
Question 150 - CIPP-US discussion


SCENARIO

Please use the following to answer the next question.

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask questions about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense -- like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.

Based on Felicia's Bring Your Own Device (BYOD) plan, the business consultant will most likely advise Felicia and Celeste to do what?

A. Reconsider the plan in favor of a policy of dedicated work devices.

B. Adopt the same kind of monitoring policies used for work-issued devices.

C. Weigh any productivity benefits of the plan against the risk of privacy issues.

D. Make employment decisions based on those willing to consent to the plan in writing.

Suggested answer: C

Explanation:

BYOD is a practice that allows employees to use their own personal devices, such as smartphones, tablets, or laptops, for work-related purposes. BYOD can offer benefits to both employers and employees, such as increased flexibility, convenience, and productivity. However, BYOD also poses significant privacy and security risks, such as data breaches, unauthorized access, loss or theft of devices, malware infections, and compliance challenges. Therefore, the business consultant will most likely advise Felicia and Celeste to weigh any productivity benefits of the plan against the risk of privacy issues, and to implement a comprehensive BYOD policy that addresses the following aspects:

- The scope and purpose of the BYOD program, including the types of devices, data, and applications that are allowed or prohibited.
- The roles and responsibilities of the employer and the employees, including the ownership, control, and access rights for the devices and the data.
- The security measures and controls required to protect the devices and the data, such as encryption, passwords, remote wipe, antivirus software, firewalls, and VPNs.
- The privacy expectations and obligations of the employer and the employees, such as notice, consent, and disclosure requirements, limits on data collection and monitoring, retention and deletion policies, and rights of access and correction.
- The legal and regulatory requirements that apply to the BYOD program, which depend on the data involved and may include the FTC Act, GLBA, HIPAA, COPPA, the CCPA, and the GDPR.
- The incident response and reporting procedures to follow in the event of a data breach, loss or theft of a device, or any other privacy or security issue.
- The training and education programs provided to employees to raise awareness and understanding of the BYOD policy and best practices.
- The enforcement and audit mechanisms used to ensure compliance with and accountability under the BYOD policy, such as sanctions, penalties, reviews, and audits.

References: IAPP CIPP/US Body of Knowledge, Section III.C.2; IAPP CIPP/US Textbook, Chapter 3, pp. 113-115; FTC, Mobile Device Security.

asked 22/11/2024 by Mark Josef Delos Santos