[Q90-Q114] Use Real CIPP-US - 100% Cover Real Exam Questions [Jun-2026]


Dumps Brief Outline Of The CIPP-US Exam - TestKingsIT

NEW QUESTION # 90
SCENARIO
Please use the following to answer the next QUESTION
Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S. and Asia. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.
Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station's network and was able to steal data relating to employees in the company's Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.
The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.
The Board has asked Otto whether the company will need to comply with the new California Consumer Privacy Law (CCPA). What should Otto tell the Board?

  • A. That CCPA will apply to the company only after the California Attorney General determines that it will enforce the statute.
  • B. That CCPA only applies to companies based in California, which exempts the company from compliance.
  • C. That the company is governed by CCPA, but does not need to take any additional steps because it follows CPBR.
  • D. That business contact information could be considered personal information governed by CCPA.

Answer: D

Explanation:
CCPA applies regardless of enforcement. Under the CPRA, which amended the CCPA, business contact information is PII.


NEW QUESTION # 91
Which act violates the Family Educational Rights and Privacy Act of 1974 (FERPA)?

  • A. A university posts a public student directory that includes names, hometowns, e-mail addresses, and majors
  • B. A newspaper prints the names, grade levels, and hometowns of students who made the quarterly honor roll
  • C. University police provide an arrest report to a student's hometown police, who suspect him of a similar crime
  • D. A K-12 assessment vendor obtains a student's signed essay about her hometown from her school to use as an exemplar for public release

Answer: D

Explanation:
The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law that protects the privacy of student education records. FERPA grants parents or eligible students the right to access, amend, and control the disclosure of their education records, with some exceptions. Schools must obtain written consent from the parent or eligible student before disclosing any personally identifiable information from the education records, unless an exception applies [1][2][3].
Option D violates FERPA because it involves the disclosure of a student's personally identifiable information (PII) from the education records without consent. A student's signed essay about her hometown is considered an education record under FERPA, as it is directly related to the student and maintained by the school [1][2]. A K-12 assessment vendor is not a school official with a legitimate educational interest, nor does it fall under any of the exceptions that allow disclosure without consent [1][2]. Therefore, the school must obtain the student's (or the parent's, if the student is a minor) written consent before providing the essay to the vendor for public release.
Option A does not violate FERPA because it involves the disclosure of directory information, which is not considered PII under FERPA. Directory information is information that would not generally be considered harmful or an invasion of privacy if disclosed, such as name, address, phone number, e-mail address, major, etc. [1][2]. Schools may disclose directory information without consent, unless the parent or eligible student has opted out of such disclosure [1][2]. However, schools must notify parents and eligible students annually of the types of directory information they designate and of their right to opt out [1][2].
Option B does not violate FERPA because it involves the disclosure of information that is not part of the education records. FERPA only applies to education records that are directly related to a student and maintained by the school or a party acting for the school [1][2]. A newspaper's publication of the names, grade levels, and hometowns of students who made the quarterly honor roll is not based on the education records, but on the newspaper's own sources and reporting. Therefore, FERPA does not prohibit such disclosure.
Option C does not violate FERPA because it involves the disclosure of information under an exception that allows disclosure without consent. FERPA permits schools to disclose education records, or PII from education records, without consent to comply with a judicial order or lawfully issued subpoena, or to appropriate officials in connection with a health or safety emergency [1][2][3]. If the university police provide an arrest report to the student's hometown police in response to a subpoena or to prevent a serious threat to the student or others, they are not violating FERPA.
References: [1] Family Educational Rights and Privacy Act - Wikipedia; [2] Family Educational Rights and Privacy Act (FERPA) | CDC; [3] What is FERPA? | Protecting Student Privacy - ed


NEW QUESTION # 92
U.S. federal laws protect individuals from employment discrimination based on all of the following EXCEPT?

  • A. Pregnancy.
  • B. Marital status.
  • C. Age.
  • D. Genetic information.

Answer: B

Explanation:
U.S. federal laws protect individuals from employment discrimination based on a number of protected characteristics, such as age, pregnancy, and genetic information. However, marital status is not one of them. There is no federal law that prohibits employment discrimination based on marital status, although some states and localities have enacted such laws.


