if any enforcement actions are justified
C. Adhere to its industry’s code of conduct
D. Appeal decisions made against it
A
Determine which bodies will be involved in adjudication
4
Q
Which was NOT one of the five priority areas listed by the Federal Trade Commission in its 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”?
A. International data transfers
B. Large platform providers
C. Promoting enforceable self-regulatory codes
D. Do Not Track
A
International data transfers
5
Q
The “Consumer Privacy Bill of Rights” presented in a 2012 Obama administration report is generally based on?
A. The 1974 Privacy Act
B. Common law principles
C. European Union Directive
D. Traditional fair information practices
A
European Union Directive
6
Q
What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?
A. A consent decree
B. Stare decisis decree
C. A judgment rider
D. Common law judgment
A
A consent decree
7
Q
Our website uses cookies. Cookies allow us to identify the computer or device you’re using to access the site, but they don’t identify you personally. For instructions on setting your Web browser to refuse cookies, click here.
What type of legal choice does not notice provide?
A. Mandatory
B. Implied consent
C. Opt-in
D. Opt-out
A
A. Mandatory B. implied consent C. Opt -in D. Opt-out
Answer: C. Opt in? *check
8
Q
Hypo: What is the best reason for Cheryl (owner) to follow Janice’s (lawyer)
suggestion about classifying customer data?
A. It will help employees stay better organized
B. It will help the company meet a federal mandate
C. It will increase the security of customers’ personal information (PI)
D. It will prevent the company from collecting too much personal information (PI)
A
It will increase the security of customer’s personal information (PI)
9
Q
What is the most likely risk of Fitness Coach, Inc. adopting Janice’s first draft of the privacy policy?
A. Leaving the company susceptible to violations by setting unrealistic goals
B. Failing to meet the needs of customers who are concerned about privacy
C. Showing a lack of trust in the organization’s privacy practices
D. Not being in standard compliance with applicable laws
A
Leaving the company susceptible to violations by setting unrealistic goals.
10
Q
What is the main problem with Cheryl’s (owner) suggested method of communicating the new privacy policy?
A. The policy would not be considered valid if not communicated in full.
B. The policy might not be implemented consistency across departments.
C. Employees would not be comfortable with a policy that is put into action over time.
D. Employees might not understand how the documents relate to the policy as a whole.
Reveal Solution
A
The policy might not be implemented consistency across departments.
11
Q
Based on the scenario, which of the following would have helped Janice (lawyer) to better meet the company’s needs?
A. Creating a more comprehensive plan for implementing a new policy
B. Spending more time understanding the company’s information goals
C. Explaining the importance of transparency in implementing a new policy
D. Removing the financial burden of the company’s employee training program
Reveal Solution
A
Spending more time understanding the company’s information goals
12
Q
According to the FTC Report of 2012, what is the main goal of Privacy by Design?
A. Obtaining consumer consent when collecting sensitive data for certain purposes
B. Establishing a system of self-regulatory codes for mobile-related services
C. Incorporating privacy protections throughout the development process
D. Implementing a system of standardization for privacy notices
A
Answer: C. Incorporating privacy protections throughout the development process
13
Q
What is the main reason some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices?
A. A large amount of money may have to be sent on improved technology and security
B. Industries may not be strict enough in the creation and enforcement of rules
C. A new business owner may not
A
B. industries may not be strict enough in the creation and enforcement of rules
14
Q
What is the main purpose of the Global Privacy Enforcement Network?
A. To promote universal cooperation among privacy authorities
B. To investigate allegations of privacy violations internationally
C. To protect the interests of privacy consumer groups worldwide
D. To arbitrate disputes between countries over jurisdiction for privacy laws
A
answer: A. to promote universal cooperation among privacy authorities
15
Q
In 2014, Google was alleged to have violated the Family Educational Rights and Privacy Act (FERPA) through its Apps for Education suite of tools. For what specific practice did students sue the company?
A
A. Scanning emails sent to and received by students
16
Q
Which venture would be subject to the requirements of Section 5 of the Federal Trade Commission Act?
A. A local nonprofit charity’s fundraiser
B. An online merchant’s free shipping offer
C. A national bank’s no-fee checking promotion
D. A city bus system’s frequent rider program
A
Answer: B. An online merchant’s free shipping offer.
17
Q
An organization self-certified under Privacy Shield must, upon request by an individual, do what?
A. Suspend the use of all personal information collected by the organization to fulfill its original purpose.
B. Provide the identities of third parties with whom the organization shares personal information.
C. Provide the identities of third and fourth parties that may potentially receive personal information.
D. Identify all personal information disclosed during a criminal investigation.
A
Answer:
Provide the identities of third parties with whom the organization shares personal information
18
Q
Which of the following federal agencies does NOT enforce the Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA)?
A. The Office of the Comptroller of the Currency
B. The Consumer Financial Protection Bureau
C. The Department of Health and Human Services
D. The Federal Trade Commission
A
Answer: The Dept of Health and Human Services
19
Q
Please use the following to answer the next question:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: “Please act immediately by identifying all personal data received from our company.”
This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup’s rapid market penetration.
As the Company’s data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
At this stage of the investigation, what should the data privacy leader review first?
A. Available data flow diagrams
B. The text of the original complaint
C. The company’s data privacy policies
D. Prevailing regulation on this subject
A
Answer: Prevailing regulation on this subject
20
Q
FROM HYPO
Upon review, the data privacy leader discovers that the Company’s documented data inventory is obsolete. What is the data privacy leader’s next best source of information to aid the investigation?
A. Reports on recent purchase histories
B. Database schemas held by the retailer
C. Lists of all customers, sorted by country
D. Interviews with key marketing personnel
A
Answer: Lists of all customers, sorted by country
21
Q
From hypo above. Under the General Data Protection Regulation (GDPR), how would the U.S.-based startup company most likely be classified?
A
Answer: Data controller.
22
Q
Under the GDPR, the complainant’s request regarding her personal information is known as what?
A
Right to be Forgotten
23
Q
In which situation would a policy of “no consumer choice” or “no option” be expected
A. When a job applicant’s credit report is provided to an employer
B. When a customer’s financial information is requested by the government
C. When a patient’s health record is made available to a pharmaceutical company
D. When a customer’s street address is shared with a shipping company
A
Answer: When a customer’s street address is shared with a shipping company.
24
Q
What is the main challenge financial institutions face when managing user preferences?
A. . Ensuring they are in compliance with numerous complex state and federal privacy laws
B. Developing a mechanism for opting out that is easy for their consumers to navigate
C. Ensuring that preferences are applied consistently across channels and platforms
D. Determining the legal requirements for sharing preferences with their affiliates
A
Answer: Ensuring that preferences are applied consistently across channels and platforms.
25
A large online bookseller decides to contract with a vendor to manage Personal Information (PI). What is the least important factor for the company to consider when selecting the vendor?
A. The vendor’s reputation
B. The vendor’s financial health
C. The vendor’s employee retention rates
D. The vendor’s employee training program
Answer: The vendor employee's retention rates
26
In which situation is a company operating under the assumption of implied consent?
A. An employer contacts the professional references provided on an applicant’s resume
B. An online retailer subscribes new customers to an e-mail list by default
C. A landlord uses the information on a completed rental application to run a credit report
D. A retail clerk asks a customer to provide a zip code at the check-out counter
Answer A
27
All of the following are tasks in the “Discover” phase of building an information management program EXCEPT?
A. Facilitating participation across departments and levels
B. Developing a process for review and update of privacy policies
C. Deciding how aggressive to be in the use of personal information
D. Understanding the laws that regulate a company’s collection of information
Answer: Developing a process for review and update of privacy policies
28
Which of the following describes the most likely risk for a company developing a privacy policy with standards that are much higher than its competitors?
A. Being more closely scrutinized for any breaches of policy
B. Getting accused of discriminatory practices
C. Attracting skepticism from auditors
D. Having a security system failure
Answer: Being more closely scrutinized for any breaches of policy
29
If an organization certified under Privacy Shield wants to transfer personal data to a third party acting as an agent, the organization must ensure the third party does all of the following EXCEPT?
A. Uses the transferred data for limited purposes
B. Provides the same level of privacy protection as the organization
C. Notifies the organization if it can no longer meet its requirements for proper data handling
D. Enters a contract with the organization that states the third party will process data according to the consent agreement
Answer: Enters a contract with the organization that states the third party will process data according to the consent agreement.
30
What was the original purpose of the Federal Trade Commission Act?
A. To ensure privacy rights of U.S. citizens
B. To protect consumers
C. To enforce antitrust laws
D. To negotiate consent decrees with companies violating personal privacy
Answer: TO enforce antitrust laws
31
SCENARIO -
Please use the following to answer the next question:
Matt went into his son’s bedroom one evening and found him stretched out on his bed typing on his laptop.
“Doing your homework?” Matt asked hopefully.
“No,” the boy said. “I’m filling out a survey.”
Matt looked over his son’s shoulder at his computer screen. “What kind of survey?”
“It’s asking questions about my opinions.”
“Let me see,” Matt said, and began reading the list of questions that his son had already answered. “It’s asking your opinions about the government and citizenship. That’s a little odd. You’re only ten.”
Matt wondered how the web link to the survey had ended up in his son’s email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer questions about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son’s inbox, and he decided it was time to report the incident to the proper authorities.
Based on the incident, the FTC’s enforcement actions against the marketer would most likely include what violation?
A. Intruding upon the privacy of a family with young children.
B. Collecting information from a child under the age of thirteen.
C. Failing to notify of a breach of children’s private information.
D. Disregarding the privacy policy of the children’s marketing industry.
Answer: Collecting information from a child under the age of thirteen.
32
Same scenario as above.
How does Matt come to the decision to report the marketer’s activities?
A. The marketer failed to make an adequate attempt to provide Matt with information
B. The marketer did not provide evidence that the prize books were appropriate for children
C. The marketer seems to have distributed his son’s information without Matt’s permission
D. The marketer failed to identify himself and indicate the purpose of the messages
Answer: The marketer failed to make an adequate attempt to provide Matt with information
33
Scenario above Matt and his son
How could the marketer have best changed its privacy management program to meet COPPA “Safe Harbor” requirements?
A. By receiving FTC approval for the content of its emails
B. By making a COPPA privacy notice available on website
C. By participating in an approved self-regulatory program
D. By regularly assessing the security risks to consumer privacy
Answer: C. By participating in an approved self-regulatory program
34
What important action should a health care provider take if the she wants to qualify for funds under the Health Information Technology for Economic and Clinical Health Act (HITECH)?
