
[Feb-2026] CIPP-US Exam Dumps - Free Demo & 365 Day Updates
Free Sales Ending Soon - Use Real CIPP-US PDF Questions
IAPP CIPP-US Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
NEW QUESTION # 20
SCENARIO
Please use the following to answer the next question:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer's privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the best reason for Cheryl to follow Janice's suggestion about classifying customer data?
- A. It will help employees stay better organized
- B. It will help the company meet a federal mandate
- C. It will prevent the company from collecting too much personal information (PI)
- D. It will increase the security of customers' personal information (PI)
Answer: D
Explanation:
Explanation/Reference: https://eits.uga.edu/access_and_security/infosec/pols_regs/policies/dcps/
NEW QUESTION # 21
SCENARIO
Please use the following to answer the next QUESTION
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low- level employees had access to all of the company's customer data,including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed.
Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
Based on the problems with the company's privacy security that Roberta identifies, what is the most likely cause of the breach?
- A. Mishandling of information caused by lack of access controls.
- B. Unintended disclosure of information shared with a third party.
- C. Fraud involving credit card theft at point-of-service terminals.
- D. Lost company property such as a computer or flash drive.
Answer: A
Explanation:
The scenario describes how the company had no adequate rules about access to customer information and how low-level employees had access to all of the company's customer data, including financial records. This indicates that the company did not implement proper access controls to limit who can access, use, or disclose customer information based on their roles and responsibilities. Access controls are one of the key elements of information security and privacy, as they help prevent unauthorized or inappropriate access to sensitive data.
Without access controls, the company's customer information was vulnerable to mishandling by employees or outsiders who could exploit the weaksecurity measures. Therefore, the most likely cause of the breach was mishandling of information caused by lack of access controls. References:
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Information Management from a U.S. Perspective, Section 4.2: Information Security, p. 113-114
* IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective
I.C: Describe the role of information security in privacy, Subobjective I.C.1: Identify the key elements of information security, p. 8
NEW QUESTION # 22
SCENARIO
Please use the following to answer the next question:
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low- level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on an as-needs-to-know basis.
This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information.
Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
What could the company have done differently prior to the breach to reduce their risk?
- A. Implemented a comprehensive policy for accessing customer information.
- B. Communicated requests for changes to users' preferences across the organization and with third parties.
- C. Looked for any persistent threats to security that could compromise the company's network.
- D. Honored the promise of its privacy policy to acquire information by using an opt-in method.
Answer: A
Explanation:
The scenario suggests that the company lacked adequate rules about access to customer information, which increased the risk of unauthorized access and data breach. Implementing a comprehensive policy for accessing customer information would have helped the company to limit the access to only those who need it for legitimate purposes, and to protect the confidentiality, integrity, and availability of the data. This is also one of the recommendations that Roberta made in her report.
NEW QUESTION # 23
Under the Fair Credit Reporting Act (FCRA), what must a person who is denied employment based upon his credit history receive?
- A. An opportunity to reapply with the employer.
- B. Information from several consumer reporting agencies (CRAs).
- C. A list of rights from the Consumer Financial Protection Bureau (CFPB).
- D. A prompt notification from the employer.
Answer: D
Explanation:
The FCRA requires that an employer who takes an adverse action against an applicant or employee based on information in a consumer report must provide a notice of the adverse action to the individual. The notice must include the name, address, and phone number of the CRA that supplied the report; astatement that the CRA did not make the decision and cannot explain why the adverse action was taken; a notice of the individual's right to dispute the accuracy or completeness of the information in the report; and a notice of the individual's right to obtain a free copy of the report from the CRA within 60 days12. References:
* CIPP/US Practice Questions (Sample Questions), Question 141, Answer A, Explanation A.
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4, Section 4.2, p.
101-102.
* Fair Credit Reporting Act (FCRA), Section 615, Subsection (a).
NEW QUESTION # 24
Within what time period must a commercial message sender remove a recipient's address once they have asked to stop receiving future e-mail?