NEW QUESTION # 93
Sarah lives in San Francisco, California. Based on a dramatic increase in unsolicited commercial emails, Sarah believes that a major social media platform with over 50 million users has collected a lot of personal information about her. The company that runs the platform is based in New York and France.
Why is Sarah entitled to ask the social media platform to delete the personal information they have collected about her?

  • A. The California Consumer Privacy Act entitles Sarah to request deletion of her personal information.
  • B. Any company with a presence in Europe must comply with the General Data Protection Regulation globally, including in response to data subject deletion requests.
  • C. The New York "Stop Hacks and Improve Electronic Data Security" (SHIELD) Act requires that businesses under New York's jurisdiction must delete customers' personal information upon request.
  • D. Under Section 5 of the FTC Act, the Federal Trade Commission has held that refusing to delete an individual's personal information upon request constitutes an unfair practice.

Answer: A

Explanation:
The correct answer is A because the California Consumer Privacy Act (CCPA) is a state privacy law that grants California residents the right to request the deletion of the personal information that a business has collected from them. The CCPA applies to any business that collects personal information from California residents, regardless of where the business is located, as long as the business meets certain thresholds of revenue, data volume, or data sharing.
Therefore, the social media platform that Sarah uses is subject to the CCPA and must honor Sarah's deletion request, unless an exception applies. The CCPA also requires businesses to provide notice and choice to consumers about their data collection and use practices, and to respond to consumer requests within 45 days.


NEW QUESTION # 94
According to FERPA, when can a school disclose records without a student's consent?

  • A. If the disclosure is to practitioners who are involved in a student's health care
  • B. If the disclosure is not to be conducted through email to the third party
  • C. If the disclosure is to provide transcripts to a school where a student intends to enroll
  • D. If the disclosure would not reveal a student's student identification number

Answer: C

Explanation:
According to FERPA, a school may disclose personally identifiable information (PII) from an eligible student's education records without consent if the disclosure meets one of the exceptions in 34 CFR § 99.31. One of these exceptions is for disclosures to other schools to which a student seeks or intends to enroll, or in which the student is already enrolled, if the disclosure is for purposes related to the student's enrollment or transfer (34 CFR § 99.31(a)(2)). This exception allows schools to disclose transcripts, recommendations, or other information that may facilitate the student's admission or enrollment at another school. However, the school must make a reasonable attempt to notify the student of the disclosure, unless the student initiated the disclosure, and must provide the student with a copy of the records that were disclosed upon request (34 CFR § 99.34(a)(1)).


NEW QUESTION # 96
SCENARIO
Please use the following to answer the next QUESTION:
Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state's Do Not Call list, as well as the people on it. "If they were really serious about not being bothered," Evan said, "They'd be on the national DNC list. That's the only one we're required to follow. At SunriseLynx, we call until they ask us not to." Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call "another time." This, to Larry, is a clear indication that they don't want to be called at all. Evan doesn't see it that way.
Larry believes that Evan's arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social media. However, following Evan's political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.
Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though his name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan's leadership.
Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker's belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.
Larry wants to take action, but is uncertain how to proceed.
Which act would authorize Evan's undercover investigation?

  • A. The Fair and Accurate Credit Transactions Act (FACTA)
  • B. The National Labor Relations Act (NLRA)
  • C. The Whistleblower Protection Act
  • D. The Stored Communications Act (SCA)

Answer: B


NEW QUESTION # 97
What is the main reason some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices?

  • A. A large amount of money may have to be spent on improved technology and security
  • B. A new business owner may not understand the regulations
  • C. Industries may not be strict enough in the creation and enforcement of rules
  • D. Human rights may be disregarded for the sake of privacy

Answer: C


NEW QUESTION # 98
SCENARIO
Please use the following to answer the next QUESTION:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company." This is an important partnership. Company executives know that its biggest fans come from Western Europe, and this retailer is primarily responsible for the startup's rapid market penetration.
As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
Upon review, the data privacy leader discovers that the Company's documented data inventory is obsolete.
What is the data privacy leader's next best source of information to aid the investigation?