A. Make electronic health records (EHRs) part of regular care
B. Bill the majority of patients electronically for their health care
C. Send health information and appointment reminders to patients electronically
D. Keep electronic updates about the Health Insurance Portability and Accountability Act
Answer: Make electronic health records (EHRs) part of regular care
35
All of the following organizations are specified as covered entities under the Health Insurance Portability and Accountability Act (HIPAA) EXCEPT?
A. Healthcare information clearinghouses
B. Pharmaceutical companies
C. Healthcare providers
D. Health plans
Answer: Pharmaceutical companies
36
A covered entity suffers a ransomware attack that affects the personal health information (PHI) of more than 500 individuals. According to Federal law under HIPAA, which of the following would the covered entity NOT have to report the breach to?
A. Department of Health and Human Services
B. The affected individuals
C. The local media
D. Medical providers
Answer:
D. Medical Providers
37
What consumer protection did the Fair and Accurate Credit Transactions Act (FACTA) require?
A. The ability for the consumer to correct inaccurate credit report information
B. The truncation of account numbers on credit card receipts
C. The right to request removal from e-mail lists
D. Consumer notice when third-party data is used to make an adverse decision
Answer: The truncation of account numbers on credit card receipts
38
Who has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA)?
A. State Attorneys General
B. The Federal Trade Commission
C. The Department of Commerce
D. The Consumer Financial Protection Bureau
A. State Attorneys General
B. The Federal Trade Commission
C. The Department of Commerce
D. The Consumer Financial Protection Bureau
Answer: The Consumer Financial Protection Bureau
39
Under the Fair and Accurate Credit Transactions Act (FACTA), what is the most appropriate action for a car dealer holding a paper folder of customer credit reports?
A. To follow the Disposal Rule by having the reports shredded
B. To follow the Red Flags Rule by mailing the reports to customers
C. To follow the Privacy Rule by notifying customers that the reports are being stored
D. To follow the Safeguards Rule by transferring the reports to a secure electronic file
Answer: To follow the Disposal Rule by having the reports shredded.
40
When may a financial institution share consumer information with non-affiliated third parties for marketing purposes?
A. After disclosing information-sharing practices to customers and after giving them an opportunity to opt in.
B. After disclosing marketing practices to customers and after giving them an opportunity to opt in.
C. After disclosing information-sharing practices to customers and after giving them an opportunity to opt out.
D. After disclosing marketing practices to customers and after giving them an opportunity to opt out.
A. After disclosing information-sharing practices to customers and after giving them an opportunity to opt in.
B. After disclosing marketing practices to customers and after giving them an opportunity to opt in.
C. After disclosing information-sharing practices to customers and after giving them an opportunity to opt out.
D. After disclosing marketing practices to customers and after giving them an opportunity to opt out.
Answer: C. After disclosing information-sharing practices to customers and after giving them an opportunity to opt out.
41
What are banks required to do under the Gramm-Leach-Bliley Act (GLBA)?
A. Conduct annual consumer surveys regarding satisfaction with user preferences
B. Process requests for changes to user preferences within a designated time frame
C. Provide consumers with the opportunity to opt out of receiving telemarketing phone calls
D. Offer an Opt-Out before transferring PI to an unaffiliated third party for the latter’s own use
Answer: D. Offer an Opt-Out before transferring PI to an unaffiliated third party for the latter's own use.
42
Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan’s day ended with many questions, he was pleased about his new position.
What is the most likely way that Declan might directly violate the Health Insurance Portability and Accountability Act (HIPAA)?
A. By being present when patients checkin
B. By speaking to a painful without authorization
C. By ignoring the conversation about a potential breach
D. By following his plans for his upcoming paper.
D. By following his plans for his upcoming paper.
43
Scenario above.
Although Declan’s day ended with many questions, he was pleased about his new position.
How can the radiology department address Declan’s concern about paper waste and still comply with the Health Insurance Portability and Accountability Act (HIPAA)?
A. State the privacy policy to the patient verbally
B. Post the privacy notice in a prominent location instead
C. Direct patients to the correct area of the hospital website
D. Confirm that patients are given the privacy notice on their first visit
Answer: C. Direct patients to the correct area of the hospital website
44
Scenario above.
Although Declan’s day ended with many questions, he was pleased about his new position.
Based on the scenario, what is the most likely way Declan’s supervisor would answer his question about the hospital’s use of a billing company?
A. By suggesting that Declan look at the hospital’s publicly posted privacy policy
B. By assuring Declan that third parties are prevented from seeing Private Health Information (PHI)
C. By pointing out that contracts are in place to help ensure the observance of minimum security standards
D. By describing how the billing system is integrated into the hospital’s electronic health records (EHR) system
Answer: C. By pointing out that contracts are in place to help ensure the observance of minimum security standards
45
Which entities must comply with the Telemarketing Sales Rule?
A. For-profit organizations and for-profit telefunders regarding charitable solicitations
B. Nonprofit organizations calling on their own behalf
C. For-profit organizations calling businesses when a binding contract exists between them
D. For-profit and not-for-profit organizations when selling additional services to establish customers
Answer: A. For-profit organizations and for-profit telefunders regarding charitable solicitations
46
Under the Telemarketing Sales Rule, what characteristics of consent must be in place for an organization to acquire an exception to the Do-Not-Call rules for a particular consumer?
A. The consent must be in writing, must state the times when calls can be made to the consumer and must be signed
B. The consent must be in writing, must contain the number to which calls can be made and must have an end date
C. The consent must be in writing, must contain the number to which calls can be made and must be signed
D. The consent must be in writing, must have an end date and must state the times when calls can be made
Answer: C. The consent must be in writing, must contain the number to which calls can be made and must be signed
47
When does the Telemarketing Sales Rule require an entity to share a do-not-call request across its organization?
A. When the operational structures of its divisions are not transparent
B. When the goods and services sold by its divisions are very similar
C. When a call is not the result of an error or other unforeseen cause
D. When the entity manages user preferences through multiple platforms
Answer: C. When a call is not the result of an error or other unforeseen cause.
48
Within what time period must a commercial message sender remove a recipient’s address once they have asked to stop receiving future e-mail?
A. 7 days
B. 10 days
C. 15 days
D. 21 days
Answer: 10 days
49
A student has left high school and is attending a public postsecondary institution. Under what condition may a school legally disclose educational records to the parents of the student without consent?
A. If the student has not yet turned 18 years of age
B. If the student is in danger of academic suspension
C. If the student is still a dependent for tax purposes
D. If the student has applied to transfer to another institution
Answer: C. If the student is still a dependent for tax purposes
50
In what way does the “Red Flags Rule” under the Fair and Accurate Credit Transactions Act (FACTA) relate to the owner of a grocery store who uses a money wire service?
A. It mandates the use of updated technology for securing credit records
B. It requires the owner to implement an identity theft warning system
C. It is not usually enforced in the case of a small financial institution
D. It does not apply because the owner is not a creditor
Answer: D. It does not apply because the owner is not a creditor.
51
Which of the following is an important implication of the Dodd-Frank Wall Street Reform and Consumer Protection Act?
A. Financial institutions must avoid collecting a customer’s sensitive personal information
B. Financial institutions must help ensure a customer’s understanding of products and services
C. Financial institutions must use a prescribed level of encryption for most types of customer records
D. Financial institutions must cease sending e-mails and other forms of advertising to customers who opt out of direct marketing
Answer: B. Financial institutions must help ensure a customer’s understanding of products and services
52
Which act violates the Family Educational Rights and Privacy Act of 1974 (FERPA)?
A. A K-12 assessment vendor obtains a student’s signed essay about her hometown from her school to use as an exemplar for public release
B. A university posts a public student directory that includes names, hometowns, e-mail addresses, and majors
C. A newspaper prints the names, grade levels, and hometowns of students who made the quarterly honor roll
D. University police provide an arrest report to a student’s hometown police, who suspect him of a similar crime
Answer: A K-12 assessment vendor obtains a student’s signed essay about her hometown from her school to use as an exemplar for public release
53
According to FERPA, when can a school disclose records without a student’s consent?
A. If the disclosure is not to be conducted through email to the third party
B. If the disclosure would not reveal a student’s student identification number
C. If the disclosure is to practitioners who are involved in a student’s health care
D. If the disclosure is to provide transcripts to a school where a student intends to enroll
Answer: D If the disclosure is to provide transcripts to a school where a student intends to enroll
54
What is the main purpose of the CAN-SPAM Act?
A. To diminish the use of electronic messages to send sexually explicit materials
B. To authorize the states to enforce federal privacy laws for electronic marketing
C. To empower the FTC to create rules for messages containing sexually explicit content
D. To ensure that organizations respect individual rights when using electronic advertising
Answer: D. To ensure that organizations respect individual rights when using electronic advertising
55
The Video Privacy Protection Act of 1988 restricted which of the following?
A. Which purchase records of audio visual materials may be disclosed
B. When downloading of copyrighted audio visual materials is allowed
C. When a user’s viewing of online video content can be monitored
D. Who advertisements for videos and video games may target
Answer: A. Which purchase records of audio visual materials may be disclosed
56
The Cable Communications Policy Act of 1984 requires which activity?
A. Delivery of an annual notice detailing how subscriber information is to be used
B. Destruction of personal information a maximum of six months after it is no longer needed
C. Notice to subscribers of any investigation involving unauthorized reception of cable services
D. Obtaining subscriber consent for disseminating any personal information necessary to render cable services
Answer: A. Delivery of an annual notice detailing how subscriber information is to be used
57
What is the main purpose of requiring marketers to use the Wireless Domain Registry?
A. To access a current list of wireless domain names
B. To prevent unauthorized emails to mobile devices
C. To acquire authorization to send emails to mobile devices
D. To ensure their emails are sent to actual wireless subscribers
Answer: B. To prevent unauthorized emails to mobile devices
58
SCENARIO -
Please use the following to answer the next question:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo’s business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth’s security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals – ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual’s ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient’s attorney has submitted a discovery request for the ePHI exposed in the breach.
What is the most significant reason that the U.S. Department of Health and Human Services (HHS) might impose a penalty on HealthCo?
A. Because HealthCo did not require CloudHealth to implement appropriate physical and administrative measures to safeguard the ePHI
B. Because HealthCo did not conduct due diligence to verify or monitor CloudHealth’s security measures
C. Because HIPAA requires the imposition of a fine if a data breach of this magnitude has occurred
D. Because CloudHealth violated its contract with HealthCo by not encrypting the ePHI
Answer: B. Because HealthCo did not conduct due diligence to verify or monitor CloudHealth’s security measures
59
ou are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo.
