How to pass IAPP CIPP-US exam with the help of dumps?

Question # 1

Which of the following became the first state to pass a law specifically regulating thecollection of biometric data?

A. California.
B. Texas.
C. Illinois.
D. Washington.

Show Answer

Question # 2

In which situation is a company operating under the assumption of implied consent?

A. An employer contacts the professional references provided on an applicant’s resume
B. An online retailer subscribes new customers to an e-mail list by default
C. A landlord uses the information on a completed rental application to run a credit report
D. A retail clerk asks a customer to provide a zip code at the check-out counter

Show Answer

Question # 3

Which of the following does Title VII of the Civil Rights Act prohibit an employer from askinga job applicant?

A. Questions about age
B. Questions about a disability
C. Questions about a national origin
D. Questions about intended pregnancy

Show Answer

Question # 4

Which of the following would NOT constitute an exception to the authorization requirementunder the HIPAA Privacy Rule?

A. Disclosing health information for public health activities.
B. Disclosing health information to file a child abuse report.
C. Disclosing health information needed to treat a medical emergency.
D. Disclosing health information needed to pay a third party billing administrator.

Show Answer

Question # 5

What was unique about the action that the Federal Trade Commission took against B.J.’s Wholesale Club in 2005?

A. It made third-party audits a penalty for policy violations.
B. It was based on matters of fairness rather than deception.
C. It was the first substantial U.S.-EU Safe Harbor enforcement.
D. It made user consent mandatory after any revisions of policy.

Show Answer

Question # 6

What type of material is exempt from an individual’s right to disclosure under the PrivacyAct?

A. Material requires by statute to be maintained and used solely for research purposes.
B. Material reporting investigative efforts to prevent unlawful persecution of an individual.
C. Material used to determine potential collaboration with foreign governments innegotiation of trade deals.
D. Material reporting investigative efforts pertaining to the enforcement of criminal law.

Show Answer

Question # 7

What important action should a health care provider take if the she wants to qualify for funds under the Health Information Technology for Economic and Clinical Health Act(HITECH)?

A. Make electronic health records (EHRs) part of regular care
B. Bill the majority of patients electronically for their health care
C. Send health information and appointment reminders to patients electronically
D. Keep electronic updates about the Health Insurance Portability and Accountability Act

Show Answer

Question # 8

SCENARIOPlease use the following to answer the next QUESTION:Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx,and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking thestate’s Do Not Call list, as well as the people on it. “If they were really serious about notbeing bothered,” Evan said, “They’d be on the national DNC list. That’s the only one we’rerequired to follow. At SunriseLynx, we call until they ask us not to.”Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call “another time.” This, to Larry, is a clear indication that they don’t want to be called at all.Evan doesn’t see it that way.Larry believes that Evan’s arrogance also affects the way he treats employees. The U.S.Constitution protects American workers, and Larry believes that the rights of those atSunriseLynx are violated regularly. At first Evan seemed friendly, even connecting withemployees on social media. However, following Evan’s political posts, it became clear toLarry that employees with similar affiliations were the only ones offered promotions.Further, Larry occasionally has packages containing personal-use items mailed to work.Several times, these have come to him already opened, even though this name was clearlymarked. Larry thinks the opening of personal mail is common at SunriseLynx, and thatFourth Amendment rights are being trampled under Evan’s leadership.Larry has also been dismayed to overhear discussions about his coworker, Sadie.Telemarketing calls are regularly recorded for quality assurance, and although Sadie isalways professional during business, her personal conversations sometimes contain sexualcomments. This too is something Larry has heard Evan laughing about. When hementioned this to a coworker, his concern was met with a shrug. It was the coworker’sbelief that employees agreed to be monitored when they signed on. Although personaldevices are left alone, phone calls, emails and browsing histories are all subject tosurveillance. In fact, Larry knows of one case in which an employee was fired after anundercover investigation by an outside firm turned up evidence of misconduct. Although theemployee may have stolen from the company, Evan could have simply contacted theauthorities when he first suspected something amiss.Larry wants to take action, but is uncertain how to proceed.In regard to telemarketing practices, Evan the supervisor has a misconception regarding?

A. The conditions under which recipients can opt out
B. The wishes of recipients who request callbacks
C. The right to monitor calls for quality assurance
D. The relationship of state law to federal law

Show Answer

Question # 9

Which of the following best describes how federal anti-discrimination laws protect theprivacy of private-sector employees in the United States?