  • A. Reports on recent purchase histories
  • B. Lists of all customers, sorted by country
  • C. Database schemas held by the retailer
  • D. Interviews with key marketing personnel

Answer: D

Explanation:
The data privacy leader needs to identify all the personal data that the Company has received from the retailer, as well as the purposes, retention periods, and sharing practices of such data. Since the data inventory is obsolete, the data privacy leader cannot rely on it to provide accurate and complete information. Therefore, the next best source of information is to interview the key marketing personnel who are responsible for the partnership with the retailer and the use of the personal data. The marketing personnel can provide insights into the data flows, the data categories, the data processing activities, and the data protection measures that the Company has implemented. They can also help the data privacy leader to locate the relevant documents, contracts, and records that can support the investigation.
References: [IAPP CIPP/US Study Guide], Chapter 5: Data Management, p. 97-98; IAPP Privacy Tech Vendor Report, Data Mapping and Inventory, p. 9-10.


NEW QUESTION # 99
SCENARIO
Please use the following to answer the next QUESTION:
Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state's Do Not Call list, as well as the people on it. "If they were really serious about not being bothered," Evan said, "They'd be on the national DNC list. That's the only one we're required to follow. At SunriseLynx, we call until they ask us not to." Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call "another time." This, to Larry, is a clear indication that they don't want to be called at all. Evan doesn't see it that way.
Larry believes that Evan's arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social media. However, following Evan's political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.
Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though his name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan's leadership.
Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker's belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.
Larry wants to take action, but is uncertain how to proceed.
In what area does Larry have a misconception about private-sector employee rights?

  • A. The applicability of federal law
  • B. The definition of tort law
  • C. The enforceability of local law
  • D. The strict nature of state law

Answer: A


NEW QUESTION # 100
Which of the following would NOT constitute an exception to the authorization requirement under the HIPAA Privacy Rule?

  • A. Disclosing health information for public health activities.
  • B. Disclosing health information to file a child abuse report.
  • C. Disclosing health information needed to treat a medical emergency.
  • D. Disclosing health information needed to pay a third party billing administrator.

Answer: D

Explanation:
Among the options provided, disclosing health information needed to pay a third party billing administrator would NOT constitute an exception to the authorization requirement under the HIPAA Privacy Rule. Generally, when disclosing health information for payment and healthcare operations purposes, specific patient authorization is not required. However, this exception applies primarily to disclosures made to healthcare providers, health plans, and other entities directly involved in the payment or healthcare operations process.


NEW QUESTION # 101
Within what time period must a commercial message sender remove a recipient's address once they have asked to stop receiving future e-mail?

  • A. 7 days
  • B. 10 days
  • C. 21 days
  • D. 15 days

Answer: B


NEW QUESTION # 102
Acme Student Loan Company has developed an artificial intelligence algorithm that determines whether an individual is likely to pay their bill or default. A person who is determined by the algorithm to be more likely to default will receive frequent payment reminder calls, while those who are less likely to default will not receive payment reminders.
Which of the following most accurately reflects the privacy concerns with Acme Student Loan Company using artificial intelligence in this manner?

  • A. If the algorithm's methodology is disclosed to consumers, then it is acceptable for Acme to have a disparate impact on protected classes.
  • B. If the algorithm uses information about protected classes to make automated decisions, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.
  • C. If the algorithm uses risk factors that impact the automatic decision engine, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.
  • D. If the algorithm makes automated decisions based on risk factors and public information, Acme need not determine if the algorithm has a disparate impact on protected classes.

Answer: B

Explanation:
If the algorithm uses information about protected classes to make automated decisions, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output. The Fair Credit Reporting Act (FCRA) protects consumers from unfair, inaccurate, and discriminatory treatment by creditors and other businesses that use credit reports. The FCRA prohibits creditors from using information about protected classes, such as race, color, religion, national origin, sex, marital status, age, or because they receive income from a public assistance program, to make decisions about credit. In the case of Acme Student Loan Company, the algorithm is using information about protected classes to make automated decisions about whether to send payment reminder calls. This could have a disparate impact on protected classes, such as people of color or people with low incomes. For example, people of color may be more likely to be identified as being at risk of default, even if they are just as likely to repay their loans as people of other races. Acme Student Loan Company must ensure that the algorithm does not have a disparate impact on protected classes. This could be done by using a variety of methods, such as:
  • Testing the algorithm for accuracy, fairness, and bias before and after deployment
  • Providing consumers with notice and consent options for the use of their data
  • Allowing consumers to access, correct, or delete their data
  • Implementing accountability and oversight mechanisms for the algorithm
  • Ensuring compliance with applicable laws and regulations


NEW QUESTION # 103
The rules for "e-discovery" mainly prevent which of the following?

