100% Pass Guaranteed Accurate CIPP-US Answers 365 Days Free Updates [Q12-Q34]

Share

100% Pass Guaranteed Accurate CIPP-US Answers 365 Days Free Updates

CIPP-US DUMPS Q&As with Explanations Verified & Correct Answers


The CIPP/US certification is highly respected in the privacy industry and is recognized as a mark of excellence in the field of privacy and data protection. It demonstrates to employers and clients that the holder has the knowledge and skills to manage privacy risks and comply with privacy laws and regulations in the United States.


IAPP CIPP-US exam is a highly regarded certification for privacy professionals, and passing the exam is an essential step towards building a successful career in privacy. CIPP-US exam tests the candidate's knowledge of the laws and regulations governing privacy in the US, including the Federal Trade Commission Act, the Health Insurance Portability and Accountability Act, and the Children's Online Privacy Protection Act, among others. CIPP-US exam also covers data protection, data privacy management, and ethical considerations related to privacy.

 

NEW QUESTION # 12
A student has left high school and is attending a public postsecondary institution. Under what condition may a school legally disclose educational records to the parents of the student without consent?

  • A. If the student has not yet turned 18 years of age
  • B. If the student is in danger of academic suspension
  • C. If the student is still a dependent for tax purposes
  • D. If the student has applied to transfer to another institution

Answer: C

Explanation:
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of students' educational records. FERPA generally requires schools to obtain written consent from students before disclosing their records to third parties, such as parents. However, FERPA allows some exceptions to this rule, such as when the disclosure is for health or safety emergencies, or when the student is still a dependent for tax purposes. According to FERPA, a school may disclose educational records to the parents of a student who is claimed as a dependent on the parents' most recent federal income tax return, without the student's consent. This exception applies regardless of the student's age or enrollment status at a postsecondary institution. References:
* IAPP CIPP/US Body of Knowledge, Section III, C, 2
* [IAPP CIPP/US Study Guide, Chapter 3, Section 3.5]
* [FERPA, 34 CFR § 99.31(a)(8)]


NEW QUESTION # 13
Which of the following types of information would an organization generally NOT be required to disclose to law enforcement?

  • A. Information about medication errors under the Food, Drug and Cosmetic Act
  • B. Money laundering information under the Bank Secrecy Act of 1970
  • C. Personal health information under the HIPAA Privacy Rule
  • D. Information about workspace injuries under OSHA requirements

Answer: C

Explanation:
The HIPAA Privacy Rule generally prohibits covered entities and business associates from disclosing protected health information (PHI) to law enforcement without the individual's authorization, unless one of the exceptions in 45 CFR ?164.512 applies. These exceptions include disclosures required by law, disclosures for law enforcement purposes, disclosures about victims of abuse, neglect or domestic violence, disclosures for health oversight activities, disclosures for judicial and administrative proceedings, disclosures for research purposes, disclosures to avert a serious threat to health or safety, disclosures for specialized government functions, disclosures for workers' compensation, and disclosures to coroners and medical examiners. None of these exceptions apply to the type of information in option D, which is personal health information that is not related to any of the above purposes. Therefore, an organization would generally not be required to disclose such information to law enforcement under the HIPAA Privacy Rule.


NEW QUESTION # 14
SCENARIO
Please use the following to answer the next QUESTION :
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop. "Doing your network?" Matt asked hopefully.
"No," the boy said. "I'm filling out a survey."
Matt looked over his son's shoulder at his computer screen. "What kind of survey?" "It's asking QUESTIONS about my opinions."
"Let me see," Matt said, and began reading the list of QUESTIONS that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd. You're only ten." Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer QUESTIONS about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
How could the marketer have best changed its privacy management program to meet COPPA "Safe Harbor" requirements?

  • A. By receiving FTC approval for the content of its emails
  • B. By regularly assessing the security risks to consumer privacy
  • C. By making a COPPA privacy notice available on website
  • D. By participating in an approved self-regulatory program

Answer: D

Explanation:
COPPA safe harbor programs comprise industry groups that self-regulate their member-operators and establish their own guidelines and requirements that must guarantee the same or greater protection for children as the standards set forth in the COPPA rule.


