IAPP CIPP-US Practice Test - Questions Answers, Page 17
Question list
Related questions
A financial services company install 'bossware' software on its employees' remote computers to monitor performance. The software logs screenshots, mouse movements, and keystrokes to determine whether an employee is being productive. The software can also enable the computer webcams to record video footage.
Which of the following would best support an employee claim for an intrusion upon seclusion tort?
The webcam is enabled to record video any time the computer is turned on.
The company creates and saves a biometric template for each employee based upon keystroke dynamics.
The software automatically sends a notification to a supervisor any time the employee's mouse is dormant for more than five minutes.
The webcam records video of an employee using a company laptop to perform personal business while at a coffee shop during work hours.
The CFO of a pharmaceutical company is duped by a phishing email and discloses many of the company's employee personnel files to an online predator. The files include employee contact information, job applications, performance reviews, discipline records, and job descriptions.
Which of the following state laws would be an affected employee's best recourse against the employer?
The state social security number confidentiality statute.
The state personnel record review statute.
The state data destruction statute.
The state UDAP statute.
A company based in United States receives information about its UK subsidiary's employees in connection with the centralized HR service it provides.
How can the UK company ensure an adequate level of data protection that would allow the restricted data transfer to continue?
By signing up to an approved code of conduct under UK GDPR to demonstrate compliance with its requirements, both for the parent and the subsidiary companies.
By revising the contract with the United States parent company incorporating EU SCCs, as it continues to be valid for restricted transfers under the UK regime.
By submitting to the ICO a new application for the UK BCRs using the UK BCR application forms, as their existing authorized EU BCRs are not recognized.
By allowing each employee the option to opt-out to the restricted transfer, as it is necessary to send their names in order to book the sales bonuses.
Which of the following state laws has an entity exemption for organizations subject to the Gramm-Leach-Bliley Act (GLBA)?
Nevada Privacy Law.
California Privacy Rights Act.
California Consumer Privacy Act.
Virginia Consumer Data Protection Act
When designing contact tracing apps in relation to COVID-19 or any other diagnosed virus, all of the following privacy measures should be considered EXCEPT?
Data retention.
Use limitations.
Opt-out choice.
User confidentiality.
SCENARIO -
Please use the following to answer the next question:
Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence. Unbeknownst to Patrick, the FBI has already received a hint from anonymous whistleblower, and jointly with the National Security Agency is investigating Jane's possible implication in a sophisticated foreign espionage campaign.
Ever since the pandemic, Jane has been working from home. To complete her daily tasks she uses her corporate laptop, which after each login conspicuously provides notice that the equipment belongs to Jones Labs and may be monitored according to the enacted privacy policy and employment handbook. Jane also has a corporate mobile phone that she uses strictly for business, the terms of which are defined in her employment contract and elaborated upon in her employee handbook. Both the privacy policy and the employee handbook are revised annually by a reputable California law firm specializing in privacy law. Jane also has a personal iPhone that she uses for private purposes only.
Jones Labs has its primary data center in San Francisco, which is managed internally by Jones Labs engineers. The secondary data center, managed by Amazon AWS, is physically located in the UK for disaster recovery purposes. Jones Labs' mobile devices backup is managed by a mid-sized mobile defense company located in Denver, which physically stores the data in Canada to reduce costs. Jones Labs MS Office documents are securely stored in a Microsoft Office 365 data center based in Ireland. Manufacturing data of Jones Labs is stored in Taiwan and managed by a local supplier that has no presence in the U.S.
Before inspecting any GPS geolocation data from Jane's corporate mobile phone, Patrick should first do what?
Obtain prior consent from Jane pursuant to the Telephone Consumer Protection Act
Revise emerging workplace privacy best practices with a reputable advocacy organization.
Obtain a subpoena from law enforcement, or a court order, directing Jones Labs to collect the GPS geolocation data.
Ensure that such activity is permitted under Jane's employment contract or the company's employee privacy policy.
Once a breach has been definitively established, which task should be prioritized next?
Involving law enforcement and state Attorneys General.
Determining what was responsible for the breach and neutralizing the threat.
Providing notice to the affected parties so they can take precautionary measures.
Implementing remedial measures and evaluating how to prevent future breaches.
SCENARIO -
Please use the following to answer the next question:
Miraculous Healthcare is a large medical practice with multiple locations in California and Nevada. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.
For this new initiative, Miraculous is considering a product built by MedApps, a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices' branding. MedApps provides technical support for the app, which it hosts in the cloud. MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service.
Riya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices, as well as negotiating the terms of vendor agreements. Riya is currently reviewing the suitability of the MedApps app from a privacy perspective.
Riya has also been asked by the Miraculous Healthcare business operations team to review the MedApps' optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedApps.
What HIPAA compliance issue would Miraculous have to consider before using the telehealth app?
HIPAA does not permit healthcare providers to use cloud hosting services.
HIPAA does not permit in-person appointment data to be hosted in the cloud.
HIPAA would require Miraculous and MedApps to enter into a Business Associate Agreement.
HIPAA would require Miraculous to obtain patient consent before in-person appointment data can be shared with third parties.
Which of the following practices is NOT a key component of a data ethics framework?
Automated decision-making.
Preferability testing.
Data governance.
Auditing.
What was unique about the action that the Federal Trade Commission took against B.J.'s Wholesale Club in 2005?
It made third-party audits a penalty for policy violations.
It was based on matters of fairness rather than deception.
It was the first substantial U.S.-EU Safe Harbor enforcement.
It made user consent mandatory after any revisions of policy.
Question