Independence Day Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: netdisc

IAPP CIPP-C Certified Information Privacy Professional/ Canada (CIPP/C) Exam Practice Test

Demo: 22 questions
Total 150 questions

Certified Information Privacy Professional/ Canada (CIPP/C) Questions and Answers

Question 1

Chanel Hair Studio is a busy high-end hair salon. In an effort to maximize efficiency of its operations and reduce wait times for appointments, Chanel decides to implement artificial intelligence software that will use client profiles and history to predict which clients will likely be late for their appointments. Information used to create the client profile included appointment history, distance from the salon, and any references to being tardy pulled from the client’s social media accounts. If a client is predicted to be late, their appointment will be cancelled within 5 minutes.

Based on the details, what is the biggest potential privacy concern related to Chanel’s use of this new software?

Options:

A.

Scanning a client’s social media accounts to use in a client profile without notice to the client.

B.

Calculating client profile address distance from the salon to determine location from salon to help predict if the client will be late.

C.

Using client profile information for any purpose other than setting up an appointment.

D.

Assessing client tardiness history with the salon for predictive purposes.

Question 2

What consumer protection did the Fair and Accurate Credit Transactions Act (FACTA) require?

Options:

A.

The ability for the consumer to correct inaccurate credit report information

B.

The truncation of account numbers on credit card receipts

C.

The right to request removal from e-mail lists

D.

Consumer notice when third-party data is used to make an adverse decision

Question 3

SCENARIO

Please use the following to answer the next QUESTION:

You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo’s business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security

measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth’s security measures.

A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals – ones that exposed the PHI of public figures including celebrities and politicians.

During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.

A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual’s ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient’s attorney has submitted a discovery request for the ePHI exposed in the breach.

What is the most significant reason that the U.S. Department of Health and Human Services (HHS) might impose a penalty on HealthCo?

Options:

A.

Because HealthCo did not require CloudHealth to implement appropriate physical and administrative measures to safeguard the ePHI

B.

Because HealthCo did not conduct due diligence to verify or monitor CloudHealth’s security measures

C.

Because HIPAA requires the imposition of a fine if a data breach of this magnitude has occurred

D.

Because CloudHealth violated its contract with HealthCo by not encrypting the ePHI

Question 4

SCENARIO

Please use the following to answer the next QUESTION

Matt went into his son’s bedroom one evening and found him stretched out on his bed typing on his laptop. “Doing your homework?” Matt asked hopefully.

“No,” the boy said. “I’m filling out a survey.”

Matt looked over his son’s shoulder at his computer screen. “What kind of survey?” “It’s asking QUESTION NO:s about my opinions.”

“Let me see,” Matt said, and began reading the list of QUESTION NO:s that his son had already answered. “It’s asking your opinions about the government and citizenship. That’s a little odd. You’re only ten.”

Matt wondered how the web link to the survey had ended up in his son’s email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.

To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer QUESTION NO:s about his favorite games and toys.

Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son’s inbox, and he decided it was time to report the incident to the proper authorities.

Depending on where Matt lives, the marketer could be prosecuted for violating which of the following?

Options:

A.

Investigative Consumer Reporting Agencies Act.

B.

Unfair and Deceptive Acts and Practices laws.

C.

Consumer Bill of Rights.

D.

Red Flag Rules.

Question 5

Which venture would be subject to the requirements of Section 5 of the Federal Trade Commission Act?

Options:

A.

A local nonprofit charity’s fundraiser

B.

An online merchant’s free shipping offer

C.

A national bank’s no-fee checking promotion

D.

A city bus system’s frequent rider program

Question 6

SCENARIO

Please use the following to answer the next QUESTION

When there was a data breach involving customer personal and financial information at a large retail store, the company’s directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor

procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low- level employees had access to all of the company’s customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.

Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees’ access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers’ financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.

When the breach occurred, the company’s executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta’s guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.

Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.

Which principle of the Consumer Privacy Bill of Rights, if adopted, would best reform the company’s privacy program?

Options:

A.

Consumers have a right to exercise control over how companies use their personal data.

B.

Consumers have a right to reasonable limits on the personal data that a company retains.

C.

Consumers have a right to easily accessible information about privacy and security practices.

D.

Consumers have a right to correct personal data in a manner that is appropriate to the sensitivity.

Question 7

The Video Privacy Protection Act of 1988 restricted which of the following?

Options:

A.

Which purchase records of audio visual materials may be disclosed

B.

When downloading of copyrighted audio visual materials is allowed

C.

When a user’s viewing of online video content can be monitored

D.

Who advertisements for videos and video games may target

Question 8

Which of the following is most likely to provide privacy protection to private-sector employees in the United States?

Options:

A.

State law, contract law, and tort law

B.

The Federal Trade Commission Act (FTC Act)

C.

Amendments one, four, and five of the U.S. Constitution

D.

The U.S. Department of Health and Human Services (HHS)

Question 9

Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.

Because it is a HIPPA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S. Department of Health and Human Services about the breach.

Which statement accurately describes SMH’s notification responsibilities?

Options:

A.

If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.

B.