A. They prescribe working environments that are safe and comfortable.
B. They limit the amount of time a potential employee can be interviewed.
C. They promote a workforce of employees with diverse skills and interests.
D. They limit the types of information that employers can collect about employees.

Show Answer

Question # 10

Although an employer may have a strong incentive or legal obligation to monitoremployees’ conduct or behavior, some excessive monitoring may be considered an intrusion on employees’ privacy? Which of the following is the strongest example ofexcessive monitoring by the employer?

A. An employer who installs a video monitor in physical locations, such as a warehouse, toensure employees are performing tasks in a safe manner and environment.
B. An employer who installs data loss prevention software on all employee computers tolimit transmission of confidential company information.
C. An employer who installs video monitors in physical locations, such as a changing room,to reduce the risk of sexual harassment.
D. An employer who records all employee phone calls that involve financial transactionswith customers completed over the phone.

Show Answer

Question # 11

Under state breach notification laws, which is NOT typically included in the definition ofpersonal information?

A. State identification number
B. First and last name
C. Social Security number
D. Medical Information

Show Answer

Question # 12

Why was the Privacy Protection Act of 1980 drafted?

A. To respond to police searches of newspaper facilities
B. To assist prosecutors in civil litigation against newspaper companies
C. To assist in the prosecution of white-collar crimes
D. To protect individuals from personal privacy invasion by the police

Show Answer

Question # 13

Once a breach has been definitively established, which task should be prioritized next?

A. Involving law enforcement and state Attorneys General.
B. Determining what was responsible for the breach and neutralizing the threat.
C. Providing notice to the affected parties so they can take precautionary measures.
D. Implementing remedial measures and evaluating how to prevent future breaches.

Show Answer

Question # 14

What practice does the USA FREEDOM Act NOT authorize?

A. Emergency exceptions that allows the government to target roamers
B. An increase in the maximum penalty for material support to terrorism
C. An extension of the expiration for roving wiretaps
D. The bulk collection of telephone data and internet metadata

Show Answer

Question # 15

SCENARIOPlease use the following to answer the next QUESTION:Declan has just started a job as a nursing assistant in a radiology department at WoodlandHospital. He has also started a program to become a registered nurse.Before taking this career path, Declan was vaguely familiar with the Health InsurancePortability and Accountability Act (HIPAA). He now knows that he must help ensure thesecurity of his patients’ Protected Health Information (PHI). Therefore, he is thinkingcarefully about privacy issues.On the morning of his first day, Declan noticed that the newly hired receptionist handedeach patient a HIPAA privacy notice. He wondered if it was necessary to give these privacynotices to returning patients, and if the radiology department could reduce paper wastethrough a system of one-time distribution.He was also curious about the hospital’s use of a billing company. He Questioned whetherthe hospital was doing all it could to protect the privacy of its patients if the billing companyhad details about patients’ care.On his first day Declan became familiar with all areas of the hospital’s large radiologydepartment. As he was organizing equipment left in the halfway, he overheard aconversation between two hospital administrators. He was surprised to hear that a portablehard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, andwondered whether the hospital had plans to properly report what had happened.Despite Declan’s concern about this issue, he was amazed by the hospital’s effort tointegrate Electronic Health Records (EHRs) into the everyday care of patients. He thoughtabout the potential for streamlining care even more if they were accessible to all medicalfacilities nationwide.Declan had many positive interactions with patients. At the end of his first day, he spoke toone patient, John, whose father had just been diagnosed with a degenerative musculardisease. John was about to get blood work done, and he feared that the blood work couldreveal a genetic predisposition to the disease that could affect his ability to obtaininsurance coverage. Declan told John that he did not think that was possible, but thepatient was wheeled away before he could explain why. John plans to ask a colleagueabout this.In one month, Declan has a paper due for one his classes on a health topic of his choice.By then, he will have had many interactions with patients he can use as examples. He willbe pleased to give credit to John by name for inspiring him to think more carefully aboutgenetic testing.Although Declan’s day ended with many Questions, he was pleased about his newposition.Based on the scenario, what is the most likely way Declan’s supervisor would answer hisquestion about the hospital’s use of a billing company?

A. By suggesting that Declan look at the hospital’s publicly posted privacy policy
B. By assuring Declan that third parties are prevented from seeing Private HealthInformation (PHI)
C. By pointing out that contracts are in place to help ensure the observance of minimumsecurity standards
D. By describing how the billing system is integrated into the hospital’s electronic healthrecords (EHR) system

Show Answer

Question # 16

Which of the following is most likely to provide privacy protection to private-sectoremployees in the United States?