What is the most effective kind of training CloudHealth could have given its employees to help prevent this type of data breach?
A. Training on techniques for identifying phishing attempts
B. Training on the terms of the contractual agreement with HealthCo
C. Training on the difference between confidential and non-public information
D. Training on CloudHealth’s HR policy regarding the role of employees involved data breaches
Answer: A training on techniques for identifying phishing attempts
60
ou are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo.
Of the safeguards required by the HIPAA Security Rule, which of the following is NOT at issue due to HealthCo’s actions?
A. Administrative Safeguards
B. Technical Safeguards
C. Physical Safeguards
D. Security Safeguards
Answer: C. Physical Safeguards
61
ou are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo.
Which of the following would be HealthCo’s best response to the attorney’s discovery request?
A. Reject the request because the HIPAA privacy rule only permits disclosure for payment, treatment or healthcare operations
B. Respond with a request for satisfactory assurances such as a qualified protective order
C. Turn over all of the compromised patient records to the plaintiff’s attorney
D. Respond with a redacted document only relative to the plaintiff
Answer: B. Respond with a request for satisfactory assurances such as a qualified protective order
62
Which of the following types of information would an organization generally NOT be required to disclose to law enforcement?
A. Information about medication errors under the Food, Drug and Cosmetic Act
B. Money laundering information under the Bank Secrecy Act of 1970
C. Information about workplace injuries under OSHA requirements
D. Personal health information under the HIPAA Privacy Rule
Answer: D. Personal health information under the HIPAA Privacy Rule
63
A law enforcement agency subpoenas the ACME telecommunications company for access to text message records of a person suspected of planning a terrorist attack. The company had previously encrypted its text message records so that only the suspect could access this data.
What law did ACME violate by designing the service to prevent access to the information by a law enforcement agency?
A. SCA
B. ECPA
C. CALEA
D. USA FREEDOM Act
Answer: C. CALEA
64
What practice do courts commonly require in order to protect certain personal information on documents, whether paper or electronic, that is involved in litigation?
A. Redaction
B. Encryption
C. Deletion
D. Hashing
Answer: A Redaction
65
What is an exception to the Electronic Communications Privacy Act of 1986 ban on interception of wire, oral and electronic communications?
A. Where one of the parties has given consent
B. Where state law permits such interception
C. If an organization intercepts an employee’s purely personal call
D. Only if all parties have given consent
Answer: A. Where one of the parties has given consent
66
What was the original purpose of the Foreign Intelligence Surveillance Act?
A. To further define what information can reasonably be under surveillance in public places under the USA PATRIOT Act, such as Internet access in public libraries.
B. To further clarify a reasonable expectation of privacy stemming from the Katz v. United States decision.
C. To further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution.
D. To further clarify when a warrant is not required for a wiretap performed internally by the telephone company outside the suspect’s home, stemming from the Olmstead v. United States decision.
Answer: C. To further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution.
67
What practice does the USA FREEDOM Act NOT authorize?
A. Emergency exceptions that allow the government to target roamers
B. An increase in the maximum penalty for material support to terrorism
C. An extension of the expiration for roving wiretaps
D. The bulk collection of telephone data and internet metadata
D. The bulk collection of telephone data and internet metadata
68
Why was the Privacy Protection Act of 1980 drafted?
A. To respond to police searches of newspaper facilities
B. To assist prosecutors in civil litigation against newspaper companies
C. To assist in the prosecution of white-collar crimes
D. To protect individuals from personal privacy invasion by the police
Answer: A. To respond to police searches of newspaper facilities
69
The rules for “e-discovery” mainly prevent which of the following?
Answer: B. The loss of information due to poor data retention practices
70
What do the Civil Rights Act, Pregnancy Discrimination Act, Americans with Disabilities Act, Age Discrimination Act, and Equal Pay Act all have in common?
A. They require employers not to discriminate against certain classes when employees use personal information
B. They require that employers provide reasonable accommodations to certain classes of employees
C. They afford certain classes of employees’ privacy protection by limiting inquiries concerning their personal information
D. They permit employers to use or disclose personal information specifically about employees who are members of certain classes
Answer: A. They require employers not to discriminate against certain classes when employees use personal information
71
Which is an exception to the general prohibitions on telephone monitoring that exist under the U.S. Wiretap Act?
A. Call center exception
B. Inter-company communications exception
C. Ordinary course of business exception
D. Internet calls exception
Answer: C. Ordinary course of business exception
72
SCENARIO -
Please use the following to answer the next question:
Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state’s Do Not Call list, as well as the people on it. “If they were really serious about not being bothered,” Evan said, “They’d be on the national DNC list. That’s the only one we’re required to follow. At SunriseLynx, we call until they ask us not to.”
Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call “another time.” This, to Larry, is a clear indication that they don’t want to be called at all. Evan doesn’t see it that way.
Larry believes that Evan’s arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social media. However, following Evan’s political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.
Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though this name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan’s leadership.
Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker’s belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.
Larry wants to take action, but is uncertain how to proceed.
In what area does Larry have a misconception about private-sector employee rights?
A. The applicability of federal law
B. The enforceability of local law
C. The strict nature of state law
D. The definition of tort law
Answer: A. The applicability of federal law
73
SCENARIO -
Please use the following to answer the next question:
Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state’s Do Not Call list, as well as the people on it. “If they were really serious about not being bothered,” Evan said, “They’d be on the national DNC list. That’s the only one we’re required to follow. At SunriseLynx, we call until they ask us not to.”
Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call “another time.” This, to Larry, is a clear indication that they don’t want to be called at all. Evan doesn’t see it that way.
Larry believes that Evan’s arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social media. However, following Evan’s political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.
Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though this name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan’s leadership.
Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker’s belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.
Larry wants to take action, but is uncertain how to proceed.
Based on the way he uses social media, Evan is susceptible to a lawsuit based on?
A. Defamation
B. Discrimination
C. Intrusion upon seclusion
D. Publicity given to private life
Answer: B. Discrimination
74
Same scenario as above.
Larry wants to take action, but is uncertain how to proceed.
Which act would authorize Evan’s undercover investigation?
A. The Whistleblower Protection Act
B. The Stored Communications Act (SCA)
C. The National Labor Relations Act (NLRA)
D. The Fair and Accurate Credit Transactions Act (FACTA)
Answer: B. The Stored Communications Act (SCA)
75
Same scenario as above.
In regard to telemarketing practices, Evan the supervisor has a misconception regarding?
Answer: D. The relationship of state law to federal law
76
Which of the following best describes private-sector workplace monitoring in the United States?
A. Employers have broad authority to monitor their employees
B. U.S. federal law restricts monitoring only to industries for which it is necessary
C. Judgments in private lawsuits have severely limited the monitoring of employees
D. Most employees are protected from workplace monitoring by the U.S. Constitution
Answer: A. Employers have broad authority to monitor their employees
77
Which of the following is most likely to provide privacy protection to private-sector employees in the United States?
A. State law, contract law, and tort law
B. The Federal Trade Commission Act (FTC Act)
C. Amendments one, four, and five of the U.S. Constitution
D. The U.S. Department of Health and Human Services (HHS)
A. State law, contract law, and tort law
B. The Federal Trade Commission Act (FTC Act)
C. Amendments one, four, and five of the U.S. Constitution
D. The U.S. Department of Health and Human Services (HHS)
Answer: A. State law, contract law, and tort law
78
What role does the U.S. Constitution play in the area of workplace privacy?
A. It provides enforcement resources to large employers, but not to small businesses
B. It provides legal precedent for physical information security, but not for electronic security
C. It provides contractual protections to members of labor unions, but not to employees at will
D. It provides significant protections to federal and state governments, but not to private-sector employment
A. It provides enforcement resources to large employers, but not to small businesses
B. It provides legal precedent for physical information security, but not for electronic security
C. It provides contractual protections to members of labor unions, but not to employees at will
D. It provides significant protections to federal and state governments, but not to private-sector employment
Answer: D. It provides significant protections to federal and state governments, but not to private-sector employment
79
Which action is prohibited under the Electronic Communications Privacy Act of 1986?
A. Intercepting electronic communications and unauthorized access to stored communications
B. Monitoring all employee telephone calls
C. Accessing stored communications with the consent of the sender or recipient of the message
D. Monitoring employee telephone calls of a personal nature
Answer: A. Intercepting electronic communications and unauthorized access to stored communications
80
Which of the following does Title VII of the Civil Rights Act prohibit an employer from asking a job applicant?
A. Questions about age
B. Questions about a disability
C. Questions about national origin
D. Questions about intended pregnancy
Answer: C. Questions about national origin
81
How did the Fair and Accurate Credit Transactions Act (FACTA) amend the Fair Credit Reporting Act (FCRA)?
A. It expanded the definition of “consumer reports” to include communications relating to employee investigations
B. It increased the obligation of organizations to dispose of consumer data in ways that prevent unauthorized access
C. It stipulated the purpose of obtaining a consumer report can only be for a review of the employee’s credit worthiness
D. It required employers to get an employee’s consent in advance of requesting a consumer report for internal investigation purpos
B. It increased the obligation of organizations to dispose of consumer data in ways that prevent unauthorized access
82
How did the Fair and Accurate Credit Transactions Act (FACTA) amend the Fair Credit Reporting Act (FCRA)?
A. It expanded the definition of “consumer reports” to include communications relating to employee investigations
B. It increased the obligation of organizations to dispose of consumer data in ways that prevent unauthorized access
C. It stipulated the purpose of obtaining a consumer report can only be for a review of the employee’s credit worthiness
D. It required employers to get an employee’s consent in advance of requesting a consumer report for internal investigation purposes
Answer: B. It increased the obligation of organizations to dispose of consumer data in ways that prevent unauthorized access
83
Which federal act does NOT contain provisions for preempting stricter state laws?
A. The CAN-SPAM Act
B. The Children’s Online Privacy Protection Act (COPPA)
C. The Fair and Accurate Credit Transactions Act (FACTA)
D. The Telemarketing Consumer Protection and Fraud Prevention Act
A. The CAN-SPAM Act
B. The Children’s Online Privacy Protection Act (COPPA)
C. The Fair and Accurate Credit Transactions Act (FACTA)
D. The Telemarketing Consumer Protection and Fraud Prevention Act
Answer:
D. The Telemarketing Consumer Protection and Fraud Prevention Act
84
Which of the following is commonly required for an entity to be subject to breach notification requirements under most state laws?
