Ask Question
IAPP CIPP-US Practice Test - Questions Answers, Page 12
Add to Whishlist
List of questions
Question 111
Which of the following is an example of federal preemption?
The Payment Card Industry's (PCI) ability to self-regulate and enforce data security standards for payment card data.
The U.S. Federal Trade Commission's (FTC) ability to enforce against unfair and deceptive trade practices across sectors and industries.
The California Consumer Privacy Act (CCPA) regulating businesses that have no physical brick-and-mortal presence in California, but which do business there.
The U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act prohibiting states from passing laws that impose greater obligations on senders of email marketing.
Federal preemption is a doctrine in law that allows a federal law to take precedence over or to displace a state law in certain matters of national importance (such as interstate commerce). The doctrine is based on the Supremacy Clause of the Constitution, which declares that federal law is the ''supreme law of the land'' and that state judges are bound by it. There are two types of federal preemption: express and implied. Express preemption occurs when Congress expressly states that a federal law is intended to preempt certain types of state legislation. Implied preemption occurs when a state law conflicts with federal law because it is impossible to comply with both at the same time, or because it interferes with the objectives of the federal law, or because the federal government has fully occupied the field of regulation.
The U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is an example of express preemption. The Act regulates commercial email messages and establishes requirements for senders and penalties for violations. The Act also explicitly preempts any state law that ''expressly regulates the use of electronic mail to send commercial messages'', except for state laws that prohibit falsity or deception. This means that states cannot pass laws that impose greater obligations on senders of email marketing than the federal law, such as requiring opt-in consent or providing additional opt-out mechanisms. Therefore, the CAN-SPAM Act is the correct answer to the question.
The other options are not examples of federal preemption. The Payment Card Industry's (PCI) ability to self-regulate and enforce data security standards for payment card data is not a federal law, but a private sector initiative. The U.S. Federal Trade Commission's (FTC) ability to enforce against unfair and deceptive trade practices across sectors and industries is not a preemption of state law, but a concurrent power that can coexist with state consumer protection laws. The California Consumer Privacy Act (CCPA) regulating businesses that have no physical brick-and-mortal presence in California, but which do business there, is not preempted by any federal law, but is a state law that applies to entities that meet certain criteria of collecting or selling personal information of California residents.Reference:Federal preemption,What is Federal Preemption?,Federal preemption Definition & Meaning,preemption,Preemption legal definition of Preemption, CAN-SPAM Act, IAPP CIPP/US Study Guide, Chapter 2.
Question 112
Which of these organizations would be required to provide its customers with an annual privacy notice?
The Four Winds Tribal College.
The Golden Gavel Auction House.
The King County Savings and Loan.
The Breezy City Housing Commission.
The annual privacy notice requirement under the Gramm-Leach-Bliley Act (GLBA) applies to financial institutions that collect nonpublic personal information from customers and disclose it to nonaffiliated third parties, unless they qualify for an exception. A financial institution is any entity that engages in activities that are financial in nature or incidental to such activities, as defined by section 4(k) of the Bank Holding Company Act of 1956. The King County Savings and Loan is a financial institution under this definition, as it engages in lending money and accepting deposits. Therefore, it is required to provide its customers with an annual privacy notice, unless it meets the conditions for an exception. The Four Winds Tribal College, the Golden Gavel Auction House, and the Breezy City Housing Commission are not financial institutions under the GLBA, as they do not engage in activities that are financial in nature or incidental to such activities. Therefore, they are not required to provide their customers with an annual privacy notice under the GLBA.Reference:
Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act, section I. Background, paragraph 2.
17 CFR 248.5 - Annual privacy notice to customers required., paragraph (a) (1).
IAPP CIPP/US Study Guide, page 65.
Question 113
Which entity within the Department of Health and Human Services (HHS) is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA) ''Privacy Rule''?
Office for Civil Rights.
Office of Social Services.
Office of Inspector General.
Office of Public Health and Safety.
The Office for Civil Rights (OCR) within the HHS is the primary enforcer of the HIPAA Privacy Rule, which establishes national standards for the protection of individually identifiable health information by covered entities and business associates. The OCR investigates complaints, conducts compliance reviews, and provides technical assistance and guidance to ensure compliance with the Privacy Rule. The OCR can also impose civil monetary penalties for violations of the Privacy Rule, ranging from $100 to $50,000 per violation, up to a maximum of $1.5 million per year for the same violation.Reference:HIPAA Enforcement,IAPP CIPP/US Study Guide, Chapter 3, Section 3.1.1
Question 114
Which of the following best describes how federal anti-discrimination laws protect the privacy of private-sector employees in the United States?
They prescribe working environments that are safe and comfortable.
They limit the amount of time a potential employee can be interviewed.
They promote a workforce of employees with diverse skills and interests.
They limit the types of information that employers can collect about employees.