If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.

C.

If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.

D.

If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate

notification to individuals in the state of New York.

Question 10

What is a key way that the Gramm-Leach-Bliley Act (GLBA) prevents unauthorized access into a person’s back account?

Options:

A.

By requiring immediate public disclosure after a suspected security breach.

B.

By requiring the amount of customer personal information printed on paper.

C.

By requiring the financial institutions limit the collection of personal information.

D.

By restricting the disclosure of customer account numbers by financial institutions.

Question 11

Which of the following became the first state to pass a law specifically regulating the practices of data brokers?

Options:

A.

Washington.

B.

California.

C.

New York.

D.

Vermont.

Question 12

What is the most likely reason that states have adopted their own data breach notification laws?

Options:

A.

Many states have unique types of businesses that require specific legislation

B.

Many lawmakers believe that federal enforcement of current laws has not been effective

C.

Many types of organizations are not currently subject to federal laws regarding breaches

D.

Many large businesses have intentionally breached the personal information of their customers

Question 13

Which of the following types of information would an organization generally NOT be required to disclose to law enforcement?

Options:

A.

Information about medication errors under the Food, Drug and Cosmetic Act

B.

Money laundering information under the Bank Secrecy Act of 1970

C.

Information about workspace injuries under OSHA requirements

D.

Personal health information under the HIPAA Privacy Rule

Question 14

Which statement is FALSE regarding the provisions of the Employee Polygraph Protection Act of 1988 (EPPA)?

Options:

A.

The EPPA requires that employers post essential information about the Act in a conspicuous location.

B.

The EPPA includes an exception that allows polygraph tests in professions in which employee honesty is necessary for public safety.

C.

Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits.

D.

Employers involved in the manufacture of controlled substances may terminate employees based on polygraph results if other evidence exists.

Question 15

Which of the following accurately describes the purpose of a particular federal enforcement agency?

Options:

A.

The National Institute of Standards and Technology (NIST) has established mandatory privacy standards that can then be enforced against all for-profit organizations by the Department of Justice (DOJ).

B.

The Cybersecurity and Infrastructure Security Agency (CISA) is authorized to bring civil enforcement actions against organizations whose website or other online service fails to adequately secure personal information.

C.

The Federal Communications Commission (FCC) regulates privacy practices on the internet and enforces violations relating to websites’ posted privacy disclosures.

D.

The Federal Trade Commission (FTC) is typically recognized as having the broadest authority under the FTC Act to address unfair or deceptive privacy practices.

Question 16

SCENARIO

Please use the following to answer the next QUESTION:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: “Please act immediately by identifying all personal data received from our company.”

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup’s rapid market penetration.

As the Company’s data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

Under the GDPR, the complainant’s request regarding her personal information is known as what?

Options:

A.

Right of Access

B.

Right of Removal

C.

Right of Rectification

D.

Right to Be Forgotten

Question 17

Which law provides employee benefits, but often mandates the collection of medical information?

Options:

A.

The Occupational Safety and Health Act.

B.

The Americans with Disabilities Act.

C.

The Employee Medical Security Act.

D.

The Family and Medical Leave Act.

Question 18

What do the Civil Rights Act, Pregnancy Discrimination Act, Americans with Disabilities Act, Age Discrimination Act, and Equal Pay Act all have in common?

Options:

A.

They require employers not to discriminate against certain classes when employees use personal information

B.

They require that employers provide reasonable accommodations to certain classes of employees

C.

They afford certain classes of employees’ privacy protection by limiting inquiries concerning their personal information

D.

They permit employers to use or disclose personal information specifically about employees who are members of certain classes

Question 19

If an organization certified under Privacy Shield wants to transfer personal data to a third party acting as an agent, the organization must ensure the third party does all of the following EXCEPT?

Options:

A.

Uses the transferred data for limited purposes

B.

Provides the same level of privacy protection as the organization

C.

Notifies the organization if it can no longer meet its requirements for proper data handling

D.

Enters a contract with the organization that states the third party will process data according to the consent agreement

Question 20

According to FERPA, when can a school disclose records without a student’s consent?

Options:

A.

If the disclosure is not to be conducted through email to the third party

B.

If the disclosure would not reveal a student’s student identification number

C.

If the disclosure is to practitioners who are involved in a student’s health care

D.

If the disclosure is to provide transcripts to a school where a student intends to enroll

Question 21

What is the main reason some supporters of the European approach to privacy are skeptical about self- regulation of privacy practices?

Options:

A.

A large amount of money may have to be sent on improved technology and security

B.

Industries may not be strict enough in the creation and enforcement of rules

C.

A new business owner may not understand the regulations

D.

Human rights may be disregarded for the sake of privacy

Question 22

Based on the 2012 Federal Trade Commission report “Protecting Consumer Privacy in an Era of Rapid Change”, which of the following directives is most important for businesses?

Options:

A.

Announcing the tracking of online behavior for advertising purposes.

B.

Integrating privacy protections during product development.

C.

Allowing consumers to opt in before collecting any data.

D.

Mitigating harm to consumers after a security breach.

Demo: 22 questions
Total 150 questions