A. The entity must conduct business in the state
B. The entity must have employees in the state
C. The entity must be registered in the state
D. The entity must be an information broker
A. The entity must conduct business in the state
B. The entity must have employees in the state
C. The entity must be registered in the state
D. The entity must be an information broker
Answer: A. The entity must conduct business in the state
85
What is the most likely reason that states have adopted their own data breach notification laws?
A. Many states have unique types of businesses that require specific legislation
B. Many lawmakers believe that federal enforcement of current laws has not been effective
C. Many types of organizations are not currently subject to federal laws regarding breaches
D. Many large businesses have intentionally breached the personal information of their customers
A. Many states have unique types of businesses that require specific legislation
B. Many lawmakers believe that federal enforcement of current laws has not been effective
C. Many types of organizations are not currently subject to federal laws regarding breaches
D. Many large businesses have intentionally breached the personal information of their customers
Answer: B. Many lawmakers believe that federal enforcement of current laws has not been effective
86
Which federal law or regulation preempts state law?
A. Health Insurance Portability and Accountability Act
B. Controlling the Assault of Non-Solicited Pornography and Marketing Act
C. Telemarketing Sales Rule
D. Electronic Communications Privacy Act of 1986
Answer: B. Controlling the Assault of Non-Solicited Pornography and Marketing Act
87
More than half of U.S. states require telemarketers to?
A. Identify themselves at the beginning of a call
B. Obtain written consent from potential customers
C. Register with the state before conducting business
D. Provide written contracts for customer transactions
Answer: C. Register with the state before conducting business
88
What does the Massachusetts Personal Information Security Regulation require as it relates to encryption of personal information?
A. The encryption of all personal information of Massachusetts residents when all equipment is located in Massachusetts.
B. The encryption of all personal information stored in Massachusetts-based companies when all equipment is located in Massachusetts.
C. The encryption of personal information stored in Massachusetts-based companies when stored on portable devices.
D. The encryption of all personal information of Massachusetts residents when stored on portable devices.
D. The encryption of all personal information of Massachusetts residents when stored on portable devices.
Hide Solution
89
California’s SB 1386 was the first law of its type in the United States to do what?
A. Require commercial entities to disclose a security data breach concerning personal information about the state’s residents
B. Require notification of non-California residents of a breach that occurred in California
C. Require encryption of sensitive information stored on servers that are Internet connected
D. Require state attorney general enforcement of federal regulations against unfair and deceptive trade practices
A. Require commercial entities to disclose a security data breach concerning personal information about the state’s residents
90
Most states with data breach notification laws indicate that notice to affected individuals must be sent in the “most expeditious time possible without unreasonable delay.” By contrast, which of the following states currently imposes a definite limit for notification to affected individuals?
A. Maine
B. Florida
C. New York
D. California
B. Florida
91
Under state breach notification laws, which is NOT typically included in the definition of personal information?
A. State identification number
B. First and last name
C. Social Security number
D. Medical information
D. Medical information
Hide Solution
92
Which of the following best describes what a “private right of action” is?
A. The right of individuals to keep their information private.
B. The right of individuals to submit a request to access their information.
C. The right of individuals harmed by data processing to have their information deleted.
D. The right of individuals harmed by a violation of a law to file a lawsuit against the violation.
D. The right of individuals harmed by a violation of a law to file a lawsuit against the violation.
Hide Solution
93
Which of the following is NOT a principle found in the APEC Privacy Framework?
A. Integrity of Personal Information.
B. Access and Correction.
C. Preventing Harm.
D. Privacy by Design.
D. Privacy by Design.
94
What is the most important action an organization can take to comply with the FTC position on retroactive changes to a privacy policy?
A. Describing the policy changes on its website.
B. Obtaining affirmative consent from its customers.
C. Publicizing the policy changes through social media.
D. Reassuring customers of the security of their information.
B. Obtaining affirmative consent from its customers.
95
Federal laws establish which of the following requirements for collecting personal information of minors under the age of 13?
A. Implied consent from a minor’s parent or guardian, or affirmative consent from the minor.
B. Affirmative consent from a minor’s parent or guardian before collecting the minor’s personal information online.
C. Implied consent from a minor’s parent or guardian before collecting a minor’s personal information online, such as when they permit the minor to use the internet.
D. Affirmative consent of a parent or guardian before collecting personal information of a minor offline (e.g., in person), which also satisfies any requirements for online consent.
B. Affirmative consent from a minor’s parent or guardian before collecting the minor’s personal information online.
96
If an organization maintains data classified as high sensitivity in the same system as data classified as low sensitivity, which of the following is the most likely outcome?
A. The organization will still be in compliance with most sector-specific privacy and security laws.
B. The impact of an organizational data breach will be more severe than if the data had been segregated.
C. Temporary employees will be able to find the data necessary to fulfill their responsibilities.
D. The organization will be able to address legal discovery requests efficiently without producing more information than necessary.
B. The impact of an organizational data breach will be more severe than if the data had been segregated.
97
Which of the following best describes the ASIA-Pacific Economic Cooperation (APEC) principles?
A. A bill of rights for individuals seeking access to their personal information.
B. A code of responsibilities for medical establishments to uphold privacy laws.
C. An international court ruling on personal information held in the commercial sector.
D. A baseline of marketers’ minimum responsibilities for providing opt-out mechanisms.
A. A bill of rights for individuals seeking access to their personal information.
98
Which of the following became the first state to pass a law specifically regulating the practices of data brokers?
A. Washington.
B. California.
C. New York.
D. Vermont.
Answer: D. Vermont
99
Acme has built an AI algorithm that determines wheter an individual will pay their bill or default. A person who is determined by the algorithim to be more likely to default will receive frequent payment reminder calls.
Which of the following most accurately reflects the privacy concerns with Acme Student Loan Company using artificial intelligence in this manner?
A. If the algorithm uses risk factors that impact the automatic decision engine. Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.
B. If the algorithm makes automated decisions based on risk factors and public information, Acme need not determine if the algorithm has a disparate impact on protected classes.
C. If the algorithm’s methodology is disclosed to consumers, then it is acceptable for Acme to have a disparate impact on protected classes.
D. If the algorithm uses information about protected classes to make automated decisions, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.
If the algorithim makes automated decisons using risk factors and public information, Acme need not determine if the algorithim has a disparate impact on protected classes
RISK FFACTORS/ PUBLIC INFO
100
Global Manufacturing Co's HR dept purchased a new software tool. This tool helps future candidates fo executive roles. Provides a "360 view".
What is the most important step for the HR Dept to take when implementing this software?
A. Making sure that the software does not unintentionally discriminate against protected groups
B. Ensuring that the software contains a privacy notice explaining that employees have no right to privacy as long as they are running this software.
C. Confirming employees have read and signed the employee handbook
Answer: A. Making sure that the software does not unintentionally discriminate against protected groups.
101
WHich of the following would not constitute an exception to the authorization requirement under the HIPAA PRivacy Rule?
A. Disclosing health information for public health activities.
B. Disclosing health information to file a child abuse report.
C. Disclosing health information needed to treat a medical emergency.
D. Disclosing health information needed to pay a third party billing administrator.
D. Disclosing health information needed to pay a third party billing administrator.
102
Which type of material is exempt from an individual's right to disclosure under the Privacy Act?
A. Material required by statute to be maintained and used solely for research purposes.
B. Material reporting investigative efforts to prevent unlawful persecution of an individual.
C. Material used to determine potential collaboration with foreign governments in negotiation of trade deals.
D. Material reporting investigative efforts pertaining to the enforcement of criminal law.
B. Material reporting investigative efforts prevent unlawfaul persecution of an individual.
103
Which of the following best describes an employer's privacy-related responsibilties to an employee who has left the workplace?
A. An employer has a responsibility to maintain a former employee’s access to computer systems and company data needed to support claims against the company such as discrimination.
B. An employer has a responsibility to permanently delete or expunge all sensitive employment records to minimize privacy risks to both the employer and former employee.
C. An employer may consider any privacy-related responsibilities terminated, as the relationship between employer and employee is considered primarily contractual.
D. An employer has a responsibility to maintain the security and privacy of any sensitive employment records retained for a legitimate business purpose.
D. An employer has a responsibility to maintain the security and privacy of any sensitive employment records retained for a legitimate business purpose.
104
All of the following common law torts are relevant to employee privacy under US law except?
A. IIED
B. Intrusion upon seculsion
C. Defamation
D. Conversion
Answer: D Conversion
105
Which law provides employee benefits but often mandates the collection of medical information?
A. The Occupational Safety and Health Act.
B. The Americans with Disabilities Act.
C. The Employee Medical Security Act.
D. The Family and Medical Leave Act.
D. The Family and Medical Leave Act.
106
John, a CA resident, receives notificaiton that a major corporation with $500 million in annual revenue experienced a data breach.
Which of the following answers Johns ability under CCPA?
A. John has no right to sue the corporation because the CCPA does not address any data breach rights.
B. John cannot sue the corporation for the data breach because only the state’s Attoney General has authority to file suit under the CCPA.
C. John can sue the corporation for the data breach but only to recover monetary damages he actually suffered as a result of the data breach.
D. John can sue the corporation for the data breach to recover monetary damages suffered as a result of the data breach, and in some circumstances seek statutory damages irrespective of whether he suffered any financial harm.
Answer: C. John can sue the corp for the data breach but only to recover monetary damages he actually suffered as a result of the data breach.
107
Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network. Because it is a HIPPA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S. Department of Health and Human Services about the breach.
Which statement accurately describes SMH’s notification responsibilities?
A. If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.
B. If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.
C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.
D. If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate notification to individuals in the state of New York.
C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in NY.
NOTIFICATIOn, NY
108
Sarah lives in San Francisco, California. Based on a dramatic increase in unsolicited commercial emails, Sarah believes that a major social media platform with over 50 million users has collected a lot of personal information about her. The company that runs the platform is based in New York and France.
Why is Sarah entitled to ask the social media platform to delete the personal information they have collected about her?
A. Any company with a presence in Europe must comply with the General Data Protection Regulation globally, including in response to data subject deletion requests.
B. Under Section 5 of the FTC Act, the Federal Trade Commission has held that refusing to delete an individual’s personal information upon request constitutes an unfair practice.
C. The California Consumer Privacy Act entitles Sarah to request deletion of her personal information.
D. The New York “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act requires that businesses under New York’s jurisdiction must delete customers’ personal information upon request.
C. THE CCPA entitles Sarah to request deletion of her PI
109
Which of the following is an example of federal preemption?