- A. 15 days
- B. 10 days
- C. 21 days
- D. 7 days
Answer: B
Explanation:
According to the CAN-SPAM Act of 2003, a federal law that regulates commercial email messages, a commercial message sender must honor a recipient's opt-out request within 10 business days. The sender must provide a clear and conspicuous way for the recipient to opt out of receiving future emails, such as a link or an email address. The sender must not charge a fee, require the recipient to provide any personal information, or make the recipient take any steps other than sending a reply email or visiting a single web page to opt out. The sender must also not sell, exchange, or transfer the email address of the recipient who has opted out, unless it is necessary to comply with the law or prevent fraud.
NEW QUESTION # 25
A software company wants to use web scraping to collect personal data from professional networking websites in order to train an artificial intelligence program to evaluate Job applications. The company has identified several actions for limiting their potential legal liability regarding affected data subjects and professional networking websites. Which of the following would be the least effective action for helping them do this?
- A. Following the terms of use posted on professional networking websites that are scraped.
- B. Limiting the amount of the personally identifiable information they collect
- C. Adding a notice to the company website's terms of use disclosing the use of web scraping
- D. Decertifying the scraped data before selling it to any third parties.
Answer: C
Explanation:
Web scraping to collect personal data can pose significant legal and ethical risks, particularly when it involves professional networking sites or other platforms where terms of service (ToS) explicitly prohibit such activity.
To limit liability, the software company must take proactive measures to comply with applicable laws (such as privacy laws) and contractual obligations (e.g., terms of use on the scraped websites).
Adding a notice to the company website's terms of use would be the least effective action, as it does not address the legal and ethical issues associated with scraping data from third-party websites. Simply adding a notice about the company's use of scraping does not mitigate liability for violating the ToS of professional networking websites or violating privacy rights under laws like the GDPR or CCPA.
Explanation of Options:
* A. Following the terms of use posted on professional networking websites that are scraped:This is one of the most effective ways to limit legal liability. Violating ToS can result in lawsuits or legal penalties, so adhering to them is critical.
* B. Adding a notice to the company website's terms of use disclosing the use of web scraping:This is the least effective action. Including this notice on the company's own website does not address potential violations of third-party website ToS or the privacy rights of affected individuals.
* C. Limiting the amount of the personally identifiable information they collect:Minimizing the amount of data collected aligns with data protection principles, such as data minimization under the GDPR, and can reduce privacy risks.
* D. Deidentifying the scraped data before selling it to any third parties:Deidentifying or anonymizing data is a critical step for reducing legal liability and complying with privacy laws.
However, the company should also ensure that the deidentification is robust and irreversible.
References from CIPP/US Materials:
* GDPR Article 5: Establishes principles such as data minimization and accountability for data processing.
* IAPP CIPP/US Certification Textbook: Highlights the risks of web scraping and the importance of adhering to contractual obligations and privacy laws.
NEW QUESTION # 26
When may a financial institution share consumer information with non-affiliated third parties for marketing purposes?
- A. After disclosing marketing practices to customers and after giving them an opportunity to opt out.
- B. After disclosing information-sharing practices to customers and after giving them an opportunity to opt in.
- C. After disclosing information-sharing practices to customers and after giving them an opportunity to opt out.
- D. After disclosing marketing practices to customers and after giving them an opportunity to opt in.
Answer: C
Explanation:
https://www.ftc.gov/business-guidance/resources/how-comply-privacy-consumer-financial-information-rule-gramm-leach-bliley-act "If you share their NPI with nonaffiliated third parties outside of three exceptions (see "Exceptions"), you must give your consumers and customers an "opt-out notice" that clearly and conspicuously describes their right to opt out of the information being shared. An opt-out notice must be delivered with a privacy notice, and it can be part of the privacy notice."
NEW QUESTION # 27
SCENARIO
Please use the following to answer the next QUESTION
Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask questions about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.
Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.
Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results.
Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.
In any case, Celeste feels that all they need is common sense - like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.
Based on Felicia's Bring Your Own Device (BYOD) plan, the business consultant will most likely advise Felicia and Celeste to do what?
- A. Adopt the same kind of monitoring policies used for work-issued devices.