A. State law, contract law, and tort law
B. The Federal Trade Commission Act (FTC Act)
C. Amendments one, four, and five of the U.S. Constitution
D. The U.S. Department of Health and Human Services (HHS)

Show Answer

Question # 17

Under the Fair and Accurate Credit Transactions Act (FACTA), what is the mostappropriate action for a car dealer holding a paper folder of customer credit reports?

A. To follow the Disposal Rule by having the reports shredded
B. To follow the Red Flags Rule by mailing the reports to customers
C. To follow the Privacy Rule by notifying customers that the reports are being stored
D. To follow the Safeguards Rule by transferring the reports to a secure electronic file

Show Answer

Question # 18

A covered entity suffers a ransomware attack that affects the personal health information(PHI) of more than 500 individuals. According to Federal law under HIPAA, which of thefollowing would the covered entity NOT have to report the breach to?

A. Department of Health and Human Services
B. The affected individuals
C. The local media
D. Medical providers

Show Answer

Question # 19

Under the Driver’s Privacy Protection Act (DPPA), which of the following parties wouldrequire consent of an individual in order to obtain his or her Department of Motor Vehicleinformation?

A. Law enforcement agencies performing investigations.
B. Insurance companies needing to investigate claims.
C. Attorneys gathering information related to lawsuits.
D. Marketers wishing to distribute bulk materials.

Show Answer

Question # 20

Which of the following best describes private-sector workplace monitoring in the UnitedStates?

A. Employers have broad authority to monitor their employees
B. U.S. federal law restricts monitoring only to industries for which it is necessary
C. Judgments in private lawsuits have severely limited the monitoring of employees
D. Most employees are protected from workplace monitoring by the U.S. Constitution

Show Answer

Question # 21

John, a California resident, receives notification that a major corporation with $500 millionin annual revenue has experienced a data breach. John’s personal information in theirpossession has been stolen, including his full name and social security numb. John alsolearns that the corporation did not have reasonable cybersecurity measures in place tosafeguard his personal information.Which of the following answers most accurately reflects John’s ability to pursue a legalclaim against the corporation under the California Consumer Privacy Act (CCPA)?

A. John has no right to sue the corporation because the CCPA does not address any databreach rights.
B. John cannot sue the corporation for the data breach because only the state’s AttoneyGeneral has authority to file suit under the CCPA.
C. John can sue the corporation for the data breach but only to recover monetary damageshe actually suffered as a result of the data breach.
D. John can sue the corporation for the data breach to recover monetary damages sufferedas a result of the data breach, and in some circumstances seek statutory damagesirrespective of whether he suffered any financial harm.

Show Answer

Question # 22

What consumer service was the Fair Credit Reporting Act (FCRA) originally intended toprovide?

A. The ability to receive reports from multiple credit reporting agencies.
B. The ability to appeal negative credit-based decisions.
C. The ability to correct inaccurate credit information.
D. The ability to investigate incidents of identity theft.

Show Answer

Question # 23

In a case of civil litigation, what might a defendant who is being sued for distributing anemployee’s private information face?

A. Probation.
B. Criminal fines.
C. An injunction.
D. A jail sentence.

Show Answer

Question # 24

SCENARIOPlease use the following to answer the next QUESTIONOtto is preparing a report to his Board of Directors at Filtration Station, where he isresponsible for the privacy program. Filtration Station is a U.S. company that sells filtersand tubing products to pharmaceutical companies for research use. The company is basedin Seattle, Washington, with offices throughout the U.S. and Asia. It sells to businesscustomers across both the U.S. and the Asia-Pacific region. Filtration Station participates inthe Cross-Border Privacy Rules system of the APEC Privacy Framework.Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknownthird party was able to gain access to Filtration Station’s network and was able to steal datarelating to employees in the company’s Human Resources database, which is hosted by athird-party cloud provider based in the U.S. The HR data is encrypted. Filtration Stationalso uses the third-party cloud provider to host its business marketing contact database.The marketing database was not affected by the data breach. It appears that the databreach was caused when a system administrator at the cloud provider stored theencryption keys with the data itself.The Board has asked Otto to provide information about the data breach and how updateson new developments in privacy laws and regulations apply to Filtration Station. They areparticularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act(CCPA) and breach notification requirements.What can Otto do to most effectively minimize the privacy risks involved in using a cloudprovider for the HR data?