A. The Payment Card Industry’s (PCI) ability to self-regulate and enforce data security standards for payment card data.
B. The U.S. Federal Trade Commission’s (FTC) ability to enforce against unfair and deceptive trade practices across sectors and industries.
C. The California Consumer Privacy Act (CCPA) regulating businesses that have no physical brick-and-mortal presence in California, but which do business there.
D. The U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act prohibiting states from passing laws that impose greater obligations on senders of email marketing.
D.
110
Which of the organizations would be required to provides its customers wth an annual privacy notice?
Topic 1
Which of these organizations would be required to provide its customers with an annual privacy notice?
A. The Four Winds Tribal College.
B. The Golden Gavel Auction House.
C. The King County Savings and Loan.
D. The Breezy City Housing Commission.
C. King county savings and loan
banks must provide annual privacy notice
111
which entity within the Dept of Health and Human Services (HHS) is the primary enforcer of the HIPPA?
A. Office for civil rights
B. Office of Social Services
A. Office of Civil rights
112
Even when dealing with an organization subject to the CCPA, California residents are NOT legally entitled to request that the organization do what?
A. Delete their personal information.
B. Correct their personal information.
C. Disclose their personal information to them.
D. Refrain from selling their personal information to third parties.
under CCPA you can request to deter your PI, correct your PI, disclose PI to you, and refrain from feeling PI to 3rd parties.
113
Which of the following accurately describes the purpose of a particular federal enforcement agency?
A. The National Institute of Standards and Technology (NIST) has established mandatory privacy standards that can then be enforced against all for-profit organizations by the Department of Justice (DOJ).
B. The Cybersecurity and Infrastructure Security Agency (CISA) is authorized to bring civil enforcement actions against organizations whose website or other online service fails to adequately secure personal information.
C. The Federal Communications Commission (FCC) regulates privacy practices on the internet and enforces violations relating to websites’ posted privacy disclosures.
D. The Federal Trade Commission (FTC) is typically recognized as having the broadest authority under the FTC Act to address unfair or deceptive privacy practices.
D. The Federal Trade Commission (FTC) is typically recognized as having the broadest authority under the FTC Act to address unfair or deceptive privacy practices.
114
Scenario: Data breach involving customer personal and financial information at a large retail store, the company director's were shocked. Roberta the privacy analyst was not. all employees could view files.
Based on the problems with the company’s privacy security that Roberta identifies, what is the most likely cause of the breach?
A. Mishandling of information caused by lack of access controls.
B. Unintended disclosure of information shared with a third party.
C. Fraud involving credit card theft at point-of-service terminals.
D. Lost company property such as a computer or flash drive.
Answer - Mishandling of information caused by lack of access controls
115
Scenario: Data breach involving customer personal and financial information at a large retail store, the company director's were shocked. Roberta the privacy analyst was not. all employees could view files.
Which principle of the Consumer Privacy Bill of Rights, if adopted, would best reform the company's privacy program?
A. Consumers have a right to exercise control over how companies use their personal data.
B. Consumers have a right to reasonable limits on the personal data that a company retains.
C. Consumers have a right to easily accessible information about privacy and security practices.
D. Consumers have a right to correct personal data in a manner that is appropriate to the sensitivity.
B. Consumers have a right to reasonable limits on the personal data that a company retains.
116
Scenario: Data breach involving customer personal and financial information at a large retail store, the company director's were shocked. Roberta the privacy analyst was not. all employees could view files.
What could the company have done differently prior to the breach to reduce their risk?
A. Implemented a comprehensive policy for accessing customer information.
B. Honored the promise of its privacy policy to acquire information by using an opt-in method.
C. Looked for any persistent threats to security that could compromise the company’s network.
D. Communicated requests for changes to users’ preferences across the organization and with third parties.
A. Implemented a comprehensive policy for accessing customer information.
117
Matt and his son + the survey
Depending on where Matt lives, the marketer could be prosecuted for violating which of the following?
A. Investigative Consumer Reporting Agencies Act
B. Unfair and Deceptive Acts and Practices
C. Consumer bill of rights
Answer - B Unfair and deceptive acts
118
in the case of civil litigation, what might a defendant who is being sued for distributing an employee's private information face?
an Injuction
119
The US Supreme Court has recognized an individual's rights to privacy over personal issues such as contraception by acknowledging which of the following?
A. Federal preemption of state constitutions that expressly recognize an individual right to privacy.
B. A “penumbra” of unenumerated constitutional rights as well as more general protections of due process of law.
C. An interpretation of the U.S. Constitution’s explicit definition of privacy that extends to personal issues.
D. The doctrine of stare decisis, which allows the U.S. Supreme Court to follow the precedent of previously decided case law.
A penumbra of unenumerated constitutional rights as well as more general protections of due process of law .
120
based on the 2012 FTC report "protecting consumer privacy in an era of rapid change" which of the following directives is most important for businesses?
A. Announcing the tracking of online behavior for advertising purposes
B. Integrating privacy protections during product development
C. Allowing consumers to opt in before collecting any data
D. Mitigating harm to consumers after a security breach
B. Integrating privacy protections during product development
121
In march 2012, the FTC released a privacy report that outlined three core principles for companies handling consumer data. Which was not one of the 3 principles?
A. Simiplying consumer choice
B. Enhancing security measures
C. Practicing Privacy by Design
D. Providing greater transparency
B. Enhancing security measures
122
what is a key way that Gramm Leach Billy Act prevents unauthorized access into a person's bank account?
A. By requiring immediate public disclosure after a suspected security breach
B. By requiring the amount of customer personal information printed on paper
C. by requiring financial institutions limit the collection of PI
D. By restricting the disclosure of customers account numbers by financial institutions
D. by restricting the disclosure of customers account numbers by financial institutions
123
in what way is the controlling the assault of non solicited pornography and marketing (CAN-SPAM) Act intended to help consumers?
A. By providing consumers with free spam filtering software
B. By requiring a company to receive an opt-in before sending any advertising emails
C. By prohibiting companies from sending objectionable content through unsolicited emails.
D. By requiring companies to allow consumers to opt out of future emails.
D. By requiring companies to allow consumers to opt out of future emails.
124
Otto is preparing a report to his board of directors at filtration station where is responsible for the privacy program. company sells filters and tubing to pharmaceutical companies for research use.
Filtration suffered a breach
Board ask Otto to provide information on the breach
The Board has asked Otto whether the company will need to comply with the new California Consumer Privacy Law (CCPA). What should Otto tell the Board?
A. That CCPA will apply to the company only after the California Attorney General determines that it will enforce the statute.
B. That the company is governed by CCPA, but does not need to take any additional steps because it follows CPBR.
C. That business contact information could be considered personal information governed by CCPA.
D. That CCPA only applies to companies based in California, which exempts the company from compliance.
C. That business contact information could be considered personal information governed by CCPA.
125
Otto is preparing a report to his board of directors at filtration station where is responsible for the privacy program. company sells filters and tubing to pharmaceutical companies for research use.
Filtration suffered a breach
Board ask Otto to provide information on the breach
What can Otto do to most effectively minimize the privacy risks involved in using a cloud provider for HR data?
What can Otto do to most effectively minimize the privacy risks involved in using a cloud provider for the HR data?
A. Request that the Board sign off in a written document on the choice of cloud provider.
B. Ensure that the cloud provider abides by the contractual requirements by conducting an on-site audit.
C. Obtain express consent from employees for storing the HR data in the cloud and keep a record of the employee consents.
D. Negotiate a Business Associate Agreement with the cloud provider to protect any health-related data employees might share with Filtration Station.
B. Ensure that the cloud provider abides by the contractual requirements by conducting an on-site audit.
126
Data breach under federal and state requires:
Which of the following statements is most accurate in regard to data breach notifications under federal and state laws:
A. You must notify the Federal Trade Commission (FTC) in addition to affected individuals if over 500 individuals are receiving notice.
B. When providing an individual with required notice of a data breach, you must identify what personal information was actually or likely compromised.
C. When you are required to provide an individual with notice of a data breach under any state’s law, you must provide the individual with an offer for free credit monitoring.
D. The only obligations to provide data breach notification are under state law because currently there is no federal law or regulation requiring notice for the breach of personal information.
D. The only obligations to provide data breach notification are under state law because currently there is no federal law or regulation requiring notice for the breach of personal information.
127
what consumer service was the Fair Credit Reporting Act (FCRA) originally intended to provide?
A. ability to receive reports from mulitple credit reporting agencies
B. Ability to appeal negative credit-based decisions
C. The ability to correct inaccurate credit informaiton
D. Ability to investigate incidents of identity theft
C. The ability to correct inaccurate credit informaiton
128
Privacy Is Hiring Inc., a CA-based company, is an online specialty recruiting firm focusing on placing privacy professionals in roles at major companies. Job candidates create online profiles outlining their experience and credentials, and can pay $19.99/month via credit card to have their profiles promoted to potential employers. Privacy Is Hiring Inc. keeps all customer data at rest encrypted on its servers.
Under what circumstances would Privacy Is Hiring Inc., need to notify affected individuals in the event of a data breach?
A. If law enforcement has completed its investigation and has authorized Privacy Is Hiring Inc. to provide the notification to clients and applicable regulators.
B. If the job candidates’ credit card information and the encryption keys were among the information taken.
C. If Privacy Is Hiring Inc., reasonably believes that job candidates will be harmed by the data breach.
D. If the personal information stolen included the individuals’ names and credit card pin numbers.
B. If the job candidates’ credit card information and the encryption keys were among the information taken.
129
Scenario: Noahhh trying to get a new job. Arnies told Noah he did not get the position. Noah looking for a job still.
Consumers today are most likely protected from situations like the one Noah had buying stock bc of which federal action or legislaiton act?
A. The rules under Fair Debt Collection Practices Act
B. The creation of the Consumer Financail Protection Bureau
C. FTC ivestigations into "unfair and deceptive" acts
D. Investigations of abuse acts and practices under the Dodd frank wall street reform and Consumer protection act.
D. Investigaitons of abuse acts and practices under Dodd Frank wall Street reform and consumer protection act.
130
Scenario: Noahhh trying to get a new job. Arnies told Noah he did not get the position. Noah looking for a job still.
Noah hopes that he will soon be able to put these challenges behind him, build excellent credit, and find the perfect job.
Based on the scenario, which legislation should ease Noah’s worry about his credit report as a result of applying at Arnie’s Emporium?