- B. Reconsider the plan in favor of a policy of dedicated work devices.
- C. Weigh any productivity benefits of the plan against the risk of privacy issues.
- D. Make employment decisions based on those willing to consent to the plan in writing.
Answer: C
Explanation:
BYOD is a practice that allows employees to use their own personal devices, such as smartphones, tablets, or laptops, for work-related purposes. BYOD can offer some benefits for both employers and employees, such as increased flexibility, convenience, and productivity. However, BYOD also poses significant privacy and security risks, such as data breaches, unauthorized access, loss or theft of devices, malware infections, and compliance challenges. Therefore, the business consultant will most likely advise Felicia and Celeste to weigh any productivity benefits of the plan against the risk of privacy issues, and to implement a comprehensive BYOD policy that addresses the following aspects:
* The scope and purpose of the BYOD program, including the types of devices, data, and applications that are allowed or prohibited.
* The roles and responsibilities of the employer and the employees, including the ownership, control, and access rights of the devices and the data.
* The security measures and controls that are required to protect the devices and the data, such as encryption, passwords, remote wipe, antivirus software, firewalls, and VPNs.
* The privacy expectations and obligations of the employer and the employees, such as the notice, consent, and disclosure requirements, the limits on data collection and monitoring, the retention and deletion policies, and the rights of access and correction.
* The legal and regulatory compliance requirements that apply to the BYOD program, such as the FTC Act, the GLBA, the HIPAA, the COPPA, the CCPA, and the GDPR.
* The incident response and reporting procedures that are followed in the event of a data breach, loss, or theft of a device, or any other privacy or security issue.
* The training and education programs that are provided to the employees to raise awareness and understanding of the BYOD policy and the best practices.
* The enforcement and audit mechanisms that are used to ensure compliance and accountability of the BYOD policy, such as sanctions, penalties, reviews, and audits. References:
* IAPP CIPP/US Body of Knowledge, Section III.C.2
* IAPP CIPP/US Textbook, Chapter 3, pp. 113-115
* FTC Mobile Device Security
NEW QUESTION # 28
SCENARIO
Please use the following to answer the next QUESTION:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer's privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months,one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
Based on the scenario, which of the following would have helped Janice to better meet the company's needs?
- A. Spending more time understanding the company's information goals
- B. Creating a more comprehensive plan for implementing a new policy
- C. Explaining the importance of transparency in implementing a new policy
- D. Removing the financial burden of the company's employee training program
Answer: A
Explanation:
According to the Wiley study guide, one of the steps in developing a privacy policy is to conduct a privacy assessment, which involves identifying the organization's information goals and needs, as well as the legal and regulatory requirements that apply to its data collection and use practices3. By spending more time understanding the company's information goals, Janice would have been able to tailor the privacy policy to fit the company's business model and customer expectations, while still complying with the relevant privacy laws and standards. This would have also helped Janice to address Cheryl's concerns about the impact of the policy on the company's operations and customer relationships, and to propose solutions that balance privacy protection and service delivery.
References:
1: https://iapp.org/certify/cippus/
2: https://iapp.org/certify/get-certified/cippus/
3:
https://www.wiley.com/en-be/IAPP+CIPP+US+Certified+Information+Privacy+Professional+Study+Guide-p-9
4:
https://www.techtarget.com/searchsecurity/quiz/10-CIPP-US-practice-questions-to-test-your-privacy-knowledge
5: https://www.study4exam.com/iapp/free-cipp-us-questions
https://www.passitcertify.com/iapp/cipp-us-questions.html
NEW QUESTION # 29
The Video Privacy Protection Act of 1988 restricted which of the following?
- A. When downloading of copyrighted audio visual materials is allowed
- B. Which purchase records of audio visual materials may be disclosed
- C. When a user's viewing of online video content can be monitored
- D. Who advertisements for videos and video games may target
Answer: B
Explanation:
The VPPA was enacted to prevent the wrongful disclosure of personally identifiable information (PII) concerning any consumer of a video tape service provider. PII includes information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider. The VPPA prohibits such disclosure, except in certain limited circumstances, such as with the consumer's informed, written consent, or pursuant to a law enforcement warrant, subpoena, or court order. The VPPA also allows the disclosure of the names and addresses of consumers, but not the title, description, or subject matter of any video tapes or other audio visual material, for the exclusive use of marketing goods and services directly to the consumer, unless the consumer has opted out of such disclosure.