A. Request that the Board sign off in a written document on the choice of cloud provider.
B. Ensure that the cloud provider abides by the contractual requirements by conducting anon-site audit.
C. Obtain express consent from employees for storing the HR data in the cloud and keep arecord of the employee consents.
D. Negotiate a Business Associate Agreement with the cloud provider to protect anyhealth-related data employees might share with Filtration Station.

Show Answer

Question # 25

SCENARIOPlease use the following to answer the next QUESTIONWhen there was a data breach involving customer personal and financial information at alarge retail store, the company’s directors were shocked. However, Roberta, a privacyanalyst at the company and a victim of identity theft herself, was not. Prior to the breach,she had been working on a privacy program report for the executives. How the companyshared and handled data across its organization was a major concern. There were neitheradequate rules about access to customer information norprocedures for purging and destroying outdated data. In her research, Roberta haddiscovered that even low- level employees had access to all of the company’s customerdata, including financial records, and that the company still had in its possession obsoletecustomer data going back to the 1980s.Her report recommended three main reforms. First, permit access on an as-needs-to-knowbasis. This would mean restricting employees’ access to customer information to data thatwas relevant to the work performed. Second, create a highly secure database for storingcustomers’ financial information (e.g., credit card and bank account numbers) separatefrom less sensitive information. Third, identify outdated customer information and thendevelop a process for securely disposing of it.When the breach occurred, the company’s executives called Roberta to a meeting whereshe presented the recommendations in her report. She explained that the company havinga national customer base meant it would have to ensure that it complied with all relevantstate breach notification laws. Thanks to Roberta’s guidance, the company was able tonotify customers quickly and within the specific timeframes set by state breach notificationlaws.Soon after, the executives approved the changes to the privacy program that Robertarecommended in her report. The privacy program is far more effective now because ofthese changes and, also, because privacy and security are now considered the responsibility of every employee.Which principle of the Consumer Privacy Bill of Rights, if adopted, would best reform thecompany’s privacy program?

A. Consumers have a right to exercise control over how companies use their personaldata.
B. Consumers have a right to reasonable limits on the personal data that a companyretains.
C. Consumers have a right to easily accessible information about privacy and securitypractices.
D. Consumers have a right to correct personal data in a manner that is appropriate to thesensitivity.

Show Answer

Question # 26

SCENARIOPlease use the following to answer the next QUESTION:A US-based startup company is selling a new gaming application. One day, the CEO of thecompany receives an urgent letter from a prominent EU-based retail partner. Triggered byan unresolved complaint lodged by an EU resident, the letter describes an ongoinginvestigation by a supervisory authority into the retailer’s data handling practices.The complainant accuses the retailer of improperly disclosing her personal data, withoutconsent, to parties in the United States. Further, the complainant accuses the EU-basedretailer of failing to respond to her withdrawal of consent and request for erasure of herpersonal data. Your organization, the US-based startup company, was never informed ofthis request for erasure by the EU-based retail partner. The supervisory authorityinvestigating the complaint has threatened the suspension of data flows if the partiesinvolved do not cooperate with the investigation. The letter closes with an urgent request:“Please act immediately by identifying all personal data received from our company.”This is an important partnership. Company executives know that its biggest fans come fromWestern Europe; and this retailer is primarily responsible for the startup’s rapid marketpenetration.As the Company’s data privacy leader, you are sensitive to the criticality of the relationshipwith the retailer.Under the GDPR, the complainant’s request regarding her personal information is knownas what?

A. Right of Access
B. Right of Removal
C. Right of Rectification
D. Right to Be Forgotten

Show Answer

Question # 27

What information did the Red Flag Program Clarification Act of 2010 add to the originalRed Flags rule?

A. The most common methods of identity theft.B. The definition of what constitutes a creditor.
C. The process for proper disposal of sensitive data.
D. The components of an identity theft detection program.

Show Answer

Question # 28

What practice do courts commonly require in order to protect certain personal informationon documents, whether paper or electronic, that is involved in litigation?

A. Redaction
B. Encryption
C. Deletion
D. Hashing

Show Answer

Question # 29

Which of the following conditions would NOT be sufficient to excuse an entity fromproviding breach notification under state law?

A. If the data involved was encrypted.
B. If the data involved was accessed but not exported.
C. If the entity was subject to the GLBA Safeguards Rule.
D. If the entity followed internal notification procedures compatible with state law.