NEW QUESTION # 15
SuperMart is a large Nevada-based business that has recently determined it sells what constitutes "covered information" under Nevada's privacy law, Senate Bill 260. Which of the following privacy compliance steps would best help SuperMart comply with the law?

  • A. Providing a mechanism for consumers to opt out of sales.
  • B. Reviewing its vendor contracts to ensure that the vendors are subject to service provider restrictions.
  • C. Preparing a notice of financial incentive for any loyalty programs offered to its customers.
  • D. Implementing internal protocols for handling access and deletion requests.

Answer: A

Explanation:
Nevada's privacy law, Senate Bill 260 (SB 260), is an amendment to the existing Nevada Revised Statutes (NRS) Chapter 603A that was enacted in June 2021 and will take effect on October 1, 2021. SB 260 expands the scope and definition of "covered information" under NRS 603A to include any information that identifies, relates to, describes, or is capable of being associated with a consumer, such as name, address, email, phone number, social security number, biometric data, geolocation data, and online identifiers. SB 260also grants Nevada consumers the right to opt out of the sale of their covered information by an operator of a website or online service that collects and maintains such information.
Under SB 260, an operator is defined as a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service, and purposefully directs its activities toward Nevada. A sale is defined as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. However, there are some exceptions to the definition of a sale, such as:
* If the consumer has consented to the sale after being provided with clear and conspicuous notice of the sale and the opportunity to opt out.
* If the sale is to a person who processes the covered information on behalf of the operator.
* If the sale is to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.
* If the sale is to a person for purposes that are consistent with the reasonable expectations of the consumer considering the context in which the consumer provided the covered information to the operator.
* If the sale is to a person who is an affiliate of the operator.
* If the sale is to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the operator's assets.
To comply with SB 260, an operator that sells covered information must provide a designated request address through which a consumer may submit a verified request to opt out of the sale. The designated request address may be an email address, a toll-free telephone number, or an Internet website. The operator must respond to the verified request within 60 days, and may extend the response period for an additional 30 days if reasonably necessary. The operator must also provide a notice to the consumer that identifies the categories of covered information that the operator collects and the categories of third parties to whom the operator may disclose the covered information.
Therefore, the best privacy compliance step for SuperMart to comply with SB 260 is to provide a mechanism for consumers to opt out of sales, as this is the core requirement of the law. Option A is the correct answer.
Option B is incorrect, as SB 260 does not grant consumers the right to access or delete their covered information, unlike other state privacy laws such as the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA).
Option C is incorrect, as SB 260 does not require operators to provide a notice of financial incentive for any loyalty programs offered to their customers, unlike the CCPA.
Option D is incorrect, as SB 260 does not impose service provider restrictions on the vendors of the operators, unlike the CCPA or the VCDPA.
References:
* [IAPP CIPP/US Study Guide], Chapter 10: State Data Security Laws, pp. 229-230.
* CIPP/US Practice Questions (Sample Questions), Question 33.


NEW QUESTION # 16
When developing a company privacy program, which of the following relationships will most help a privacy professional develop useful guidance for the organization?

  • A. Relationships with clients, vendors, and customers whose data will be primarily collected and used throughout the organizational program.
  • B. Relationships with company leaders responsible for approving, implementing, and periodically reviewing the corporate privacy program.
  • C. Relationships with individuals within the privacy professional community who are able to share expertise and leading practices for different industries.
  • D. Relationships with individuals across company departments and at different levels in the organization's hierarchy.

Answer: B


NEW QUESTION # 17
Which of the following federal agencies does NOT have regulatory authority related to privacy?

  • A. Consumer Financial Protection Bureau.
  • B. U.S. Department of Transportation.
  • C. U.S. Department of Commerce.
  • D. Federal Reserve

Answer: C

Explanation:
The U.S. Department of Commerce (DOC) is a federal agency that promotes economic growth, trade, and innovation, but does not have regulatory authority related to privacy. The DOC administers several voluntary privacy frameworks, such as the Privacy Shield, the APEC Cross- Border Privacy Rules, and the NIST Privacy Framework, but these are not legally binding or enforceable by the DOC. The DOC also participates in international privacy negotiations and dialogues, but does not have the power to issue rules or regulations on privacy matters.


