CIPP/US Certification Exam Prep Test

Approved & Edited by ProProfs Editorial Team
The editorial team at ProProfs Quizzes consists of a select group of subject experts, trivia writers, and quiz masters who have authored over 10,000 quizzes taken by more than 100 million users. This team includes our in-house seasoned quiz moderators and subject matter experts. Our editorial experts, spread across the world, are rigorously trained using our comprehensive guidelines to ensure that you receive the highest quality quizzes.
Learn about Our Editorial Process
| By Themes
T
Themes
Community Contributor
Quizzes Created: 416 | Total Attempts: 700,873
Questions: 266 | Attempts: 148

SettingsSettingsSettings
Certification Quizzes & Trivia

Questions and Answers
  • 1. 

    Which is the best description of the U.S. legal concept of "preemption"?

    • A.

      States are prevented by federal law from passing any laws that regulate financial privacy.

    • B.

      The superior government has the right to supersede the lesser government’s laws. The lesser government cannot pass a law that is inconsistent with the superior government’s law.

    • C.

      State laws supersede federal law in certain areas such as marketing.

    • D.

      The EU General Data Protection Regulation (GDPR) takes precedence over U.S. law, federal or state.

    Correct Answer
    B. The superior government has the right to supersede the lesser government’s laws. The lesser government cannot pass a law that is inconsistent with the superior government’s law.
    Explanation
    The correct answer is B: [States are prevented by federal law from enforcing laws that impose different or stricter laws in the same area.]

    Article VI, Section 2, of the U.S. Constitution provides that the "…Constitution, and the Laws of the United States … shall be the supreme Law of the Land." This Supremacy Clause has come to mean that the national government, in exercising any of the powers enumerated in the Constitution, must prevail over any conflicting or inconsistent state exercise of power. The federal preemption doctrine is a judicial response to the conflict between federal and state legislation. When it is clearly established that a federal law preempts a state law, the state law must be declared invalid. Also, a doctrine of state law that holds that a state law displaces a local law or regulation that is in the same field and is in conflict or inconsistent with the state law. West's Encyclopedia of American Law, edition 2. Copyright 2008 The Gale Group, Inc.

    Rate this question:

  • 2. 

    What is one reason consent decrees are posted publicly on the FTC website?

    • A.

      To announce the amount of civil penalties the FTC levies

    • B.

      To prove that companies have complied with FTC rulings

    • C.

      To punish companies that violate FTC rulings

    • D.

      To provide guidance about what practices the FTC finds inappropriate

    Correct Answer
    D. To provide guidance about what practices the FTC finds inappropriate
    Explanation
    The correct answer is D: [To provide guidance about what practices the FTC finds inappropriate.]

    FTC privacy enforcement actions have been settled through consent decrees and accompanying consent orders. Consent decrees are posted publicly on the FTC website, and the details of these decrees provide guidance about what practices the FTC finds inappropriate.

    Rate this question:

  • 3. 

    Which of the following is considered an acceptable method for U.S.-based multinational transportation companies to achieve compliance with the EU General Data Protection Regulation?

    • A.

      Global consent

    • B.

      Transparency

    • C.

      Binding corporate rules

    • D.

      Disclosure

    Correct Answer
    C. Binding corporate rules
    Explanation
    The correct answer is C: [Binding corporate rules.]

    Binding corporate rules (BCRs) are data protection policies adhered to by companies established in the EU. They are one method through which organizations can transfer data to non-EU member states under the GDPR. Supervisory authorities participate in the review and approval process of BCRs.

    Rate this question:

  • 4. 

    Which statement is true regarding transfers of personal information to locations outside of the U.S.?

    • A.

      U.S. laws generally do not restrict geographic transfers of personal information.

    • B.

      U.S. data exporters are not liable for any inappropriate uses of the personal information.

    • C.

      U.S. data exports are immune from legal enforcement if handled by service providers.

    • D.

      U.S. laws have "reciprocity" arrangements with most national data protection laws.

    Correct Answer
    A. U.S. laws generally do not restrict geographic transfers of personal information.
    Explanation
    The correct answer is A: [U.S. laws generally do not restrict geographic transfer of personal information.]

    This stands in contrast to the restrictions imposed by Chapter V of the EU General Data Protection Regulation (GDPR), which states, in part, “ Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organization...” GDPR Chapter V then outlines specific data transfer mechanisms, including “an adequacy decision,” “appropriate safeguards,” “binding corporate rules,” and “derogations.”

    Rate this question:

  • 5. 

    What is the primary basis of common law?

    • A.

      Statutes enacted by legislative bodies.

    • B.

      statutes enacted by legislative bodies.

    • C.

      Laws guaranteed by the Constitution of the United States of America.

    • D.

      Regulations that are promulgated by state and federal agencies.

    Correct Answer
    B. statutes enacted by legislative bodies.
    Explanation
    The correct answer is B: [Legal precedent and social custom.]

    In the absence of statutes, common law has long drawn on precedent to provide special privilege rules such as attorney-client privilege and doctor-patient confidentiality.

    Rate this question:

  • 6. 

    What should a U.S.-based organization do before it shares personal information with a U.S.- based third party?

    • A.

      Convert personal data from opt-out to opt-in

    • B.

      Have a Standard Model Clause in place

    • C.

      Assure appropriate privacy terms and conditions are included in a contract with the third party

    • D.