Show Answer

Question # 30

In which situation would a policy of “no consumer choice” or “no option” be expected?

A. When a job applicant’s credit report is provided to an employer
B. When a customer’s financial information is requested by the government
C. When a patient’s health record is made available to a pharmaceutical company
D. When a customer’s street address is shared with a shipping company

Show Answer

Question # 31

SCENARIOPlease use the following to answer the next QUESTION:You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A.HealthCo is a HIPAA-covered entity that provides healthcare services to more than100,000 patients. A third-party cloud computing service provider, CloudHealth, stores andmanages the electronic protected health information (ePHI) of these individuals on behalfof HealthCo. CloudHealth stores the data in state B. As part of HealthCo’s businessassociate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth toimplement security measures, including industry standard encryption practices, toadequately protect the data. However, HealthCo did not perform due diligence onCloudHealth before entering the contract, and has not conducted audits of CloudHealth’ssecurity measures.A CloudHealth employee has recently become the victim of a phishing attack. When theemployee unintentionally clicked on a link from a suspicious email, the PHI of more than10,000 HealthCo patients was compromised. It has since been published online. TheHealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who haslaunched similar attacks on other hospitals – ones that exposed the PHI of public figuresincluding celebrities and politicians.During the course of its investigation, HealthCo discovers that CloudHealth has notencrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth hasnot provided privacy or security training to its employees. Law enforcement has requestedthat HealthCo provide its investigative report of the breach and a copy of the PHI of theindividuals affected.A patient affected by the breach then sues HealthCo, claiming that the company did notadequately protect the individual’s ePHI, and that he has suffered substantial harm as aresult of the exposed data. The patient’s attorney has submitted a discovery request for the ePHI exposed in the breach.Of the safeguards required by the HIPAA Security Rule, which of the following is NOT atissue due to HealthCo’s actions?

A. Administrative Safeguards
B. Technical Safeguards
C. Physical Safeguards
D. Security Safeguards

Show Answer

Question # 32

SCENARIOPlease use the following to answer the next QUESTION:A US-based startup company is selling a new gaming application. One day, the CEO of thecompany receives an urgent letter from a prominent EU-based retail partner. Triggered byan unresolved complaint lodged by an EU resident, the letter describes an ongoinginvestigation by a supervisory authority into the retailer’s data handling practices.The complainant accuses the retailer of improperly disclosing her personal data, withoutconsent, to parties in the United States. Further, the complainant accuses the EU-basedretailer of failing to respond to herwithdrawal of consent and request for erasure of her personal data. Your organization, theUS-based startup company, was never informed of this request for erasure by the EUbasedretail partner. The supervisory authority investigating the complaint has threatenedthe suspension of data flows if the parties involved do not cooperate with the investigation.The letter closes with an urgent request: “Please act immediately by identifying all personaldata received from our company.”This is an important partnership. Company executives know that its biggest fans come fromWestern Europe; and this retailer is primarily responsible for the startup’s rapid marketpenetration.As the Company’s data privacy leader, you are sensitive to the criticality of the relationshipwith the retailer.Under the General Data Protection Regulation (GDPR), how would the U.S.-based startupcompany most likely be classified?

A. As a data supervisor
B. As a data processor
C. As a data controller
D. As a data manager

Show Answer

Question # 33

Sarah lives in San Francisco, California. Based on a dramatic increase in unsolicitedcommercial emails, Sarah believes that a major social media platform with over 50 millionusers has collected a lot of personal information about her. The company that runs theplatform is based in New York and France.Why is Sarah entitled to ask the social media platform to delete the personal informationthey have collected about her?

A. Any company with a presence in Europe must comply with the General Data ProtectionRegulation globally, including in response to data subject deletion requests.
B. Under Section 5 of the FTC Act, the Federal Trade Commission has held that refusing todelete an individual’s personal information upon request constitutes an unfair practice.
C. The California Consumer Privacy Act entitles Sarah to request deletion of her personalinformation.
D. The New York “Stop Hacks and Improve Electronic Data Security” (SHIELD) Actrequires that businesses under New York’s jurisdiction must delete customers’ personalinformation upon request.

Show Answer

Question # 34

Which of the following laws is NOT involved in the regulation of employee backgroundchecks?

A. The Civil Rights Act.
B. The Gramm-Leach-Bliley Act (GLBA).
C. The U.S. Fair Credit Reporting Act (FCRA).
D. The California Investigative Consumer Reporting Agencies Act (ICRAA).

Show Answer