NEW QUESTION # 18
Which of the following best describes an employer's privacy-related responsibilities to an employee who has left the workplace?

  • A. An employer has a responsibility to permanently delete or expunge all sensitive employment records to minimize privacy risks to both the employer and former employee.
  • B. An employer has a responsibility to maintain the security and privacy of any sensitive employment records retained for a legitimate business purpose.
  • C. An employer may consider any privacy-related responsibilities terminated, as the relationship between employer and employee is considered primarily contractual.
  • D. An employer has a responsibility to maintain a former employee's access to computer systems and company data needed to support claims against the company such as discrimination.

Answer: B


NEW QUESTION # 19
All of the following are tasks in the "Discover" phase of building an information management program EXCEPT?

  • A. Deciding how aggressive to be in the use of personal information
  • B. Understanding the laws that regulate a company's collection of information
  • C. Developing a process for review and update of privacy policies
  • D. Facilitating participation across departments and levels

Answer: C

Explanation:
The "Discover" phase of building an information management program is the first step in the process of creating a privacy framework. It involves identifying the types, sources, and flows of personal information within an organization, as well as the legal, regulatory, and contractual obligations that apply to it. The tasks in this phase include:
Conducting a data inventory and mapping exercise to document what personal information is collected, used, shared, and stored by the organization, and how it is protected. Assessing the current state of privacy compliance and risk by reviewing existing policies, procedures, and practices, and identifying any gaps or weaknesses. Understanding the laws that regulate a company's collection of information, such as the Fair Credit Reporting Act (FCRA), the Gramm- Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA). Facilitating participation across departments and levels to ensure that all stakeholders are involved and informed of the privacy goals and objectives, and to foster a culture of privacy awareness and accountability.
Developing a process for review and update of privacy policies is not a task in the "Discover" phase, but rather in the "Implement" phase, which is the third step in the process of creating a privacy framework. It involves putting the privacy policies and procedures into action, and ensuring that they are effective and compliant. The tasks in this phase include:
Developing a process for review and update of privacy policies to reflect changes in the business environment, legal requirements, and best practices, and to incorporate feedback from internal and external audits and assessments.
Implementing privacy training and awareness programs to educate employees and other relevant parties on their roles and responsibilities regarding privacy, and to promote a privacy-by-design approach.
Establishing privacy governance and oversight mechanisms to monitor and measure the performance and outcomes of the privacy program, and to ensure accountability and transparency. Developing a process for responding to privacy incidents and requests from data subjects, regulators, and other parties, and to mitigate and remediate any privacy risks or harms.


NEW QUESTION # 20
In what way is the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act intended to help consumers?

  • A. By requiring companies to allow consumers to opt-out of future e-mails.
  • B. By requiring a company to receive an opt-in before sending any advertising e-mails.
  • C. By providing consumers with free spam-filtering software.
  • D. By prohibiting companies from sending objectionable content through unsolicited e-mails.

Answer: A

Explanation:
The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is a law passed in 2003 that establishes the first national standards for the sending of commercial e-mail in the United States.
The law requires the Federal Trade Commission (FTC) to enforce its provisions. The law applies to any commercial e-mail message, which is defined as any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. The law does not apply to transactional or relationship messages, which are messages that facilitate an agreed-upon transaction or update a customer about an existing business relationship. The law also does not apply to non-commercial messages, such as political or charitable solicitations12 The CAN-SPAM Act is intended to help consumers by giving them more control over the commercial e-mails they receive. The law does not require companies to obtain prior consent (opt-in) from consumers before sending them commercial e-mails, but it does require companies to honor consumers' requests to stop receiving such e-mails (opt-out). The law specifies that each commercial e-mail message must include a clear and conspicuous notice of the opportunity to decline to receive further messages from the sender, and a valid physical postal address of the sender. The sender must provide a functioning return e-mail address or other Internet-based mechanism that allows the recipient to submit an opt-out request. The sender must honor the opt-out request within 10 business days and must not sell, exchange, or transferthe e-mail address of the opt-out requester to another entity, unless the other entity is acting as an agent of the sender12 By requiring companies to allow consumers to opt-out of future e-mails, the CAN-SPAM Act aims to reduce the amount of unwanted and unsolicited commercial e-mail that consumers receive, and to protect their privacy and preferences. The law also imposes other requirements on companies that send commercial e-mails, such as banning false or misleading header information and deceptive subject lines, requiring the identification of the message as an advertisement, and requiring the labeling of sexually explicit content. The law also authorizes the FTC and other federal agencies to enforce the law and impose civil penalties for violations12 References:
* Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Federal Privacy Laws, Section 4.4: The CAN-SPAM Act