NEW QUESTION # 30
Which federal act does NOT contain provisions for preempting stricter state laws?
- A. The Children's Online Privacy Protection Act (COPPA)
- B. The Fair and Accurate Credit Transactions Act (FACTA)
- C. The Telemarketing Consumer Protection and Fraud Prevention Act
- D. The CAN-SPAM Act
Answer: C
Explanation:
Explanation
NEW QUESTION # 31
Which of the following federal agencies does NOT enforce the Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA)?
- A. The Department of Health and Human Services
- B. The Office of the Comptroller of the Currency
- C. The Federal Trade Commission
- D. The Consumer Financial Protection Bureau
Answer: A
Explanation:
* The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA) is a federal regulation that requires any person or entity that maintains or possesses consumer information derived from consumer reports to dispose of such information in a secure and proper manner1.
* The Disposal Rule aims to protect consumers from identity theft and fraud by preventing unauthorized access to or use of their personal information1.
* The Disposal Rule is enforced by several federal agencies, depending on the type and sector of the entity that is subject to the rule1. These agencies include:
* The Federal Trade Commission (FTC), which has general authority over most entities that are not specifically regulated by other agencies2.
* The Consumer Financial Protection Bureau (CFPB), which has authority over consumer financial products and services, such as banks, credit unions, lenders, debt collectors, and credit reporting agencies3.
* The Office of the Comptroller of the Currency (OCC), which has authority over national banks and federal savings associations4.
* The Federal Deposit Insurance Corporation (FDIC), which has authority over state-chartered banks that are not members of the Federal Reserve System and state-chartered savings associations5.
* The Board of Governors of the Federal Reserve System (FRB), which has authority over state- chartered banks that are members of the Federal Reserve System, bank holding companies, and certain nonbank subsidiaries of bank holding companies.
* The National Credit Union Administration (NCUA), which has authority over federally insured credit unions.
* The Securities and Exchange Commission (SEC), which has authority over brokers, dealers, investment companies, and investment advisers.
* The Commodity Futures Trading Commission (CFTC), which has authority over commodity futures and options markets and intermediaries.
* The Department of Health and Human Services (HHS) is NOT one of the federal agencies that enforces the Disposal Rule under FACTA. HHS has authority over health information privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), but not under FACTA.
References: 1: Disposing of Consumer Report Information? Rule Tells How 2: FTC Enforcement 3: CFPB Enforcement 4: OCC Enforcement 5: FDIC Enforcement : [FRB Enforcement] : [NCUA Enforcement] :
[SEC Enforcement] : [CFTC Enforcement] : [HHS Enforcement]
NEW QUESTION # 32
SCENARIO
Please use the following to answer the next QUESTION
Noah is trying to get a new job involving the management of money. He has a poor personal credit rating, but he has made better financial decisions in the past two years.
One potential employer, Arnie's Emporium, recently called to tell Noah he did not get a position. As part of the application process, Noah signed a consent form allowing the employer to request his credit report from a consumer reporting agency (CRA). Noah thinks that the report hurt his chances, but believes that he may not ever know whether it was his credit that cost him the job. However, Noah is somewhat relieved that he was not offered this particular position. He noticed that the store where he interviewed was extremely disorganized. He imagines that his credit report could still be sitting in the office, unsecured.
Two days ago, Noah got another interview for a position at Sam's Market. The interviewer told Noah that his credit report would be a factor in the hiring decision. Noah was surprised because he had not seen anything on paper about this when he applied.
Regardless, the effect of Noah's credit on his employability troubles him, especially since he has tried so hard to improve it. Noah made his worst financial decisions fifteen years ago, and they led to bankruptcy. These were decisions he made as a young man, and most of his debt at the time consisted of student loans, credit card debt, and a few unpaid bills - all of which Noah is still working to pay off. He often laments that decisions he made fifteen years ago are still affecting him today.