      Perform a test of the vendor's disaster recovery / business contingency plan

    Correct Answer
    C. Assure appropriate privacy terms and conditions are included in a contract with the third party
    Explanation
    The correct answer is C: [Assure appropriate privacy terms and conditions are included in a contract with the third party.]

    This question involves data transfers within the U.S., so no special restrictions apply other than those imposed on certain sectors, such as healthcare or financial. As a matter of best practices, however, an organization should apply due diligence to ensure that a third party treats personal information with at least the same protections as the originating organization. A contract with appropriate privacy terms and conditions is a good way to assure such is the case.

    Rate this question:

  • 7. 

    What is the role of a U.S.-based software-as-a-service provider that stores employee personal data for a global company headquartered in the U.S. with subsidiaries in the EU?

    • A.

      Data controller

    • B.

      Data owner

    • C.

      data processor

    • D.

      Data subject

    Correct Answer
    C. data processor
    Explanation
    The correct answer is C: [Data processor.]

    The terms “data subject,” “data processor” and “data controller” originated in the EU Data Protection Directive and are not universally used in the U.S. A data subject is an individual about whom information is being processed. A data controller is an organization or individual with the authority to decide how and why information about data subjects is to be processed. A data processor is an organization or individual that processes data on behalf of the data controller. In the question then, the U.S. SaaS provider is processing data of behalf of the data controller, it is a data processor.

    Rate this question:

  • 8. 

    Which federal agency has specific statutory responsibility for issues such as children's privacy online and commercial email marketing?

    • A.

      Securities and Exchange Commission

    • B.

      Consumer Financial Protection Bureau

    • C.

      Department of Justice

    • D.

      Federal Trade Commission

    Correct Answer
    D. Federal Trade Commission
    Explanation
    The correct answer is D: [Federal Trade Commission.]

    In addition to its general authority to enforce “unfair and deceptive trade practices,” the Federal Trade Commission (FTC) has been legislatively charged with enforcing specific privacy-related laws. COPPA required the FTC to issue and enforce a rule concerning children’s online privacy, which the Commission did in 1999. The Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312, became effective on April 21, 2000. CAN-SPAM authorized the FTC to enforce the CAN-SPAM Act, and the Commission subsequently issued the “Telemarketing Sales Rule” (TSR). Between these actions and many others, including
    consent decrees, the FTC has indeed played a prominent role in the development of U.S. privacy standards. See also web-based information sources, such as http://www.ftc.gov/privacy/coppafaqs.shtm

    Rate this question:

  • 9. 

    Under the Children's Online Privacy Protection Act, which is an accepted means for an organization to validate parental consent when it intends to disclose a child's information to a third party?

    • A.

      Email a consent form. The parent can provide consent by responding to the email.

    • B.

      Email a consent form. The parent can provide consent by signing and mailing back the form.

    • C.

      Request in an email that the parent consent by reply email and also provide email, phonenumber, or fax.

    • D.

      Email a consent form to the parent allowing 30 days to object to the data disclosure.

    Correct Answer
    B. Email a consent form. The parent can provide consent by signing and mailing back the form.
    Explanation
    The correct answer is B: [E-mail a consent form and the parent can provide consent by signing and mailing back the form.]

    According to the FTC website, if a website operator is going to disclose children’s personal information to third parties…then it must use one of the more reliable methods to obtain verifiable parental consent enumerated in the rule:

    • provide a form for the parent to print, fill out, sign, and mail or fax back to you (the “print-and-send” method);

    • require the parent to use a credit card in connection with a transaction (which could consist of a membership or subscription fee, a purchase, or a charge to cover the cost of processing the credit card).

    • maintain a toll-free telephone number staffed by trained personnel for parents to call in their consent; or

    • obtain consent through an email from the parent, if that email contains a digital signature, or other digital certificate that uses public key technology obtained through one of the above methods. http://www.ftc.gov/privacy/coppafaqs.shtm#consent

    Rate this question:

  • 10. 

    In addition to the Security Rule, what other rule was promulgated by Health and Human Services and and mandated by the Health Insurance Portability and Accountability Act?

    • A.

      Operations Rule

    • B.

      Transaction Rule

    • C.

      Privacy Rule

    • D.

      Disclosure Rule

    Correct Answer
    C. Privacy Rule
    Explanation
    The correct answer is C: [The Privacy Rule.]

    HIPAA required the Department of Health and Human Services (HHS) to promulgate regulations to protect the privacy and security of healthcare information, and HHS issued the Privacy Rule in December 2000 (revised in 2002) and the Security Rule in February 2003. HHS also promulgated the Transactions Rule, but this related not to privacy or data security but to standard electronic formats to fulfill another important reason for the legislation—to improve the efficiency of healthcare delivery. There is no “operations rule” under HIPAA.

    Rate this question:

  • 11. 

    Which of the following examples best illustrates the concept of "consumer report" for preemployment screening as defined under the U.S. Fair Credit Reporting Act?

    • A.

      Library records released by a municipal body

    • B.

      Driving history obtained from an information aggregator

    • C.

      Academic records obtained from an accredited university

    • D.

      Purchase transactions obtained from an online retailer

    Correct Answer
    B. Driving history obtained from an information aggregator
    Explanation
    The correct answer is B: [Driving history obtained from an information aggregator.]