A. The Privacy Rule under the Gramm-Leach-Bliley Act (GLBA).
B. The Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA).
C. The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA).
D. The Red Flags Rule under the Fair and Accurate Credit Transactions Act (FACTA).
C. The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA).
131
Which federal agency plays a role in privacy policy but does not have regulatory authority?
A. The office of the comptroller of the currency
B. Federal trade communications commission
C. Dept of transportation
D. Dept of commerce
D. The Department of Commerce
132
Which of the following is NOT one of three broad categories of products offered by data brokers, as identified by the U.S. Federal Trade Commission (FTC)?
A. Research (such as information for understanding consumer trends).
B. Risk mitigation (such as information that may reduce the risk of fraud).
C. Location of individuals (such as identifying an individual from partial information).
D. Marketing (such as appending data to customer information that a marketing company already has).
A. Research
133
what information did the red flag program clarification act of 2010 add to the original red flags rule?
A. the most common methods of identity theft
B. the definition of what constitutes a creditor
C. the process for proper dispoal of sensitive data
D. The components of an identity theft detection program.
B. the definition of what constitutes a creditor.
134
Although an employer may have a strong incentive or legal obligation to monitor employees’ conduct or behavior, some excessive monitoring may be considered an intrusion on employees’ privacy? Which of the following is the strongest example of excessive monitoring by the employer?
A. An employer who installs a video monitor in physical locations, such as a warehouse, to ensure employees are performing tasks in a safe manner and environment.
B. An employer who installs data loss prevention software on all employee computers to limit transmission of confidential company information.
C. An employer who installs video monitors in physical locations, such as a changing room, to reduce the risk of sexual harassment.
D. An employer who records all employee phone calls that involve financial transactions with customers completed over the phone.
C. cameras in changing rooms
135
which state first passed a law specifically regulating the collection of biometric data?
A. California.
B. Texas.
C. Illinois.
D. Washington.
Illionois passed the first
136
Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants’ postings on social media, ask questions about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.
Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle’s GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.
Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia’s concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it’s unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.
Regarding credit checks of potential employees, Celeste has a misconception regarding what?
A. Consent requirements.
B. Disclosure requirements.
C. Employment-at-will rules.
D. Records retention policies
Consent Requirement
137
SCENARIO -
Please use the following to answer the next question:
Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants’ postings on social media, ask questions about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.
Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle’s GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.
Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia’s concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it’s unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.
Which law will be most relevant to Felicia’s plan to ask applicants about drug addiction?
A. The Americans with Disabilities Act (ADA).
B. The Occupational Safety and Health Act (OSHA).
C. The Genetic Information Nondiscrimination Act of 2008.
D. The Health Insurance Portability and Accountability Act (HIPAA).
Americans with Disabilites Act
138
Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants’ postings on social media, ask questions about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.
Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle’s GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.
Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia’s concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it’s unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.
Based on Felicia’s Bring Your Own Device (BYOD) plan, the business consultant will most likely advise Felicia and Celeste to do what?
A. Reconsider the plan in favor of a policy of dedicated work devices.
B. Adopt the same kind of monitoring policies used for work-issued devices.
C. Weigh any productivity benefits of the plan against the risk of privacy issues.
D. Make employment decisions based on those willing to consent to the plan in writing.
D. Make employment decisions based on those willing to consent the the plan in writing
139
what privacy concept grants a consumer the right to view and correct errors on his or her credit report?
A. Access
B. Notice
C. Actoon
D. Choice
A. access
140
A company's employee wellness portal offers an app to track exercise activity via mobile devices, which of the following design techniques wold most inform users of their data privacy rights when using the app?
A. offer information about data collection and uses at key data entry points
B. Publish a privacy policy written in clear, concise, and understandable language
C. present a privacy policy to user during welness prohgram registration process
D. provide a link
C. present a privacy polocy at registration
141
Under the Fair Credit Reporting Act (FCRA), what must a person who is denied employment based upon his credit history receive?
A. A prompt notification from the employer.
B. An opportunity to reapply with the employer.
C. Information from several consumer reporting agencies (CRAs).
D. A list of rights from the Consumer Financial Protection Bureau (CFPB).
A. prompt notification from the employer
142
Which statement is FALSE regarding the provisions of the Employee Polygraph Protection Act of 1988 (EPPA)?
A. The EPPA requires that employers post essential information about the Act in a conspicuous location.
B. The EPPA includes an exception that allows polygraph tests in professions in which employee honesty is necessary for public safety.
C. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits.
D. Employers involved in the manufacture of controlled substances may terminate employees based on polygraph results if other evidence exists.
C. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits.
143
US federal laws protect individuals from employment discrimination based on all of the following except?
A. age
B. preggers
C. marital status
D. genetic information
C. marital status
144
Which statute is considered part of U.S. federal privacy law?
A. The Fair Credit Reporting Act.
B. SB 1386.
C. The Personal Information Protection and Electronic Documents Act.
D. The e-Privacy Directive.
Fair credit reporting act
145
In 2012, the White House and the FTC both issued reports advocating a new approach to privacy enforcement that can best be described as what?
A. Harm-based.
B. Self-regulatory.
C. Comprehensive.
D. Notice and choice.
C. comprehensive
146
FTC often negotiates consent decrees with companies found to be in violation of privacy principles. How does this benefit both parties involved?
A. it standardizes the amount of fines
B. it simplifies the audit requriements
C. it avoids potential harmful publicity
D. It spares the expense of going to trial .
D. It spares the expense of going to trial .
147
when developing a privacy program, which of the following relationships will most help a privacy professional develop useful guidance for the organization?
A. relationships with individuals within the privacy professional community who are able to share expertise and leading practices for different industries.
B. Relationships with clients, vendors, and customers whose data will be primarily collected and used throughout the organizatiinal prgroam
C. Relationships with company leaders responsible for approving, implementing and perioidically reviewing the corporate privacy program.
D. Relationships with individuals across company departments and at different levels in the organizations hierarchy
D. Relationships with individuals across company departments and at different levels in the organizations hierarchy
148
FERPA requires schools to do what except?
A. Verify the identity of students who make requests for access to their records.
B. Provide students with access to their records within a specified amount of time.
C. Respond to all reasonable student requests regarding explanation of their records.
D. Obtain student authorization before releasing directory information in their records.
B. provide students with access to their records within a specified amount of time.
149
Chanel Hair Studio is a busy high end salon. CHanel implements AI
whats the biggest privacy concern related to Chanel's use of their new software?
A. Scanning a client social media acconts
B. Calculating client profile address distance from the salon
C. using CL profile info
D. Assessing client tardiness
B. Calculating client profile address distance from the salo
150
Which of the following laws is NOT involved in the regulation of employee background checks?
A. The Civil Rights Act.
B. The Gramm-Leach-Bliley Act (GLBA).
C. The U.S. Fair Credit Reporting Act (FCRA).
D. The California Investigative Consumer Reporting Agencies Act (ICRAA).
B. the gram leach biley act
151
Which of the following scenarios would be most likely to violate the Fourth Amendment of the U.S. Constitution with regard to contact tracing?
A. A private employer conducting a voluntary contact-tracing program with its employees.
B. An employer asking employees if they have been diagnosed with or tested for COVID-19 before allowing them to physically enter the workplace.
C. A government program that installs a contact-tracing app on an individual's phone and collects data after providing notice and obtaining the individual’s consent.
D. A government program that automatically installs a contact-tracing app on an individual's phone and collects data without obtaining the individual’s consent.
D. A govt progream automatically installs a contacttracing app
152
Miraculous Healthcare is a large medical practice with multiple locations in California and Nevada. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.
For this new initiative, Miraculous is considering a product built by MedApps, a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices’ branding. MedApps provides technical support for the app, which it hosts in the cloud. MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service.
Riya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place.
Which of the following would accurately describe the relationship of the parties if they enter into a contract for use of the app?
A. Miraculous Healthcare would be the covered entity because its name and branding are on the app; MedApps would be a business associate because it is hosting the data that supports the app.
B. MedApps would be the covered entity because it built and hosts the app and all the data; Miraculous Healthcare would be a business associate because it only provides its brand on the app.
C. Miraculous Healthcare would be a covered entity because it is the healthcare provider; MedApps would also be a covered entity because the data in the app is being shared with it.
D. Miraculous Healthcare would be the covered entity because it is the healthcare provider; MedApps would be a business associate because it is providing a service to support Miraculous.
D. Miraculous would be the covered entity bc it is health care provider and Medapps would be a business associated.
153
Scenario: Miraculous Healthcare is a large medical practice with multiple locations in CA and NV. they are offering telehealth appts' virtual appts.
What HIPPA compliance issue would Miraculous have to consider before using the telehealth app?
A. HIPPA does not permit healthcare providers to use cloud host
B. HOPPA does not permit in person appt to be hostd in cloud
C. HIIPA would require Miraculous and MedApps to enter into bussiness associate
D. HIPAA would require Miraculous to obtain patient consent before in=person appt data can be shared with third parties.
D. HIPAA would require Miraculous to obtain patient consent before in=person appt data can be shared with third parties.
154
Scenario: Miraculous Healthcare is a large medical practice with multiple locations in CA and NV. they are offering telehealth appts' virtual appts.
What can Riya do to most minimize the privacy risks of using an app for telehealth appointments?
A. Require MedApps to de-identify all patient data
B. Prohibit Medapps from using subcontractors
C. Rqurie MedApps to submit a SOC2 report
D. Engage in active oversight of MEdApps
A. Require medals to de identifying
155
Scenario: Miraculous Healthcare is a large medical practice with multiple locations in CA and NV. they are offering telehealth appts' virtual appts.
If MedApps receives an access request under CCPA from a CA based user how should it handles the request?
A. MedApps should decline the request because Protected Health Information is not subject to CCPA.
B. MedApps should promptly verify the user's identity and provide the requested information.
C. MedApps should promptly forward the request to Miraculous for instructions on handling.
D. MedApps should decline the request because MedApps is not based in California.
C. MedApps should promplty forward the request to Miraculous for instructions on handling
156
Under what conditions will personal data processing be subject to the Virginia Consumer Data Protection Act (VCDPA) requirements for a documented data protection assessment?
A. If the data subject is younger than 13 years of age and the data is processed after January 1, 2023.
B. If the data processor processes personal data beyond the controller's instructions.
C. If the personal data is stored by a California-based third-party service provider.
D. If the personal data is processed for purposes of targeted advertising.
D. if the personal data is processed for purposes of targeted advertising
157
What was unique about the action that the Federal Trade Commission took against B.J.’s Wholesale Club in 2005?