In addition, Noah feels that an experience investing with a large bank may have contributed to his financial troubles. In 2007, in an effort to earn money to help pay off his debt, Noah talked to a customer service representative at a large investment company who urged him to purchase stocks. Without understanding the risks, Noah agreed. Unfortunately, Noah lost a great deal of money.
After losing the money, Noah was a customer of another financial institution that suffered a large security breach. Noah was one of millions of customers whose personal information was compromised. He wonders if he may have been a victim of identity theft and whether this may have negatively affected his credit.
Noah hopes that he will soon be able to put these challenges behind him, build excellent credit, and find the perfect job.
Based on the scenario, which legislation should ease Noah's worry about his credit report as a result of applying at Arnie's Emporium?
- A. The Privacy Rule under the Gramm-Leach-Bliley Act (GLBA).
- B. The Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA).
- C. The Red Flags Rule under the Fair and Accurate Credit Transactions Act (FACTA).
- D. The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA).
Answer: B
NEW QUESTION # 33
Which of the following best describes the ASIA-Pacific Economic Cooperation (APEC) principles?
- A. A code of responsibilities for medical establishments to uphold privacy laws.
- B. A baseline of marketers' minimum responsibilities for providing opt-out mechanisms.
- C. A bill of rights for individuals seeking access to their personal information.
- D. An international court ruling on personal information held in the commercial sector.
Answer: D
Explanation:
The APEC principles are part of the APEC Privacy Framework, which is an inter-governmental agreement among the 21 member economies of the Asia-Pacific Economic Cooperation (APEC) to promote information privacy protection and the free flow of information in the region. The APEC Privacy Framework consists of four parts: a preamble, a scope, a set of nine information privacy principles, and an implementation section.
The APEC information privacy principles are:
* Preventing harm: Personal information controllers should take reasonable steps to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, and to address the risks and challenges posed by specific technologies and business practices.
* Notice: Personal information controllers should provide clear and easily accessible statements about their personal information handling practices, including the types of personal information they collect, the purposes for which they collect it, the types of third parties to which they disclose it, the choices and means they offer individuals for limiting the use and disclosure of their personal information, and how they can contact the personal information controller with inquiries or complaints.
* Collection limitation: Personal information controllers should limit the collection of personal information to what is relevant for the purposes of collection and should collect personal information by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned.
* Use limitation: Personal information controllers should use personal information only for the purposes for which it was collected or for purposes that a reasonable person would consider appropriate in the circumstances, and should retain personal information only as long as necessary to fulfill the stated purposes or as required by law or regulation.
* Choice: Personal information controllers should offer individuals choices and means to limit the use and disclosure of their personal information, where appropriate, and should respect the choices made by individuals.
* Integrity of personal information: Personal information controllers should take reasonable steps to ensure that personal information is accurate, complete, and up-to-date for the purposes for which it is used.
* Security safeguards: Personal information controllers should protect personal information with reasonable security safeguards against risks such as loss, unauthorized access, destruction, misuse, modification, and disclosure.
* Access and correction: Personal information controllers should give individuals the ability to access and, where appropriate, correct their personal information that is under their control, subject to reasonable limitations, such as where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the legitimate rights of persons other than the individual would be violated.
* Accountability: Personal information controllers should be accountable for complying with the privacy principles and should have in place mechanisms to ensure their implementation and compliance.
The APEC Privacy Framework is not a binding legal instrument, but rather a voluntary and flexible arrangement that allows each member economy to implement the principles according to its own domestic laws and regulations, applicable international frameworks, and cultural and social values. The APEC Privacy Framework also provides for cross-border cooperation and information sharing among member economies, as well as the development of mechanisms to facilitate the cross-border transfer of personal information,such as the APEC Cross-Border Privacy Rules (CBPR) System and the APEC Privacy Recognition for Processors (PRP) System. These mechanisms are based on a common set of rules and standards derived from the APEC Privacy Framework, and are intended to enhance the protection of personal information that flows across borders and to increase the interoperability among different privacy regimes in the region and beyond. References:
* APEC Privacy Framework (2015)
* APEC Cross-Border Privacy Rules (CBPR) System
* APEC Privacy Recognition for Processors (PRP) System
* APEC Privacy Framework: A New Model for Transborder Data Flows
NEW QUESTION # 34
Which of the following best describes what a "private right of action" is?