    Under the Fair Credit Reporting Act (FCRA), users must have a permissible purpose in order to obtain an individual’s credit report. Among these permissible purposes is the determination of a consumer’s eligibility for a license. Library records, purchase transactions and academic records do not represent a permissible purpose.

    Rate this question:

  • 12. 

    Which of the statements about the requirements for privacy under the U.S. Gramm-Leach-Bliley Act (GLBA) is true?

    • A.

      Financial institutions can share customer information with non-affiliated third-party companieswithout obtaining an opt-in from the customer.

    • B.

      GLBA privacy rules are overseen by many regulatory organizations such as the Department of Commerce.

    • C.

      GLBA retains the legislative power to preempt any financial services laws as currently enforced by U.S. states.

    • D.

      U.S.-based financial institutions may not share any information with companies that are affiliated with financial institutions.

    Correct Answer
    A. Financial institutions can share customer information with non-affiliated third-party companieswithout obtaining an opt-in from the customer.
    Explanation
    The correct answer is A: [Financial institutions can share customer information with non-affiliated third-party companies without obtaining an opt-in from the customer.]

    GLBA does not preempt stricter state laws. The Department of Commerce has no role in enforcing GLBA privacy rules. While financial institutions are prohibited from disclosing consumer account numbers to non-affiliated companies even if the consumer has not opted out of sharing information, other information can be shared without obtaining an opt in, such as information shared the outside companies that provide essential services like data processing.

    Rate this question:

  • 13. 

    What does the "red flags rule" require of financial institutions?

    • A.

      They must develop and implement methods of detecting identity theft.

    • B.

      They must identify who might be a poor credit risk for new mortgages, such as sub-primelending.

    • C.

      They must determine whether their corporate databases have been breached and reactaccording to data breach regulations.

    • D.

      They must locate unencrypted transmissions of their customer's financial data.

    Correct Answer
    A. They must develop and implement methods of detecting identity theft.
    Explanation
    The correct answer is A: [That they develop and implement methods of detecting identity theft.]

    Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires regulators to develop a set of rules to mandate the detection, prevention and mitigation of identity theft.
    http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf

    Rate this question:

  • 14. 

    The "Digital Telephony Bill" is another name for which legislation?

    • A.

      Electronic Communications Privacy Act

    • B.

      Stored Communications Act

    • C.

      Telecommunications Act

    • D.

      U.S. Communications Assistance to Law Enforcement Act

    Correct Answer
    D. U.S. Communications Assistance to Law Enforcement Act
    Explanation
    The correct answer is D: [The U.S. Communications Assistance to Law Enforcement Act.]

    CALEA is also known as the Digital Telephony Bill.

    Rate this question:

  • 15. 

    Which condition must be met to satisfy the Right to Financial Privacy Act requirements for disclosure of individual records by financial institutions?

    • A.

      The customer authorizes access.

    • B.

      There is a qualified search warrant.

    • C.

      There is an appropriate judicial subpoena.

    • D.

      The financial records are reasonably described.

    Correct Answer
    D. The financial records are reasonably described.
    Explanation
    The correct answer is D: [The financial records are reasonably described.]

    The Right to Financial Privacy Act of 1978 (RFPA) states that “no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are
    reasonably described” and meet at least one additional conditions. Options B-D are three of these five conditions and are not absolutely required.

    Rate this question:

  • 16. 

    Which U.S. state requires daily electronic notice in order for an employer to monitor or intercept electronic mail?

    • A.

      New Hampshire

    • B.

      Alaska

    • C.

      Delaware

    • D.

      Connecticut

    Correct Answer
    C. Delaware
    Explanation
    The correct answer is C: [Delaware.]

    Delaware Code, Section 705: Notice of monitoring of telephone transmissions, electronic mail and internet usage states: “No employer, nor any agent or any representative of any employer, shall monitor or otherwise intercept any telephone conversation or transmission, electronic mail or transmission, or Internet access or usage of or by a Delaware employee unless the employer…(p)rovides an electronic notice of such monitoring or intercepting policies or activities to the employee at least once during each day the employee accesses the employer-provided e-mail or Internet access services.”
    http://codes.lp.findlaw.com/decode/19/7/I/705

    Rate this question:

  • 17. 

    Under the USA PATRIOT Act and its amendments, which statement is correct concerning National Security Letters (NSL)?

    • A.

      NSL recipients must fulfill the request, even if compliance is oppressive.

    • B.

      New restrictions reduced the number of NSLs issued.

    • C.

      Issuance of an NSL requires judicial authorization.

    • D.

      An organization receiving an NSL may disclose the request to an attorney for legal assistance.

    Correct Answer
    D. An organization receiving an NSL may disclose the request to an attorney for legal assistance.
    Explanation
    The correct answer is D: [An organization receiving an NSL may disclose the request to an attorney for legal assistance.]

    NSL recipients may disclose the request to those necessary to comply with the request and to an attorney for legal assistance. NSLs can be issued by authorized officials, often the special agent in charge of an FBI field office, and requires no judicial authorization. The number of NSLs issued has increased in recent years. Under the 2006 amendments to the USA Patriot Act, recipients can petition a federal court to modify or set aside an NSL if compliance would be unreasonable or oppressive.

    Rate this question:

  • 18. 