Federal anti-discrimination laws, such as Title VII of the Civil Rights Act of 1964, the Equal Pay Act of 1963, the Age Discrimination in Employment Act of 1967, and the Americans with Disabilities Act of 1990, prohibit employers from discriminating against employees or applicants based on certain protected characteristics, such as race, color, religion, sex, national origin, age, disability, and genetic information. These laws also limit the types of information that employers can collect, use, disclose, or retain about employees or applicants, in order to prevent discrimination or invasion of privacy. For example, employers cannot ask about an applicant's medical history, disability status, genetic information, or religious beliefs, unless they are relevant to the job or a bona fide occupational qualification. Employers also cannot use such information to make adverse employment decisions, such as hiring, firing, promotion, or compensation, unless they are justified by a legitimate business necessity or a reasonable accommodation. Employers must also safeguard the confidentiality of such information and dispose of it properly when it is no longer needed.Reference:
Federal Laws Prohibiting Job Discrimination Questions And Answers
Laws Enforced by EEOC
Employment and Anti-Discrimination Laws in the Workplace
Protections Against Discrimination and Other Prohibited Practices
3. Who is protected from employment discrimination?
Question 115
Even when dealing with an organization subject to the CCPA, California residents are NOT legally entitled to request that the organization do what?
Delete their personal information.
Correct their personal information.
Disclose their personal information to them.
Refrain from selling their personal information to third parties.
The CCPA grants California residents the right to request that a business delete, disclose, or stop selling their personal information, but it does not grant them the right to request that a business correct their personal information. However, the CPRA, which will amend and expand the CCPA in 2023, will grant California residents the right to request that a business correct inaccurate personal information.Reference:CCPA,CPRA,IAPP CIPP/US Study Guide(p. 62)
Question 116
Which of the following accurately describes the purpose of a particular federal enforcement agency?
The National Institute of Standards and Technology (NIST) has established mandatory privacy standards that can then be enforced against all for-profit organizations by the Department of Justice (DOJ).
The Cybersecurity and Infrastructure Security Agency (CISA) is authorized to bring civil enforcement actions against organizations whose website or other online service fails to adequately secure personal information.
The Federal Communications Commission (FCC) regulates privacy practices on the internet and enforces violations relating to websites' posted privacy disclosures.
The Federal Trade Commission (FTC) is typically recognized as having the broadest authority under the FTC Act to address unfair or deceptive privacy practices.
The FTC is the primary federal agency responsible for enforcing privacy and data security laws in the United States. The FTC has broad jurisdiction over most commercial entities that collect, use, or share personal information from consumers. The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce, which includes unfair or deceptive privacy practices. The FTC can bring enforcement actions against companies that violate their own privacy policies, fail to provide adequate notice or choice to consumers, engage in unfair or harmful data practices, or breach consumers' reasonable expectations of privacy. The FTC can also issue rules, guidelines, and reports on privacy and data security issues, as well as conduct investigations, workshops, and educational campaigns.Reference:
IAPP CIPP/US Body of Knowledge, Section I.A.1.a
IAPP CIPP/US Textbook, Chapter 1, pp. 9-12
FTC Privacy and Security Enforcement
Question 117
SCENARIO
Please use the following to answer the next QUESTION
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low- level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
Based on the problems with the company's privacy security that Roberta identifies, what is the most likely cause of the breach?
Unlock Premium Member
Question 118
SCENARIO
Please use the following to answer the next QUESTION
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low- level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
Which principle of the Consumer Privacy Bill of Rights, if adopted, would best reform the company's privacy program?
Question 119
SCENARIO
Please use the following to answer the next QUESTION
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low- level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
What could the company have done differently prior to the breach to reduce their risk?
Question 120
SCENARIO
Please use the following to answer the next QUESTION
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop. ''Doing your network?'' Matt asked hopefully.
''No,'' the boy said. ''I'm filling out a survey.''
Matt looked over his son's shoulder at his computer screen. ''What kind of survey?'' ''It's asking Questio ns about my opinions.''
''Let me see,'' Matt said, and began reading the list of Questio ns that his son had already answered. ''It's asking your opinions about the government and citizenship. That's a little odd. You're only ten.''
Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer Questions about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
Based on the incident, the FTC's enforcement actions against the marketer would most likely include what violation?
Related questions
Export
If you didn't receive an email within 5 minutes, you should submit a support request to [email protected].
|
BASIC - 1 Month
$
3
Full latest questions
No CAPTCHA
New Updates
Export to VPLUS
Export to PDF - All questions
Team support
|
PLUS - 2 Months
$
15
Full latest questions
No CAPTCHA
New Updates
Export to VPLUS
Export to PDF - All questions
Team support
|
PRO - 6 Months
$
40
Full latest questions
No CAPTCHA
New Updates
Export to VPLUS
Export to PDF - All questions
Team support
|
Full latest questions
No CAPTCHA
New Updates
Export to VPLUS
Export to PDF - All questions
Team support
Full latest questions
No CAPTCHA
New Updates
Export to VPLUS
Export to PDF - All questions
Team support
Full latest questions
No CAPTCHA
New Updates
Export to VPLUS
Export to PDF - All questions
Team support
Selling illegal goods, money scams etc.
Serious attack on a group.
Harassing an individual (including doxing)
Threatening or glorifying violence or serious harm, including self-harm
Nudity/Sexual content
Sexually explicit or suggestive imagery or writing involving minors
Sexually explicit or suggestive imagery or writing involving non-consenting adults or non-humans
Reusing content without attribution (link and blockquotes)
Not in English or has very bad formatting, grammar, and spelling
Author's credential is offensive, spam, or impersonation
Ex. Illegal content, incomplete question...
Question