NEW QUESTION # 21
SCENARIO
Please use the following to answer the next QUESTION:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer's privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the most likely risk of Fitness Coach, Inc. adopting Janice's first draft of the privacy policy?

  • A. Not being in standard compliance with applicable laws
  • B. Showing a lack of trust in the organization's privacy practices
  • C. Leaving the company susceptible to violations by setting unrealistic goals
  • D. Failing to meet the needs of customers who are concerned about privacy

Answer: C

Explanation:
Janice's first draft of the privacy policy may be too restrictive and impractical for Fitness Coach, Inc. to follow, given the nature of its business and the expectations of its customers. By limiting the retention of personal information to one year and requiring written consent for any third-party sharing, the policy may create operational challenges and customer dissatisfaction. For example, customers may want to resume their fitness programs after a long hiatus and expect the company to have their previous records and preferences.
Similarly, third-party contractors may need access to customer information to provide better services and tailor their classes. If the company fails to adhere to its own privacy policy, it may face legal consequences, reputational damage, and loss of trust from its customers. Therefore, the company should adopt a more realistic and flexible privacy policy that balances its business needs and its customers' privacy rights. References:
* Privacy Policy for Health Coaches
* Privacy Policies for Online Coaches
* Privacy Policy - Coaching.com


NEW QUESTION # 22
The Cable Communications Policy Act of 1984 requires which activity?

  • A. Destruction of personal information a maximum of six months after it is no longer needed
  • B. Delivery of an annual notice detailing how subscriber information is to be used
  • C. Notice to subscribers of any investigation involving unauthorized reception of cable services
  • D. Obtaining subscriber consent for disseminating any personal information necessary to render cable services

Answer: B

Explanation:
The Cable Communications Policy Act of 1984 (CCPA) is a federal law that regulates the cable television industry and protects the privacy of cable subscribers. One of the provisions of the CCPA is that cable operators must providetheir subscribers with an annual notice that clearly and conspicuously informs them of the following information12:
* The nature of personally identifiable information collected or to be collected with respect to the subscriber and the nature of the use of such information
* The nature, frequency, and purpose of any disclosure of such information, including an identification of the types of persons to whom the disclosure may be made
* The period during which such information will be maintained by the cable operator
* The times and place at which the subscriber may have access to such information
* The limitations provided by the CCPA with respect to the collection and disclosure of information by a cable operator and the right of the subscriber under the CCPA to enforce such limitations The annual notice must also state that the subscriber has the right to prevent disclosure of personally identifiable information to third parties, except as required by law or court order, and that the subscriber may sue for damages, attorney's fees, and other relief for violations of the CCPA12.
References: 1: Cable Communications Policy Act of 1984, Section 631 2: [IAPP CIPP/US Study Guide], Chapter 8, Section 8.3.2


NEW QUESTION # 23
Which entities must comply with the Telemarketing Sales Rule?

  • A. For-profit organizations calling businesses when a binding contract exists between them
  • B. For-profit and not-for-profit organizations when selling additional services to establish customers
  • C. Nonprofit organizations calling on their own behalf
  • D. For-profit organizations and for-profit telefunders regarding charitable solicitations

Answer: D

Explanation:
The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call."1 The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services. The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2 The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged intelemarketing.
However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing.
Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3 Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions. References: 1: eCFR :: 16 CFR Part 310 - Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule - Federal Trade Commission2, Exemptions to the TSR.