    Which investigative tactic requires a probable cause and other requirements, such as exhausting alternative means of acquiring the evidence?

    • A.

      Telephone wiretap

    • B.

      Access to store emails

    • C.

      Pen register order

    • D.

      traditional search warrant

    Correct Answer
    A. Telephone wiretap
    Explanation
    The answer is A: [A telephone wiretap.]

    A telephone wiretap requires a probable cause and other requirements, such as the exhaustion of alternative means of acquiring the evidence. The Supreme Court has held that police need warrants to use telephone wiretaps, but that police do not need warrants to obtain information from a third party, such as from the telephone company. There may be changes in the near future to the third party exception because of increased technologies.

    Rate this question:

  • 19. 

    Based on Aerospaciale v. S.D. of Iowa, which is NOT a factor American courts will use to reconcile a conflict between U.S. and foreign law regarding electronic discovery requests?

    • A.

      Specificity of the request

    • B.

      Whether the information originated in the U.S.

    • C.

      Whether counsel for both parties are based in the U.S.

    • D.

      Availability of alternative means of acquiring the information

    Correct Answer
    C. Whether counsel for both parties are based in the U.S.
    Explanation
    The correct answer is C: [Whether counsel for both parties are based in the United States.]

    The factors an American court will use to reconcile trans-border eDiscovery conflicts are (1) the importance of the documents or data to the litigation at hand, (2) The specificity of the request, (3) whether the information originated in the United States, (4) the availability of alternative means of securing the information and (5) the extent to which the important interests of the United States and the foreign state would be undermined by an adverse ruling. The location of opposing counsel is irrelevant.

    Rate this question:

  • 20. 

    What changes did the FISA Amendments Act of 2008 make to the original Foreign Intelligence Surveillance Act of 1978?

    • A.

      Express authorization of foreign intelligence wiretaps

    • B.

      Legal authorization of some new surveillance practices

    • C.

      A series of checks and balances on the president and attorney general

    • D.

      Access to stored communication records without judicial authorization

    Correct Answer
    B. Legal authorization of some new surveillance practices
    Explanation
    The correct answer is B: [Legal authorization of some new surveillance practices.]

    FISA gave legal authorization to new surveillance practices, including when one party is reasonably believed to be outside of the United States. It also granted immunity to the telephone companies so they would not be liable for the records they had provided to the government in the wake of September 11. The new rules required more reporting from the government to Congress and put limits on some of the secrecy about NSLs and other government requests for records in the national security realm. FISA itself expressly authorized foreign intelligence wiretaps and put checks and balances on the Administration. Neither FISA nor its amendments authorized access to stored communications without judicial authorization.

    Rate this question:

  • 21. 

    Which two actions are required under the Fair Credit Reporting Act in order for an employer to obtain a consumer report on a job applicant?

    • A.

      Provide notice to applicant after taking adverse action and provide the applicant with a method to appeal the decision

    • B.

      Obtain data only from a qualified credit reporting agency and certify that the agency has administrative, technical and physical safeguards in place

    • C.

      Certify to the credit reporting agency that the employer has a permissible purpose and providea written consent from the employer

    • D.

      Obtain applicant's written consent and provide applicant with a copy of the credit report before taking an adverse action

    Correct Answer
    D. Obtain applicant's written consent and provide applicant with a copy of the credit report before taking an adverse action
    Explanation
    The correct answer is D: [Obtain applicant’s written consent and provide applicant with a copy of the credit report before taking an adverse action.]

    To obtain any consumer report under FCRA, an employer must meet the following standards: (1) provide written notice to the applicant that it is obtaining a consumer report for employment purposes and indicate if an investigative consumer report will be obtained; (2) obtain written consent from the applicant; (3) obtain data only from a qualified consumer reporting agency that has taken steps to assure the accuracy and currency of the data; (4) certify to the consumer reporting agency that the employer has a permissible purpose and has obtained consent from the employee; (5) before taking an adverse action, provide a pre-adverse action notice to the applicant with a copy of the consumer report in order to give the applicant an opportunity to dispute the report and (6) after taking adverse action, provide an adverse action notice.

    Rate this question:

  • 22. 

    All of the following are considered acceptable reasons for sharing records of U.S. employees with third parties without obtaining the consent of the employees except:

    • A.

      Test marketing the company's new products

    • B.

      Determining legal standing or citizen status

    • C.

      Retirement planning

    • D.

      Group insurance underwriting

    Correct Answer
    A. Test marketing the company's new products
    Explanation
    The correct answer is A: [Test marketing the company’s new products.]

    Determining legal standing or citizen status, retirement planning and group insurance underwriting all constitute legitimate organizational activities in the course of doing business or managing employees. Sharing employee records with a third party for the purpose of test marketing the company’s products, however, would be an inappropriate disclosure of the employee’s personal information.

    Rate this question:

  • 23. 

    All of the following are considered acceptable lines of questioning by U.S. employers to applicants in the pre-employment process except:

    • A.

      Questions about the applicant's duration of stay on the job or any anticipated absences

    • B.

      Questions regarding any medical conditions or disabilities that would inhibit the performanceof the job function

    • C.

      Questions on whether an applicant has applied for or received worker's compensation

    • D.

      Questions about the applicant's height or weight as this relates to a specific job function

    Correct Answer
    C. Questions on whether an applicant has applied for or received worker's compensation
    Explanation
    The correct answer is C: [Questions on whether an applicant has applied for or received worker’s compensation.]