A. It made third-party audits a penalty for policy violations.
B. It was based on matters of fairness rather than deception.
C. It was the first substantial U.S.-EU Safe Harbor enforcement.
D. It made user consent mandatory after any revisions of policy.
B. It was based on matters of fairness rather than deception.
158
What are the maximum statutory damages for violations of the Fair Credit Reporting Act?
A. $500 per violation
B. $1,000 per violation
C. $2,000 per violation
D. $5k
$1,000
159
A company based in the US receives info about its UK subsidiary employees in connection with HR services it provides.
How can the UK Company ensure an adequate level of data protection that would allow the restricted data transfer to continue?
SCC's!
160
The use of cookies on a website by a service provider is generally not deemed a ‘sale’ of personal information by CCPA, as long as which of the following conditions is met?
A. The third party stores personal information to trigger a response to a consumer’s request to exercise their right to opt in.
B. The analytics cookies placed by the service provider are capable of being tracked but cannot be linked to a particular consumer of that business.
C. The service provider retains personal information obtained in the course of providing the services specified in the agreement with the subcontractors.
D. The information collected by the service provider is necessary to perform debugging and the business and service provider have entered into an appropriate agreement.
C. the service provider retains personal information obtained in the course of providing the services specified in the agreement with the subcontractors.
161
Which of the following would NOT be considered a method of obtaining verifiable parental consent before collecting, using or disclosing personal information from children under the Children’s Online Privacy Protection Act (COPPA) of 1998?
A. Using a credit card, debit card, or other online payment system.
B. Having the parent call a toll-free telephone number staffed by trained personnel.
C. Having the parent sign a consent form and return it to the operator by postal mail, facsimile, or electronic scan.
D. Sending a text message to the parent explaining the intended uses of the information.
D. sending a text to the parent
162
Edward Snowden’s revelations regarding government programs collecting massive amounts of information about U.S. citizens and noncitizens led to the passage of which law?
A. Cybersecurity law
B. Foreign Intellegence surveillance act
C. USA Freedom Act
D. Cloud act
C. USA Freedom Act
163
in 2011, the FTC announced a settlement with Google regarding its social networking service Google Buzz. The FTC alleged that in the process of launching the service, the company did all of the following except?
A. violates its own policies
B. engaged in deceptive trade
C. Failed to comply with safe harbor
D. Failed to employ sufficient security safeguards
D. failed to employ sufficient security safeguards
164
Which of the following is a U.S. surveillance program authorized under Section 702 of the Foreign Intelligence Surveillance Act Amendments Act?
A. Upstream
B. NATGRID
C. Project 6
D. SORM
A. upstream
165
ABC Corp. is a consumer-facing business that uses a number of vendors to help operate its business, such as payment processors, cloud service providers, and an e-commerce platform.
If ABC Corp. were subject to the California Consumer Privacy Act (CCPA), what would it have to do in order to avoid having its transfer of personal information to vendors be considered a "sale" of personal information?
A. Register its transfer of personal information with the California Attorney General's office.
B. Ensure that it does not receive any monetary consideration from the vendors for the personal information.
C. Enter into a contract with the vendors containing restrictions on what they can do with the personal information.
D. State in its privacy policy that it will only transfer the personal information to vendors who provide the business with certain services.
C. Enter into a contract with the vendors containing restrictions on what they can do with the personal information.
166
In a data sharing arrangement, which of the following organizations would determine the rules that apply to the processing of the data being shared?
A. The business associate.
B. The hosting provider.
C. The data processor.
D. The data controller.
D. the Data controller
167
Your company's most brilliant engineer develops a new Artificial Intelligence (AI) technology he calls OXO-2576. The engineer wants to begin using it to analyze all of the data your company collects about its customers. As the company's privacy professional, you have some privacy concerns about using AI technology with customer data.
Which of the following is the best recommendation to offer the company?
A. Do not publicize that the company is using AI technology with its customer data.
B. De-identify the data collected by the AI technology so it cannot be linked to any individuals.
C. Automate the AI technology so there is no human seeing or handling the customers' personal information.
D. Use the AI technology only for employees, as companies are given more leeway when handling employee personal information.
B. De-identify the data collected by the AI technology so it cannot be linked to any individuals.
168
Which of the following would best provide a sufficient consumer disclosure under the Fair Credit Reporting Act (FCRA) prior to a consumer report being obtained for employment purposes?
A. A standalone notice document.
B. A notice provision in a mailed offer letter.
C. A notice provision in an electronic employment application.
D. A verbal notice provided with a conditional offer of employment.
A. A standalone notice document.
169
Which of the following state laws has an entity exemption for organizations subject to the Gramm-Leach-Bliley Act (GLBA)?
A. Nevada Privacy Law.
B. California Privacy Rights Act.
C. California Consumer Privacy Act.
D. Virginia Consumer Data Protection Act
D. Virginia Consumer Data Protection Act
170
The federal Driver's Privacy Protection Act (DPPA) prohibits the release or use of what type of personal information?
A. Information obtained from rental car agencies identifying drivers license numbers.
B. Information obtained from police departments concerning a driver's traffic violations or accidents.
C. Information obtained from automobile dealers regarding driver's name and Social Security Number.
D. Information obtained from State motor vehicle departments in connection with a motor vehicle record.
D. Information obtained from State motor vehicle departments in connection with a motor vehicle record.
171
The Clarifying Lawful Overseas Use of Data (CLOUD) Act is primarily intended to do which of the following?
A. Codify a treaty with the EU that permits the cross-border transfer of personal information from the EU to the United States in compliance with the General Data Protection Regulation (GDPR).
B. Update the legal mechanisms through which federal law enforcement may obtain data that service providers maintain in a foreign country.
C. Establish baseline privacy obligations that U.S. companies must comply with for personal information, even if stored in a foreign country.
D. Prohibit foreign companies from using the personal information of U.S. citizens without their consent.
B. Update the legal mechanisms through which federal law enforcement may obtain data that service providers maintain in a foreign country.
172
Which of the following most accurately describes the regulatory status of pandemic contact-tracing apps in the United States?
A. Contact tracing is covered exclusively under the Health Insurance Portability and Accountability Act (HIPAA).
B. Contact tracing is regulated by the U.S. Centers for Disease Control and Prevention (CDC).
C. Contact tracing is subject to a patchwork of federal and state privacy laws.
D. Contact tracing is not regulated in the United States.
C. Contact tracing is subject to a patchwork of federal and state privacy laws.
173
scenario
Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence
Under Section 702 of FISA, the NSA may do which of the following without a Foreign Intelligence Surveillance Court warrant?
A. Compel AWS to disclose Jane's email communications with a Taiwanese national residing in Taiwan.
B. Compel AWS to disclose email communications between two Chinese nationals residing in the EU.
C. Compel Microsoft to disclose Patrick's Skype calls with a Brazilian national living in Peru.
D. Compel Jane to disclose the PIN code for her corporate mobile phone.
B. Compel AWS to disclose email communications between two Chinese nationals residing in the EU.
174
scenario
Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence
Before inspecting any GPS geolocation data from Jane's corporate mobile phone, Patrick should first do what?
A. Obtain prior consent from Jane pursuant to the Telephone Consumer Protection Act
B. Revise emerging workplace privacy best practices with a reputable advocacy organization.
C. Obtain a subpoena from law enforcement, or a court order, directing Jones Labs to collect the GPS geolocation data.
D. Ensure that such activity is permitted under Jane's employment contract or the company's employee privacy policy.
D. Ensure that such activity is permitted under Jane's employment contract or the company's employee privacy policy.
175
SCENARIO -
Please use the following to answer the next question:
Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence. Unbeknownst to Patrick, the FBI has already received a hint from anonymous whistleblower, and jointly with the National Security Agency is investigating Jane's possible implication in a sophisticated foreign espionage campaign.
Ever since the pandemic, Jane has been working from home. To complete her daily tasks she uses her corporate laptop, which after each login conspicuously provides notice that the equipment belongs to Jones Labs and may be monitored according to the enacted privacy policy and employment handbook. Jane also has a corporate mobile phone that she uses strictly for business, the terms of which are defined in her employment contract and elaborated upon in her employee handbook. Both the privacy policy and the employee handbook are revised annually by a reputable California law firm specializing in privacy law. Jane also has a personal iPhone that she uses for private purposes only.
Jones Labs has its primary data center in San Francisco, which is managed internally by Jones Labs engineers. The secondary data center, managed by Amazon AWS, is physically located in the UK for disaster recovery purposes. Jones Labs' mobile devices backup is managed by a mid-sized mobile defense company located in Denver, which physically stores the data in Canada to reduce costs. Jones Labs MS Office documents are securely stored in a Microsoft Office 365 data center based in Ireland. Manufacturing data of Jones Labs is stored in Taiwan and managed by a local supplier that has no presence in the U.S.
When storing Jane's fingerprint for remote authentication. Jones Labs should consider legality issues under which of the following?
A. The Privacy Rule of the HITECH Act.
B. The California IoT Security Law (SB 327).
C. The applicable state law such as Illinois BIPA.
D. The federal Genetic Information Nondiscrimination Act (GINA).
C. The applicable state law such as Illinois BIPA.
176
A financial services company install "bossware" software on its employees' remote computers to monitor performance. The software logs screenshots, mouse movements, and keystrokes to determine whether an employee is being productive. The software can also enable the computer webcams to record video footage.
Which of the following would best support an employee claim for an intrusion upon seclusion tort?
A. The webcam is enabled to record video any time the computer is turned on.
B. The company creates and saves a biometric template for each employee based upon keystroke dynamics.
C. The software automatically sends a notification to a supervisor any time the employee's mouse is dormant for more than five minutes.
D. The webcam records video of an employee using a company laptop to perform personal business while at a coffee shop during work hours.
A. The webcam is enabled to record video any time the computer is turned on.
177
SCENARIO -
Please use the following to answer the next question:
You are the privacy manager at a privately-owned U.S. company that produces an increasingly popular fitness app called GetFit. After users create an account with their contact information, the app uses a smartphone and a system of connected smartwatch sensors to track users when they exercise. It collects information on location when users walk or run outdoors, as well as general health information (such as heart rate) during all exercise sessions. The app also collects credit card information for payment of the monthly subscription fee.
Who, if anyone, would the company have to notify immediately following the security team's first call to the privacy manager on Friday?
A. It would have to notify each state's attorney general's office since the app is marketed to consumers.
B. It would not have to notify anyone since malware intrusions do not trigger breach notification laws.
C. It would have to notify the Federal Trade Commission (FTC) since there was an incident involving a mobile app.
D. It would not have to notify anyone since there was no unauthorized access of user data that would be considered personal information under applicable st
D. It would not have to notify anyone since there was no unauthorized access of user data that would be considered personal information under applicable state laws.