  • A. The loss of information due to poor data retention practices
  • B. A conflict between business practice and technological safeguards
  • C. The practice of employees using personal devices for work
  • D. A breach of an organization's data retention program

Answer: B

Explanation:
E-discovery is the process by which parties share, review, and collect electronically stored information (ESI) to use as evidence in a legal matter. The rules for e-discovery mainly prevent a conflict between business practice and technological safeguards, because they establish the standards and procedures for preserving, collecting, reviewing, and producing ESI in a way that balances the needs of litigation with the realities of technology. For example, the Federal Rules of Civil Procedure (FRCP) provide guidance on the scope, timing, format, and methods of e-discovery, as well as the sanctions for failing to comply with e-discovery obligations. The rules also encourage cooperation and communication among parties and courts to resolve e-discovery issues efficiently and effectively. By following the rules for e-discovery, parties can avoid disputes, delays, and costs that may arise from incompatible or inconsistent business and technological practices.


NEW QUESTION # 104
When developing a company privacy program, which of the following relationships will most help a privacy professional develop useful guidance for the organization?

  • A. Relationships with company leaders responsible for approving, implementing, and periodically reviewing the corporate privacy program.
  • B. Relationships with clients, vendors, and customers whose data will be primarily collected and used throughout the organizational program.
  • C. Relationships with individuals within the privacy professional community who are able to share expertise and leading practices for different industries.
  • D. Relationships with individuals across company departments and at different levels in the organization's hierarchy.

Answer: D

Explanation:
When developing a company privacy program, a privacy professional needs to understand the business objectives, processes, and risks of the organization, as well as the legal and regulatory requirements and best practices for privacy. To achieve this, a privacy professional should establish and maintain relationships with individuals across company departments and at different levels in the organization's hierarchy, such as IT, marketing, human resources, legal, compliance, security, and senior management. These relationships will help the privacy professional to gather relevant information, identify privacy issues and gaps, communicate privacy policies and procedures, provide training and awareness, monitor compliance, and resolve conflicts.
The other relationships listed are also important, but not as essential as the internal relationships for developing a company privacy program.
References:
  • IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Developing a Privacy Program, Section 5.1: Privacy Program Framework, p. 145-146
  • IAPP CIPP/US Body of Knowledge, Domain V: Developing a Privacy Program, Objective V.A: Identify the components of a privacy program framework, Subobjective V.A.1: Identify the roles and responsibilities of individuals within the organization, p. 23
  • IAPP CIPP/US Exam Blueprint, Domain V: Developing a Privacy Program, Objective V.A: Identify the components of a privacy program framework, Subobjective V.A.1: Identify the roles and responsibilities of individuals within the organization, p. 7


NEW QUESTION # 105
SCENARIO
Please use the following to answer the next question:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customers' privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first draft of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with a personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worries Cheryl, since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the best reason for Cheryl to follow Janice's suggestion about classifying customer data?

  • A. It will increase the security of customers' personal information (PI)
  • B. It will help the company meet a federal mandate
  • C. It will prevent the company from collecting too much personal information (PI)
  • D. It will help employees stay better organized

Answer: A

Explanation:
Data classification systematically categorizes information based on sensitivity and importance to determine its level of confidentiality. This process helps apply appropriate security and compliance measures to ensure each category receives proper protection. This process also helps to identify which personal data is subject to specific GDPR requirements, such as obtaining explicit consent from data subjects, or notifying data subjects in the event of a data breach. By classifying data, Cheryl can also make more informed decisions about where to store the information on her computer system and the nature of controls that are required based on classification. This way, she can protect her customers' privacy while maintaining the highest level of service.