    A number of U.S. federal laws prohibit discrimination in employment and place limits on the information an employer is entitled to ascertain in the screening process. Generally speaking questions that specifically relate to a candidate’s ability to perform the job for which he or she has applied are allowable, such as medical conditions, disabilities and physical characteristics and anticipated absences. Questions about past worker’s compensation applications, however, are specifically prohibited by the Americans with Disabilities Act (ADA).

    Rate this question:

  • 24. 

    In terms of U.S. employees' workplace privacy rights, all of the following are acceptable monitoring techniques available to employers except:

    • A.

      Internet access and usage

    • B.

      Badge cards and ID readers

    • C.

      Secret surveillance

    • D.

      Closed-circuit television

    Correct Answer
    C. Secret surveillance
    Explanation
    The correct answer is C: [Secret surveillance.]

    In the United States, private-sector employees in general have limited expectations of privacy at the workplace, and there are sometimes significant incentives to monitor employees. Except as limited by state statute or a collective bargaining agreement, video monitoring is allowable unless placed in a “private place,” such as a restroom or locker rooms. Employers also have a right to monitor internet usage if such a policy is publicized and applied to all employees. Furthermore, employers certainly have the right, and often the obligation, to limit access to company property through the use of badges, readers and other techniques. The key to avoiding a privacy issue, beyond adherence to specific laws and regulations, is to ensure that all policies regarding monitoring are made known to employees—secret surveillance is not acceptable in most settings.

    Rate this question:

  • 25. 

    All of the following are valid privacy protection procedures when terminating an employee who has access to sensitive personal information except:

    • A.

      Removing the employee's access rights to sensitive personal information before escorting theemployee from the premises

    • B.

      Reminding the employee of a non-disclosure agreement signed at the time of employment

    • C.

      Demanding that the employee not remove paper and electronic files, and only remove personal effects under direct observation

    • D.

      Asking the employee to sign the privacy policy immediately before conducting the exit interview

    Correct Answer
    D. Asking the employee to sign the privacy policy immediately before conducting the exit interview
    Explanation
    The correct answer is D: [Asking employees to sign the privacy policy immediately before conducting the exit interview.]

    Employers have the right to terminate a former employee’s access to the physical and informational assets of the organization. In the case of a terminated employee, it is reasonable to require the individual, under observation, to remove only personal effects and to remove the individual’s access right to personal information held by the organization. When an employee signed a non-disclosure agreement at the time of employment, it is also appropriate to remind a terminated employee of that agreement.
    The time to ask employees to sign a privacy policy, however, is not upon termination but upon employment or at the time an employee first has access to personal information stored by the organization.

    Rate this question:

  • 26. 

    Security laws in U.S. states often restrict:

    • A.

      the collection of Social Security numbers via paper employment applications

    • B.

      The business hours during which organizations are allowed to make telemarketing calls

    • C.

      The display of Social Security numbers on identification cards

    • D.

      The disclosure of biometric records to law enforcement agencies

    Correct Answer
    C. The display of Social Security numbers on identification cards
    Explanation
    The correct answer is C: [The display of Social Security numbers on identification cards.]

    While the disclosure of biometric data may be restricted by law, this is a privacy issue, not a security one. Similarly, the FTC Telemarketing Sales Rule (TSR) restricts the hours that organizations may make telemarketing calls, but that is not a security issue. The collection of Social Security numbers in hiring is permissible as long as there is a legitimate purpose and the data is secured. On the other hand, Social Security numbers are widely considered to be personal information and should not therefore be displayed publicly, such as on an identification card. The practice is specifically prohibited by privacy laws in many states.

    Rate this question:

  • 27. 

    For those states that have security breach notification requirements, what general information must the breach-of-personally-identifiable-information notification letter to the individual include?

    • A.

      Name of the affected individual, brief description of the incident, date the incident occurred, and the number for a credit monitoring service

    • B.

      Name and Social Security number of the affected individual, full description of the incident, date the incident occurred, and the number for a credit monitoring service

    • C.

      name, Social Security number and address of the affected individual, full description of the incident, and a toll-free number for answers to questions

    • D.

      Brief description of the incident, type of information involved, and a toll-free number for answers to questions

    Correct Answer
    D. Brief description of the incident, type of information involved, and a toll-free number for answers to questions
    Explanation
    The correct answer is D: [A brief description of the incident, the type of information involved, and a toll-free number for answers to questions.]

    Most states do not specify what must be included in the notification letter. Privacy professionals residing in states that do not provide guidance should use the guidelines of states that do.

    Rate this question:

  • 28. 

    The act of video monitoring the workplace is likely to survive a legal challenge under U.S. law provided that:

    • A.

      The videotaping is proportional to the organization's need for surveillance

    • B.

      Monitoring is limited to "nonprivate" areas of the workplace

    • C.

      Complete video archives are kept by the employer and not edited or altered

    • D.

      Each employee signs an agreement that consents to the surveillance

    Correct Answer
    B. Monitoring is limited to "nonprivate" areas of the workplace
    Explanation
    The correct answer is B: [Monitoring is limited to “non-private” areas of the workplace.]