178
SCENARIO -
Please use the following to answer the next question:
You are the privacy manager at a privately-owned U.S. company that produces an increasingly popular fitness app called GetFit. After users create an account with their contact information, the app uses a smartphone and a system of connected smartwatch sensors to track users when they exercise. It collects information on location when users walk or run outdoors, as well as general health information (such as heart rate) during all exercise sessions. The app also collects credit card information for payment of the monthly subscription fee.
Based on the information the security team provides on Monday morning, what is the company's notification obligation?
A. The company does not need to notify anyone since secure credit card information is not subject to breach notification laws.
B. The company does not need to notify anyone since the security team is not completely certain the attacker actually took the credit card information.
C. The company must notify its bank and the card brands under its PCI obligations, and potentially provide notice to individuals and state authorities. depending on state law.
D. The company must report the incident to the U.S. Secret Service since the incident involves financial information, followed by notice to individuals and some state authorities.
C. The company must notify its bank and the card brands under its PCI obligations, and potentially provide notice to individuals and state authorities. depending on state law.
179
Please use the following to answer the next question:
You are the privacy manager at a privately-owned U.S. company that produces an increasingly popular fitness app called GetFit. After users create an account with their contact information, the app uses a smartphone and a system of connected smartwatch sensors to track users when they exercise. It collects information on location when users walk or run outdoors, as well as general health information (such as heart rate) during all exercise sessions. The app also collects credit card information for payment of the monthly subscription fee.
How does the Monday evening discovery of the malware on the company's database server alter the company's notification obligations, if at all?
A. This discovery requires notice also be provided to the U.S. Dept. of Health and Human Services since the impacted information includes health information.
B. This discovery has no effect on the situation, since the user information does not include a social security number or driver's license number.
C. This discovery requires notice also be provided to the FTC since a health app is subject to the Health Breach Notification Rule.
D. This discovery has no effect on the situation, since all required notifications are already being provided.
C. This discovery requires notice also be provided to the FTC since a health app is subject to the Health Breach Notification Rule.
180
Please use the following to answer the next question:
You are the privacy manager at a privately-owned U.S. company that produces an increasingly popular fitness app called GetFit. After users create an account with their contact information, the app uses a smartphone and a system of connected smartwatch sensors to track users when they exercise. It collects information on location when users walk or run outdoors, as well as general health information (such as heart rate) during all exercise sessions. The app also collects credit card information for payment of the monthly subscription fee.
What answer should be given to the Chief Financial Officer's question?
A. "No, we do not have to provide a free credit monitoring offer since our breach notification obligations under HIPAA supersede state breach notification laws."
B. "No. we do not have to provide a free credit monitoring offer since the impacted information did not include social security numbers."
C. "Yes, we must include a free credit monitoring offer since this incident involves credit card information."
D. ''Yes, all breach notices must include a free credit monitoring offer."
What answer should be given to the Chief Financial Officer's question?
C. "Yes, we must include a free credit monitoring offer since this incident involves credit card information."
181
SCENARIO -
Please use the following to answer the next question:
You are the privacy manager at a privately-owned U.S. company that produces an increasingly popular fitness app called GetFit. After users create an account with their contact information, the app uses a smartphone and a system of connected smartwatch sensors to track users when they exercise. It collects information on location when users walk or run outdoors, as well as general health information (such as heart rate) during all exercise sessions. The app also collects credit card information for payment of the monthly subscription fee.
What answer should be given to the General Counsel?
A. "Users can only sue us if we violate the state breach notification laws."
B. "This is a health data incident subject to HIPAA, so the private right of action does not apply."
C. "Users cannot sue us, because only federal and state regulators have enforcement authority in data breaches."
D. "Even if we provide notice, we may still face liability due to mishandling the data and causing potential harm to users."
D. "Even if we provide notice, we may still face liability due to mishandling the data and causing potential harm to users."
182
One of the most significant elements of Senate Bill No. 260 relating to Internet privacy is the introduction of what term into Nevada law?
A. Data Ethics.
B. Data Brokers.
C. Artificial Intelligence.
D. Transfer Mechanism.
Data brokers
183
Mega Corp. is a U.S.-based business with employees in California, Virginia, and Colorado. Which of the following must Mega Corp. comply with in regard to its human resources data?
A. California Privacy Rights Act.
B. California Privacy Rights Act and Virginia Consumer Data Protection Act.
C. California Privacy Rights Act and Colorado Privacy Act.
D. California Privacy Rights Act, Virginia Consumer Data Protection Act, and Colorado Privacy Act.
CPRA
184
A California resident has created an account on your company's online food delivery platform and placed several orders in the past month. Later she submits a data subject request to access her personal information under the California Privacy Rights Act.
Assuming that the CPRA is in force, which of the following data elements would your company NOT have to provide to the requester once her identity has been verified?
A. Inferences made about the individual for the company's internal purposes.
B. The loyalty account number assigned through the individual's use of the services.
C. The time stamp for the creation of the individual's account in the platform's database.
D. The email address submitted by the individual as part of the account registration process.
A. Inferences made about the individual for the company's internal purposes.
185
Topic 1
Nearly every state has a data breach notification law with a “compromise standard” for determining when notice is required. Which of the following is the best explanation of what a “compromise” is under this framework?
A. Compromise is defined by the degree to which the affected individuals suffered actual harm or had substantial risk of actual harm.
B. Compromise is defined by the case law in the jurisdiction and is typically based on the totality of the circumstances.
C. Compromise means that personally identifiable information was wrongfully accessed by third parties.
D. Compromise means that the confidentiality, security, or integrity of the information was violated.
D. Compromise means that the confidentiality, security, or integrity of the information was violated.
186
Once a breach has been definitively established, which task should be prioritized next?
A. Involving law enforcement and state Attorneys General.
B. Determining what was responsible for the breach and neutralizing the threat.
C. Providing notice to the affected parties so they can take precautionary measures.
D. Implementing remedial measures and evaluating how to prevent future breaches.
B. Determining what was responsible for the breach and neutralizing the threat.
187
our company, which sells its products in the United States and the European Union, is seeking to purchase cloud storage from a multinational cloud storage provider. The engineering team at your company wants to set up cloud data centers from the storage provider in both the United States and Germany.
Which of the following contractual provisions should be included in the contract to ensure the security of the personal data being stored in both data center locations?
A. An audit provision that allows the cloud storage provider to restrict an independent auditor’s access to the premises, documents and personnel involved in the cloud storage provider’s processing of the data.
B. A general authorization provision that allows the cloud storage provider to appoint subcontractors to help provide the cloud storage services.
C. A purpose limitation provision that requires the data, including personal information, to only be used for the contracted purposes.
D. A non-solicitation provision prohibiting both companies from seeking to hire employees of the other company.
C. A purpose limitation provision that requires the data, including personal information, to only be used for the contracted purposes.
188
When designing contact tracing apps in relation to COVID-19 or any other diagnosed virus, all of the following privacy measures should be considered EXCEPT?
A. Data retention.
B. Use limitations.
C. Opt-out choice.
D. User confidentiality.
Opt out choices
189
Under HIPAA and the HITECH Act, business associates who receive Protected Health Information (PHI) from covered entities must execute Business Associate Agreements and also?
A. Ensure there is a written agreement with the Department of Health and Human Services.
B. Provide a SOC 2 audit to support the warranties in the agreements.
C. Reaffirm the terms of the agreements on an annual basis.
D. Have any subcontractors enter into agreements.
D - Have any subcontractors enter into agreements.
190
Which of the following practices is NOT a key component of a data ethics framework?
A. Automated decision-making.
B. Preferability testing.
C. Data governance.
D. Auditing.
B. preferability testing
191
Under the Driver’s Privacy Protection Act (DPPA), which of the following parties would require consent of an individual in order to obtain his or her Department of Motor Vehicle information?
A. Law enforcement agencies performing investigations.
B. Insurance companies needing to investigate claims.
C. Attorneys gathering information related to lawsuits.
D. Marketers wishing to distribute bulk materials.
D. Marketers wishing to distribute bulk materials.
192
As a result of the Schrems II decision and CJEU opinion, what would the preferred course of action be if a Section 702 disclosure related to a foreign entity is required?
A. Ensure that the most recent SCC from the European Commission is being executed as a valid method of adequacy.
B. Provide 30 days notice to affected parties to allow the opportunity for filing a motion to quash with the court.
C. Seek redress from the court pursuing a protective order, since the consumer is unable to file a motion to quash.
D. Seek the advice of outside counsel and conduct a transfer impact assessment.
D. Seek the advice of outside counsel and conduct a transfer impact assessment.
193
Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law?
A. If the data involved was encrypted.
B. If the data involved was accessed but not exported.
C. If the entity was subject to the GLBA Safeguards Rule.
D. If the entity followed internal notification procedures compatible with state law.
C. If the entity was subject to the GLBA Safeguards Rule.
194
The CFO of a pharmaceutical company is duped by a phishing email and discloses many of the company’s employee personnel files to an online predator. The files include employee contact information, job applications, performance reviews, discipline records, and job descriptions.
Which of the following state laws would be an affected employee’s best recourse against the employer?
A. The state social security number confidentiality statute.
B. The state personnel record review statute.
C. The state data destruction statute.
D. The state UDAP statute.
B. The state personnel record review statute.
195
SuperMart is a large Nevada-based business that has recently determined it sells what constitutes “covered information” under Nevada’s privacy law, Senate Bill 260. Which of the following privacy compliance steps would best help SuperMart comply with the law?
A. Providing a mechanism for consumers to opt out of sales.
B. Implementing internal protocols for handling access and deletion requests.
C. Preparing a notice of financial incentive for any loyalty programs offered to its customers.
D. Reviewing its vendor contracts to ensure that the vendors are subject to service provider restrictions.
A. Providing a mechanism for consumers to opt out of sales.
196
Which of the following privacy rights is NOT available under the Colorado Privacy Act?
A. The right to access sensitive data.
B. The right to correct sensitive data.
C. The right to delete sensitive data.
D. The right to limit the use of sensitive data.
D. The right to limit the use of sensitive data.
197
Topic 1
The California Privacy Rights Act (CPRA) expands upon a number of topics previously introduced in the California Consumer Privacy Act (CCPA). Which of the following was already part of the CCPA?
A. Risk assessments.
B. Cybersecurity audits.
C. Private right of action.
D. Automated decision-making.
C private right of action