NEW QUESTION # 106
What does the Massachusetts Personal Information Security Regulation require as it relates to encryption of personal information?

  • A. The encryption of all personal information of Massachusetts residents when stored on portable devices.
  • B. The encryption of personal information stored in Massachusetts-based companies when stored on portable devices.
  • C. The encryption of all personal information stored in Massachusetts-based companies when all equipment is located in Massachusetts.
  • D. The encryption of all personal information of Massachusetts residents when all equipment is located in Massachusetts.

Answer: A

Explanation:
The Massachusetts Personal Information Security Regulation (201 CMR 17.00) requires that any person or entity that owns or licenses personal information of Massachusetts residents must implement and maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards to protect such information. One of the technical requirements of the regulation is to encrypt all personal information of Massachusetts residents that is stored on laptops or other portable devices, regardless of where the equipment is located. The regulation defines personal information as a person's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such person: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account. The regulation also requires encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.


NEW QUESTION # 107
Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law?

  • A. If the data involved was encrypted.
  • B. If the data involved was accessed but not exported.
  • C. If the entity was subject to the GLBA Safeguards Rule.
  • D. If the entity followed internal notification procedures compatible with state law.

Answer: B

Explanation:
Most state breach notification laws require entities to notify affected individuals and/or regulators when there is unauthorized access to or acquisition of personal information that compromises its security, confidentiality, or integrity. However, some states provide exceptions to this requirement under certain conditions, such as:
* If the data involved was encrypted or otherwise rendered unreadable or unusable, and the encryption key or other means of access was not compromised. This is based on the assumption that encrypted data is not accessible to unauthorized parties, even if they obtain the data.
* If the entity was subject to and complied with another federal or state law that provides similar or greater protection and notification requirements, such as the GLBA Safeguards Rule or the HIPAA Breach Notification Rule. This is to avoid duplication or inconsistency of obligations for entities that are already regulated by other laws.
* If the entity conducted a risk assessment and determined that there is no reasonable likelihood of harm to the affected individuals, based on factors such as the nature and extent of the data, the circumstances of the breach, the evidence of misuse, and the ability to mitigate the risk. This is to allow entities to exercise some discretion and judgment in evaluating the potential impact of the breach.
However, none of the state laws provide an exception for the mere access of data without exportation. Access alone is considered a breach that triggers the notification requirement, unless one of the other conditions applies. Therefore, option B is not a sufficient excuse for not providing breach notification under state law.


NEW QUESTION # 108
SCENARIO
Please use the following to answer the next question:
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low-level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on a need-to-know basis.
This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information.
Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
Which principle of the Consumer Privacy Bill of Rights, if adopted, would best reform the company's privacy program?

  • A. Consumers have a right to correct personal data in a manner that is appropriate to the sensitivity.
  • B. Consumers have a right to easily accessible information about privacy and security practices.
  • C. Consumers have a right to exercise control over how companies use their personal data.
  • D. Consumers have a right to reasonable limits on the personal data that a company retains.

Answer: D

Explanation:
The Consumer Privacy Bill of Rights is a set of principles proposed by the Obama administration in 2012 to protect the privacy of consumers online and offline. The principles are based on the Fair Information Practice Principles, which are widely accepted as the foundation of privacy protection. One of the principles is the right to reasonable limits on the personal data that a company retains, which means that companies should collect and keep only the personal data they need for legitimate purposes, and dispose of it securely when it is no longer needed. This principle would best reform the company's privacy program in the scenario, as it would address the major concerns that Roberta identified in her report, such as the lack of rules and procedures for purging and destroying outdated data, and the excessive access to customer information by low-level employees. By implementing reasonable limits on the personal data that the company retains, the company would reduce the risk of data breaches, enhance customer trust, and comply with state breach notification laws.


NEW QUESTION # 109
Which of the following types of information would an organization generally NOT be required to disclose to law enforcement?