    Many states have specific laws prohibiting workplace video monitoring of private places such as restrooms and locker rooms. Even in the absence of a statute, employees may be able to bring a common-law tort claim for invasion of privacy, especially where a jury would find the use of the camera to be offensive. Monitoring of private areas in the workplace would be unlikely to survive a legal challenge.

    Rate this question:

  • 29. 

    The loss of names and what other data point would require an employer to notify affected individuals?

    • A.

      Student records

    • B.

      Intellectual property

    • C.

      Social Security numbers

    • D.

      Street addresses

    Correct Answer
    C. Social Security numbers
    Explanation
    The correct answer is C: [Social Security numbers.]

    The definition of what constitutes personal information varies state by state. However, there are some factors that are included in the definition of personal information in all states. These include the loss of a name combined with another form of personal
    information. Generally, student records and intellectual property are not considered personal information.

    Rate this question:

  • 30. 

    If a company located in Massachusetts maintains all of its employees' personal information in a hosted online database in Florida, what must the third-party service provider agree to?

    • A.

      A confidentiality provision

    • B.

      Periodic audits

    • C.

      A ban on the use of subcontractors

    • D.

      Upgrades in technology

    Correct Answer
    A. A confidentiality provision
    Explanation
    The answer is A: [A confidentiality provision.]

    If a company plans to share personal data with a third-party processor, it is important to consider incorporating a written contract including a confidentiality provision, no further use of shared information, requirement to notify and disclose a breach, and information security provisions.

    Rate this question:

  • 31. 

    Rules that govern the collection and handling of personal information regarding Internet activity can be categorized as what type of privacy?

    • A.

      Communication privacy

    • B.

      Information privacy

    • C.

      Bodily privacy

    • D.

      Territorial privacy

    Correct Answer
    B. Information privacy
    Explanation
    The correct answer is information privacy because the question is asking about the rules that govern the collection and handling of personal information regarding internet activity. Information privacy refers to the protection and control of personal data, ensuring that individuals have the right to determine how their information is collected, used, and shared.

    Rate this question:

  • 32. 

    32. Which authority does not oversee privacy-related issues in the U.S.?

    • A.

      The Federal Trade Commission (FTC)

    • B.

      State attorneys general

    • C.

      The national data protection authority

    • D.

      Federal financial regulators

    Correct Answer
    C. The national data protection authority
    Explanation
    The national data protection authority does not oversee privacy-related issues in the U.S. The Federal Trade Commission (FTC) is responsible for protecting consumers and enforcing privacy laws. State attorneys general also play a role in addressing privacy concerns. Federal financial regulators focus on overseeing financial institutions and ensuring compliance with financial regulations, but they may not have direct authority over privacy matters. Therefore, the national data protection authority is not involved in privacy-related issues in the U.S.

    Rate this question:

  • 33. 

    Which types of personal information may qualify as sensitive personal information? Select all that apply.

    • A.

      Social Security number

    • B.

      Bank account number

    • C.

      Driver’s license number

    • D.

      Home phone number

    • E.

      Professional membership

    • F.

      Medical history

    • G.

      Business email address

    Correct Answer(s)
    A. Social Security number
    B. Bank account number
    C. Driver’s license number
    F. Medical history
    Explanation
    Sensitive personal information refers to personal data that, if disclosed or compromised, could result in harm or discrimination to an individual. In this case, the correct answer includes Social Security number, Bank account number, Driver's license number, and Medical history. These types of information are considered sensitive as they can be used for identity theft, financial fraud, or unauthorized access to personal records.

    Rate this question:

  • 34. 

    True or false? Restrictions on the processing of personal information may differ, depending on the source of the information.

    • A.

      True

    • B.

      False

    Correct Answer
    A. True
    Explanation
    Restrictions on the processing of personal information may differ depending on the source of the information. This means that different rules and regulations may apply to personal information obtained from different sources. For example, there may be stricter restrictions on processing personal information obtained from sensitive sources such as medical records or financial institutions, compared to information obtained from public sources or freely available sources. Therefore, it is true that restrictions on the processing of personal information may vary depending on the source.

    Rate this question:

  • 35. 

    35. True or false? Federal privacy laws will always supersede state laws.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    Federal privacy laws do not always supersede state laws. In some cases, state laws may provide stronger privacy protections than federal laws, and in such instances, the state laws would take precedence. This is because states have the authority to enact their own privacy laws as long as they do not conflict with federal laws. Therefore, it is incorrect to say that federal privacy laws will always supersede state laws.

    Rate this question:

  • 36. 

    What is an agreement or settlement that resolves a dispute between two parties without admission of guilt or liability?

    • A.

      Common law

    • B.

      Tort law

    • C.

      Contract law

    • D.

      Consent decree

    Correct Answer
    D. Consent decree
    Explanation
    A consent decree is an agreement or settlement that resolves a dispute between two parties without admission of guilt or liability. It is a legally binding resolution that allows both parties to avoid admitting fault while still resolving the issue at hand. This type of agreement is often used in legal cases to save time and resources, as it allows parties to come to a mutual understanding without going through a lengthy trial process.

    Rate this question:

  • 37. 

    37. True or false? The word privacy is not mentioned in the U.S. Constitution.

    • A.

      True

    • B.