- A. The right of individuals harmed by a violation of a law to file a lawsuit against the violation.
- B. The right of individuals to keep their information private.
- C. The right of individuals harmed by data processing to have their information deleted.
- D. The right of individuals to submit a request to access their information.
Answer: A
Explanation:
A private right of action is a legal provision that grants individuals the ability to bring a lawsuit against a party that has wronged them and to seek redress for the harm that they have suffered. A private right of action is a fundamental component of the U.S. judicial system and an essential element of enforcingprivacy rights.
Privacy advocates argue that a private right of action is necessary to hold perpetrators of privacy violations accountable and to address the limitations of the FTC's enforcement authority. However, businesses are concerned that a private right of action would lead to a proliferation of frivolous lawsuits that would burden responsible data processors and impede innovation. References:
* U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 2, Section 2.3.3, pp. 35-36.
* How to end the deadlock on the private right of action by Paula Bruening, IAPP Privacy Perspectives, Jan 20, 2022.
* Private Right of Action (Legal Definition & Examples) by Lawrina, accessed on Jan 25, 2022.
NEW QUESTION # 35
SCENARIO
Please use the following to answer the next question:
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low- level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on an as-needs-to-know basis.
This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information.
Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
Which principle of the Consumer Privacy Bill of Rights, if adopted, would best reform the company's privacy program?
- A. Consumers have a right to exercise control over how companies use their personal data.
- B. Consumers have a right to correct personal data in a manner that is appropriate to the sensitivity.
- C. Consumers have a right to easily accessible information about privacy and security practices.
- D. Consumers have a right to reasonable limits on the personal data that a company retains.
Answer: D
Explanation:
The Consumer Privacy Bill of Rights is a set of principles proposed by the Obama administration in 2012 to protect the privacy of consumers online and offline. The principles are based on the Fair Information Practice Principles, which are widely accepted as the foundation of privacy protection. One of the principles is the right to reasonable limits on the personal data that a company retains, which means that companies should collect and keep only the personal data they need for legitimate purposes, and dispose of it securely when it is no longer needed. This principle would best reform the company's privacy program in the scenario, as it would address the major concerns that Roberta identified in her report, such as the lack of rules and procedures for purging and destroying outdated data, and the excessive access to customer information by low-level employees. By implementing reasonable limits on the personal data that the company retains, the company would reduce the risk of data breaches, enhance customer trust, and comply with state breach notification laws.
NEW QUESTION # 36
What was the primary reason for the creation of HIPAA?
- A. To introduce protected health information security measures.
- B. To create a common database within healthcare systems for patient diagnosis and prescription management.
- C. To increase the efficiency of electronic healthcare payments.
- D. To extend privacy laws to business associates within health care.
Answer: C
Explanation:
Although HIPAA contains extensive privacy protection, the law is mainly adopted to increase the efficiency of (electronic) healthcare payments.
NEW QUESTION # 37
What was the original purpose of the Foreign Intelligence Surveillance Act?
- A. To further define what information can reasonably be under surveillance in public places under the USA PATRIOT Act, such as Internet access in public libraries.
- B. To further clarify when a warrant is not required for a wiretap performed internally by the telephone company outside the suspect's home, stemming from the Olmstead v. United States decision.
- C. To further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution.
- D. To further clarify a reasonable expectation of privacy stemming from the Katz v. United States decision.