  • A. Information about medication errors under the Food, Drug and Cosmetic Act
  • B. Personal health information under the HIPAA Privacy Rule
  • C. Money laundering information under the Bank Secrecy Act of 1970
  • D. Information about workplace injuries under OSHA requirements

Answer: B


NEW QUESTION # 110
The Cable Communications Policy Act of 1984 requires which activity?

  • A. Destruction of personal information a maximum of six months after it is no longer needed
  • B. Obtaining subscriber consent for disseminating any personal information necessary to render cable services
  • C. Delivery of an annual notice detailing how subscriber information is to be used
  • D. Notice to subscribers of any investigation involving unauthorized reception of cable services

Answer: D


NEW QUESTION # 111
SCENARIO
Please use the following to answer the next QUESTION
Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask questions about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.
Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.
Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results.
Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.
In any case, Celeste feels that all they need is common sense - like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.
Based on Felicia's Bring Your Own Device (BYOD) plan, the business consultant will most likely advise Felicia and Celeste to do what?

  • A. Reconsider the plan in favor of a policy of dedicated work devices.
  • B. Make employment decisions based on those willing to consent to the plan in writing.
  • C. Adopt the same kind of monitoring policies used for work-issued devices.
  • D. Weigh any productivity benefits of the plan against the risk of privacy issues.

Answer: D

Explanation:
BYOD is a practice that allows employees to use their own personal devices, such as smartphones, tablets, or laptops, for work-related purposes. BYOD can offer some benefits for both employers and employees, such as increased flexibility, convenience, and productivity. However, BYOD also poses significant privacy and security risks, such as data breaches, unauthorized access, loss or theft of devices, malware infections, and compliance challenges. Therefore, the business consultant will most likely advise Felicia and Celeste to weigh any productivity benefits of the plan against the risk of privacy issues, and to implement a comprehensive BYOD policy that addresses the following aspects:
* The scope and purpose of the BYOD program, including the types of devices, data, and applications that are allowed or prohibited.
* The roles and responsibilities of the employer and the employees, including the ownership, control, and access rights of the devices and the data.
* The security measures and controls that are required to protect the devices and the data, such as encryption, passwords, remote wipe, antivirus software, firewalls, and VPNs.
* The privacy expectations and obligations of the employer and the employees, such as the notice, consent, and disclosure requirements, the limits on data collection and monitoring, the retention and deletion policies, and the rights of access and correction.
* The legal and regulatory compliance requirements that apply to the BYOD program, such as the FTC Act, the GLBA, HIPAA, COPPA, the CCPA, and the GDPR.
* The incident response and reporting procedures that are followed in the event of a data breach, loss, or theft of a device, or any other privacy or security issue.
* The training and education programs that are provided to the employees to raise awareness and understanding of the BYOD policy and the best practices.
* The enforcement and audit mechanisms that are used to ensure compliance and accountability of the BYOD policy, such as sanctions, penalties, reviews, and audits.
References:
* IAPP CIPP/US Body of Knowledge, Section III.C.2
* IAPP CIPP/US Textbook, Chapter 3, pp. 113-115
* FTC Mobile Device Security


NEW QUESTION # 112
SCENARIO
Please use the following to answer the next QUESTION
Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask questions about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.
Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.
Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.
In any case, Celeste feels that all they need is common sense - like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.
Regarding credit checks of potential employees, Celeste has a misconception regarding what?

  • A. Consent requirements.
  • B. Disclosure requirements.
  • C. Records retention policies.
  • D. Employment-at-will rules.

Answer: A


NEW QUESTION # 113
The Video Privacy Protection Act of 1988 restricted which of the following?

  • A. Which purchase records of audio visual materials may be disclosed
  • B. When downloading of copyrighted audio visual materials is allowed
  • C. Who advertisements for videos and video games may target
  • D. When a user's viewing of online video content can be monitored

Answer: A


NEW QUESTION # 114
......


The CIPP-US certification is beneficial for professionals working in various industries, including healthcare, technology, finance, and legal. Certified Information Privacy Professional/United States (CIPP/US) certification helps individuals to gain a deeper understanding of privacy laws and regulations, which is critical for organizations to comply with the ever-evolving privacy landscape in the US. It also enhances an individual's career prospects, as many organizations today require privacy professionals with the CIPP-US certification.