      False

    Correct Answer
    A. True
    Explanation
    The word privacy is not explicitly mentioned in the U.S. Constitution. While the Constitution does protect certain individual rights such as freedom of speech and the right to be secure in one's person and property, the concept of privacy is not specifically addressed. However, the Supreme Court has interpreted certain provisions of the Constitution, such as the Fourth Amendment's protection against unreasonable searches and seizures, to encompass a right to privacy.

    Rate this question:

  • 38. 

    Which federal agency plays a role in enforcing privacy and security standards set by organizations?

    • A.

      Department of Homeland Security (DHS)

    • B.

      Department of Commerce (DOC)

    • C.

      Department of State (DOS)

    Correct Answer
    B. Department of Commerce (DOC)
    Explanation
    The Department of Commerce (DOC) plays a role in enforcing privacy and security standards set by organizations. This is because the DOC is responsible for promoting economic growth and technological advancement in the United States. As part of its mission, the DOC oversees the National Institute of Standards and Technology (NIST), which develops and maintains standards for information security and privacy. These standards are used by organizations to protect sensitive information and ensure compliance with regulations. Therefore, the DOC is the federal agency that plays a role in enforcing privacy and security standards.

    Rate this question:

  • 39. 

    39. True or false? An organization that does not process personal data that forms part of a filing system, nor processes personal data by automated means, but does process personal data in a place where member state law applies is subject to the GDPR.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    An organization that does not process personal data that forms part of a filing system, nor processes personal data by automated means, and also does not process personal data in a place where member state law applies is not subject to the GDPR. The GDPR only applies to organizations that process personal data in a place where member state law applies or when they process personal data that forms part of a filing system or by automated means.

    Rate this question:

  • 40. 

    What type of international data transfer mechanism was invalidated for EU-U.S. data transfers?

    • A.

      Binding corporate rule

    • B.

      Code of conduct

    • C.

      Standard contractual clause

    • D.

      Adequacy decision

    Correct Answer
    D. Adequacy decision
    Explanation
    The adequacy decision was invalidated for EU-U.S. data transfers. An adequacy decision is a mechanism that allows the transfer of personal data from the European Union to a third country if that country provides an adequate level of data protection. However, in this case, the adequacy decision for EU-U.S. data transfers was invalidated, meaning that the U.S. did not provide an adequate level of data protection according to the European Union's standards.

    Rate this question:

  • 41. 

    From the list below, select the obligations that are directly applicable to both the controller and processor. Select all that apply.

    • A.

      Data breach reporting

    • B.

      Records keeping

    • C.

      Data protection impact assessments

    • D.

      Data protection officer

    • E.

      Security

    Correct Answer(s)
    A. Data breach reporting
    B. Records keeping
    D. Data protection officer
    E. Security
    Explanation
    The obligations that are directly applicable to both the controller and processor are data breach reporting, records keeping, data protection officer, and security. Data breach reporting is necessary for both the controller and processor to ensure that any breaches are promptly reported to the relevant authorities. Records keeping is important for both parties to maintain accurate documentation of their data processing activities. The appointment of a data protection officer is required for both the controller and processor to ensure compliance with data protection regulations. Security measures are essential for both parties to protect the personal data they process from unauthorized access or disclosure.

    Rate this question:

  • 42. 

    True or false? Under the GDPR, both controllers and processors have record-keeping obligations.

    • A.

      True

    • B.

      False

    Correct Answer
    A. True
    Explanation
    Under the GDPR (General Data Protection Regulation), both controllers and processors have record-keeping obligations. This means that both parties are required to maintain documentation of their processing activities. Controllers are responsible for ensuring compliance with the GDPR and must keep records of their processing activities. Processors, on the other hand, are required to keep records of all categories of processing activities they perform on behalf of the controller. These record-keeping obligations help ensure transparency and accountability in the handling of personal data, as well as facilitate regulatory oversight and enforcement.

    Rate this question:

  • 43. 

    Which of the following are data subject rights under the GDPR? Select all that apply.

    • A.

      Data portability

    • B.

      Rectification of inaccurate or incomplete personal data

    • C.

      Erasure

    • D.

      Restriction of processing

    Correct Answer(s)
    A. Data portability
    B. Rectification of inaccurate or incomplete personal data
    C. Erasure
    D. Restriction of processing
    Explanation
    Under the GDPR, data subject rights include data portability, rectification of inaccurate or incomplete personal data, erasure, and restriction of processing. Data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Rectification allows individuals to correct any inaccuracies or incompleteness in their personal data. Erasure gives individuals the right to request the deletion of their personal data. Restriction of processing allows individuals to limit the processing of their personal data under certain circumstances.

    Rate this question:

  • 44. 

    True or false? Under the GDPR, the controller is obligated to notify the supervisory authority of a personal data breach without undue delay (and within 72 hours of becoming aware of it) if the breach is likely to result in a risk for the rights and freedoms of natural persons.

    • A.

      True

    • B.

      False

    Correct Answer
    A. True
    Explanation
    Under the GDPR, the controller is indeed obligated to notify the supervisory authority of a personal data breach without undue delay, and within 72 hours of becoming aware of it, if the breach is likely to result in a risk for the rights and freedoms of natural persons. This requirement aims to ensure that the supervisory authority can assess and potentially mitigate the risks associated with the breach in a timely manner. Failure to comply with this obligation can result in penalties and fines under the GDPR.

    Rate this question:

  • 45. 

    Which of the following are required for an entity to be considered a “business” under the California Consumer Privacy Act? Select all that apply.