Answer: C
Explanation:
The Foreign Intelligence Surveillance Act (FISA) was enacted in 1978 in response to revelations of widespread privacy violations by the federal government under President Nixon. It established procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign power1 The original purpose of FISA was to further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution, which grants the president the power to conduct foreign affairs and defend the nation23 FISA was intended to balance the need for collecting foreign intelligence information with the protection of privacy and civil liberties of
U.S. persons4 References: https://www.intelligence.gov/foreign-intelligence-surveillance-act
https://www.intelligence.gov/foreign-intelligence-surveillance-act/1234-categories-of-fisa
NEW QUESTION # 38
Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.
Because it is a HIPPA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S. Department of Health and Human Services about the breach.
Which statement accurately describes SMH's notification responsibilities?
- A. If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.
- B. If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate
- C. If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.
- D. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.
Answer: D
Explanation:
notification to individuals in the state of New York.
NEW QUESTION # 39
More than half of U.S. states require telemarketers to?
- A. Provide written contracts for customer transactions
- B. Identify themselves at the beginning of a call
- C. Register with the state before conducting business
- D. Obtain written consent from potential customers
Answer: C
Explanation:
" For example, more than half the states require that telemarketers obtain a license or register with the state.39" Excerpt From: "IAPP_US_TB_US-Private-Sector-Privacy-3E_1.0." Apple Books.
"states may require that a written contract be created for certain transaction".
Excerpt From: "IAPP_US_TB_US-Private-Sector-Privacy-3E_1.0." Apple Books.
NEW QUESTION # 40
What practice do courts commonly require in order to protect certain personal information on documents, whether paper or electronic, that is involved in litigation?
- A. Hashing
- B. Redaction
- C. Deletion
- D. Encryption
Answer: B
NEW QUESTION # 41
Which action is prohibited under the Electronic Communications Privacy Act of 1986?
- A. Monitoring all employee telephone calls
- B. Accessing stored communications with the consent of the sender or recipient of the message
- C. Intercepting electronic communications and unauthorized access to stored communications
- D. Monitoring employee telephone calls of a personal nature
Answer: C
Explanation:
The Electronic Communications Privacy Act of 1986 (ECPA) is a federal law that protects the privacy of wire, oral, and electronic communications while they are being made, in transit, or stored on computers. The ECPA has three titles: Title I prohibits the intentional interception, use, or disclosure of wire, oral, or electronic communications, except for certain exceptions, such as consent, provider protection, or law enforcement purposes. Title II, also known as the Stored Communications Act (SCA), prohibits the unauthorized access to or disclosure of stored wire or electronic communications, such as email, voicemail, or online messages, except for certain exceptions, such as consent, provider protection, or law enforcement purposes. Title III regulates the installation and use of pen register and trap and trace devices, which record the numbers dialed to or from a telephone line, but not the content of the communications. Therefore, the action that is prohibited under the ECPA is intercepting electronic communications and unauthorized access to stored communications, which are covered by Title I and Title II of the Act, respectively.
NEW QUESTION # 42
Which is an exception to the general prohibitions on telephone monitoring that exist under the U.S. Wiretap Act?
- A. Inter-company communications exception
- B. Internet calls exception
- C. Call center exception
- D. Ordinary course of business exception
Answer: D
NEW QUESTION # 43
Which of the following would NOT constitute an exception to the authorization requirement under the HIPAA Privacy Rule?
- A. Disclosing health information needed to treat a medical emergency.
- B. Disclosing health information to file a child abuse report.
- C. Disclosing health information for public health activities.
- D. Disclosing health information needed to pay a third party billing administrator.
Answer: A
NEW QUESTION # 44
......
The CIPP-US certification exam is administered by the International Association of Privacy Professionals (IAPP), a non-profit organization that is dedicated to promoting and advancing privacy professionals worldwide. The IAPP is the largest and most comprehensive global information privacy community and resource, providing training, certification, and networking opportunities to privacy professionals worldwide. The CIPP-US certification exam is just one of the many certification programs offered by the IAPP, which also includes the CIPP/E (Europe), CIPP/Canada (Canada), and CIPP/Asia (Asia-Pacific) certification programs.
CIPP-US Dumps - Pass Your Certification Exam: https://quiztorrent.testbraindump.com/CIPP-US-exam-prep.html