NEW QUESTION # 24
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
Depending on where Matt lives, the marketer could be prosecuted for violating which of the following?

  • A. Unfair and Deceptive Acts and Practices laws.
  • B. Consumer Bill of Rights.
  • C. Red Flag Rules.
  • D. Investigative Consumer Reporting Agencies Act.

Answer: A

Explanation:
The marketer could be prosecuted for violating the Unfair and Deceptive Acts and Practices (UDAP) laws, which are enforced by the Federal Trade Commission (FTC) and state attorneys general. UDAP laws prohibit businesses from engaging in unfair or deceptive practices that harm consumers, such as false advertising, misleading claims, or hidden fees. In this scenario, the marketer could be accused of deceiving children into providing personal information and preferences under the guise of a survey and a contest, without obtaining verifiable parental consent or disclosing how the information will be used or shared. This could also violate the Children's Online Privacy Protection Act (COPPA), which is a federal law that regulates the online collection and use of personal information from children under 13 years of age.


NEW QUESTION # 25
Which of the following is NOT a principle found in the APEC Privacy Framework?

  • A. Integrity of Personal Information.
  • B. Access and Correction.
  • C. Preventing Harm.
  • D. Privacy by Design.

Answer: D

Explanation:
Explanation/Reference: https://www.google.com/url?
sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwiqtJX4tPHvAhUQG-
wKHUoGBgkQFjAHegQIBRAD&url=https%3A%2F%2Fwww.apec.org%2F-%2Fmedia%2FAPEC%
2FPublications%2F2016%2F11%2F2016-CTI-Report-to-Ministers%2FTOC%2FAppendix-17-Updates-to-the- APEC-Privacy-Framework.pdf&usg=AOvVaw1Yysi4Ym_1VaCw1VZiB70a


NEW QUESTION # 26
Which action is prohibited under the Electronic Communications Privacy Act of 1986?

  • A. Monitoring employee telephone calls of a personal nature
  • B. Intercepting electronic communications and unauthorized access to stored communications
  • C. Accessing stored communications with the consent of the sender or recipient of the message
  • D. Monitoring all employee telephone calls

Answer: B

Explanation:
The Electronic Communications Privacy Act of 1986 (ECPA) is a federal law that protects the privacy of wire, oral, and electronic communications while they are being made, in transit, or stored on computers. The ECPA has three titles: Title I prohibits the intentional interception, use, or disclosure of wire, oral, or electronic communications, except for certain exceptions, such as consent, provider protection, or law enforcement purposes. Title II, also known as the Stored Communications Act (SCA), prohibits the unauthorized access to or disclosure of stored wire or electronic communications, such as email, voicemail, or online messages, except for certain exceptions, such as consent, provider protection, or law enforcement purposes. Title III regulates the installation and use of pen register and trap and trace devices, which record the numbers dialed to or from a telephone line, but not the content of the communications. Therefore, the action that is prohibited under the ECPA is intercepting electronic communications and unauthorized access to stored communications, which are covered by Title I and Title II of the Act, respectively.


NEW QUESTION # 27
SCENARIO
Please use the following to answer the next QUESTION
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated dat a. In her research, Roberta had discovered that even low- level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
What could the company have done differently prior to the breach to reduce their risk?

  • A. Communicated requests for changes to users' preferences across the organization and with third parties.
  • B. Honored the promise of its privacy policy to acquire information by using an opt-in method.
  • C. Implemented a comprehensive policy for accessing customer information.
  • D. Looked for any persistent threats to security that could compromise the company's network.

Answer: D


NEW QUESTION # 28
What are banks required to do under the Gramm-Leach-Bliley Act (GLBA)?

  • A. Process requests for changes to user preferences within a designated time frame
  • B. Conduct annual consumer surveys regarding satisfaction with user preferences
  • C. Offer an Opt-Out before transferring PI to an unaffiliated third party for the latter's own use
  • D. Provide consumers with the opportunity to opt out of receiving telemarketing phone calls

Answer: C

Explanation:
Explanation/Reference: https://www.investopedia.com/terms/g/glba.asp


NEW QUESTION # 29
The FTC often negotiates consent decrees with companies found to be in violation of privacy principles. How does this benefit both parties involved?