    • A.

      An entity that makes $10 million in annual revenue

    • B.

      An entity that holds the personal information of 50,000 people, households or devices

    • C.

      An entity that makes at least half of its revenue from the sale of personal information

    Correct Answer(s)
    B. An entity that holds the personal information of 50,000 people, households or devices
    C. An entity that makes at least half of its revenue from the sale of personal information
    Explanation
    To be considered a "business" under the California Consumer Privacy Act, an entity must meet two criteria. First, it must hold the personal information of 50,000 people, households, or devices. This means that the entity has access to and stores the personal information of a significant number of individuals or devices. Second, the entity must make at least half of its revenue from the sale of personal information. This means that a substantial portion of the entity's income comes from selling personal information. Both of these criteria are necessary for an entity to be classified as a "business" under the California Consumer Privacy Act.

    Rate this question:

  • 46. 

    How does the CCPA define a “consumer”? Select all that apply.

    • A.

      A natural person who is a California resident

    • B.

      Every individual who is in California for other than a temporary or transitory purpose

    • C.

      Every individual who is domiciled in California who is outside the state for a temporaryor transitory purpose

    Correct Answer(s)
    A. A natural person who is a California resident
    B. Every individual who is in California for other than a temporary or transitory purpose
    C. Every individual who is domiciled in California who is outside the state for a temporaryor transitory purpose
    Explanation
    The CCPA defines a "consumer" as a natural person who is a California resident, as well as every individual who is in California for other than a temporary or transitory purpose, and every individual who is domiciled in California who is outside the state for a temporary or transitory purpose. This means that anyone who is a California resident, anyone who is in California for a non-temporary purpose, and anyone who is domiciled in California but temporarily outside the state is considered a consumer under the CCPA.

    Rate this question:

  • 47. 

    The CCPA allows consumers to request and receive records of what personal information? Select all that apply.

    • A.

      The types of PI an organization holds about the requestor

    • B.

      Dates and times that the organization collected PI from the requestor

    • C.

      The sources of PI an organization holds about the requestor

    • D.

      The specific PI an organization holds about the requestor

    • E.

      Information about what’s being done with the related data in terms of both businessuse and third-party sharing

    Correct Answer(s)
    A. The types of PI an organization holds about the requestor
    C. The sources of PI an organization holds about the requestor
    D. The specific PI an organization holds about the requestor
    E. Information about what’s being done with the related data in terms of both businessuse and third-party sharing
    Explanation
    The CCPA allows consumers to request and receive records of the types of personal information (PI) that an organization holds about them, the sources of PI that the organization holds about them, the specific PI that the organization holds about them, and information about what is being done with the related data in terms of both business use and third-party sharing. This means that consumers have the right to know what information is being collected about them, where it is coming from, and how it is being used and shared.

    Rate this question:

  • 48. 

    True or false? Under the CCPA, a business may be required to include a “Do Not Sell My Personal Information” button on its website.

    • A.

      True

    • B.

      False

    Correct Answer
    A. True
    Explanation
    Under the CCPA (California Consumer Privacy Act), businesses are indeed required to include a "Do Not Sell My Personal Information" button on their website. This button allows consumers to opt-out of the sale of their personal information to third parties. This requirement ensures that individuals have control over how their personal information is used and shared by businesses.

    Rate this question:

  • 49. 

    49. What theory of legal liability is described as the absence of or failure to exercise proper or ordinary care?

    • A.

      Defamation

    • B.

      Negligence

    • C.

      Breach of warranty

    • D.

      Strict tort liability

    Correct Answer
    B. Negligence
    Explanation
    Negligence is the theory of legal liability that is described as the absence of or failure to exercise proper or ordinary care. This means that a person or entity is held responsible for their actions or omissions when they fail to meet the standard of care expected in a given situation. In a negligence claim, the plaintiff must prove that the defendant owed a duty of care, breached that duty, and caused the plaintiff's injuries or damages. Defamation, breach of warranty, and strict tort liability are different theories of legal liability that are not directly related to the absence of or failure to exercise proper or ordinary care.

    Rate this question:

  • 50. 

    Which of the following are powers of the FTC? Select all that apply.

    • A.

      Penalizing and halting unfair or deceptive trade practices

    • B.

      Seeking monetary redress for conduct injurious to consumers

    • C.

      Prescribing trade regulation rules

    • D.

      Administering self-certification programs for honest trade practices

    • E.

      Establishing requirements to prevent unfair or deceptive trade practices

    Correct Answer(s)
    A. Penalizing and halting unfair or deceptive trade practices
    B. Seeking monetary redress for conduct injurious to consumers
    C. Prescribing trade regulation rules
    E. Establishing requirements to prevent unfair or deceptive trade practices
    Explanation
    The Federal Trade Commission (FTC) has the power to penalize and halt unfair or deceptive trade practices, seek monetary redress for conduct injurious to consumers, prescribe trade regulation rules, and establish requirements to prevent unfair or deceptive trade practices. These powers allow the FTC to enforce laws and regulations that protect consumers from fraudulent or unfair business practices, ensuring fair competition and promoting consumer welfare in the marketplace.

    Rate this question:

Back to Top Back to top
Advertisement
×

Wait!
Here's an interesting quiz for you.

We have other quizzes matching your interest.