  • A. It avoids potentially harmful publicity.
  • B. It standardizes the amount of fines.
  • C. It simplifies the audit requirements.
  • D. It spares the expense of going to trial.

Answer: D

Explanation:
Negotiating consent decrees with companies found to be in violation of privacy principles benefits both parties involved by sparing the expense of going to trial. By opting for a consent decree, both the FTC and the company can avoid the time-consuming and costly process of litigation, including a trial. This approach allows for a more efficient resolution to the matter and enables the company to take corrective actions more quickly. Additionally, it can help the company avoid potentially harmful publicity that could arise from a public trial or a prolonged legal battle. While consent decrees might include penalties or fines, they often focus on implementing measures to improve compliance and protect consumers' privacy rights.


NEW QUESTION # 30
Even when dealing with an organization subject to the CCPA, California residents are NOT legally entitled to request that the organization do what?

  • A. Delete their personal information.
  • B. Refrain from selling their personal information to third parties.
  • C. Correct their personal information.
  • D. Disclose their personal information to them.

Answer: C


NEW QUESTION # 31
SCENARIO
Please use the following to answer the next question:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer's privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the best reason for Cheryl to follow Janice's suggestion about classifying customer data?

  • A. It will help the company meet a federal mandate
  • B. It will prevent the company from collecting too much personal information (PI)
  • C. It will help employees stay better organized
  • D. It will increase the security of customers' personal information (PI)

Answer: D

Explanation:
Explanation/Reference: https://eits.uga.edu/access_and_security/infosec/pols_regs/policies/dcps/


NEW QUESTION # 32
SCENARIO
Please use the following to answer the next QUESTION:
Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state's Do Not Call list, as well as the people on it. "If they were really serious about not being bothered," Evan said, "They'd be on the national DNC list. That's the only one we're required to follow. At SunriseLynx, we call until they ask us not to." Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call "another time." This, to Larry, is a clear indication that they don't want to be called at all. Evan doesn't see it that way.
Larry believes that Evan's arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social medi a. However, following Evan's political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.
Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though this name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan's leadership.
Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker's belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.
Larry wants to take action, but is uncertain how to proceed.
In regard to telemarketing practices, Evan the supervisor has a misconception regarding?

  • A. The conditions under which recipients can opt out
  • B. The relationship of state law to federal law
  • C. The wishes of recipients who request callbacks
  • D. The right to monitor calls for quality assurance

Answer: C


NEW QUESTION # 33
In which situation would a policy of "no consumer choice" or "no option" be expected?

  • A. When a patient's health record is made available to a pharmaceutical company
  • B. When a customer's financial information is requested by the government
  • C. When a job applicant's credit report is provided to an employer
  • D. When a customer's street address is shared with a shipping company

Answer: B

Explanation:
According to the Family Educational Rights and Privacy Act (FERPA), a policy of "no consumer choice" or "no option" means that an educational agency or institution may disclose personally identifiable information (PII) from education records without the prior written consent of the parent or eligible student, subject to certain conditions and exceptions. One of the exceptions is when the disclosure is to comply with a judicial order or lawfully issued subpoena, or to respond to an ex parte order from the Attorney General of the United States or his designee in connection with the investigation or prosecution of terrorism crimes. In such cases, the educational agency or institution must make a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance, unless the order or subpoena specifies not to do so.
Therefore, when a customer's financial information, which may be part of the education records, is requested by the government under a valid legal authority, the customer does not have the option to prevent the disclosure and the educational agency or institution does not need to obtain the customer's consent.


NEW QUESTION # 34
......


The CIPP-US certification is beneficial for professionals working in various industries, including healthcare, technology, finance, and legal. Certified Information Privacy Professional/United States (CIPP/US) certification helps individuals to gain a deeper understanding of privacy laws and regulations, which is critical for organizations to comply with the ever-evolving privacy landscape in the US. It also enhances an individual's career prospects, as many organizations today require privacy professionals with the CIPP-US certification.

 

CIPP-US dumps Exam Material with 228 Questions: https://prep4sure.examtorrent.com/CIPP-US-exam-papers.html