CIPP US Practice Exam Questions With 100% Correct Answers 2024

What kind of liability may only be asserted in court by governmental authorities and not by a private citizen?
A. Civil
B. Negligence
C. Criminal
D. Invasion of privacy
Correct answer: C

Which of the following preemployment screening activities would turn a regular consumer report into an investigative report?
A. The report includes information about prior bankruptcies.
B. The CRA furnishing the report includes information about a job seeker's mortgage payments.
C. The preemployment screening includes a criminal background check.
D. A third-party agent interviews a job seeker's neighbors about their character.
Correct answer: D

pg. 1 professoraxel

Dana is frustrated because she continues to receive telemarketing calls from her current internet service provider (ISP), even though she added her number to the national do-not-call list. Is Dana's ISP breaking the law?
A. Yes, because it is the responsibility of the ISP to maintain an updated copy of the national do-not-call registry.
B. No, because she is a customer of the ISP and the TSR provides an exemption for firms that have an existing business relationship with a consumer.
C. No, because Dana's ISP may not know she has added her number to the do-not-call registry.
D. Yes, because the DNC does not provide an exemption for existing customers.
Correct answer: B

Nick and Jenny often meet with other employees in the company cafeteria to advocate for collective bargaining. One day, Jenny notices that a security camera has suddenly been installed in the cafeteria, near where they usually sit. Why might this be a problem?
A. Employees have not consented to video surveillance during their lunch hours when not conducting company business.
B.
Video surveillance may inadvertently reveal an employee's physical disability and lead to compliance risks under the Americans with Disabilities Act (ADA).

B. SCA
C. BSA
D. ECPA
Correct answer: C

What term is used to describe a voluntary agreement between a firm and the federal government where the firm agrees to engage or not engage in certain business practices?
A. Conviction
B. Retainer agreement
C. Theory of liability
D. Consent decree
Correct answer: D

What article in the U.S. Constitution defines the powers of the judicial branch?
A. Article I
B. Article II
C. Article III
D. Article IV
Correct answer: C

What federal privacy law contains specific requirements for how organizations must dispose of sensitive personal information when it is no longer needed?
A. FERPA
B. FACTA
C. GLBA
D. SOX
Correct answer: B

What individual within an organization is likely to bear overall responsibility for a privacy program?
A. CIO
B. CFO
C. CPO
D. CEO
Correct answer: C

Tom recently filled out a survey about his political and religious views. The survey data is maintained by a nonprofit research organization. What term best describes Tom's role with respect to this data?
A. Data controller
B. Data processor
C. Data steward
D. Data subject
Correct answer: D

It is probably permissible to use a polygraph test in preemployment screening for all of the following jobs, except:
A. U.S. Treasury employee
B. Daycare worker
C. Armored car driver
D. Pharmacist
Correct answer: B

Which one of the following firms was sanctioned by the Federal Trade Commission (FTC) after an investigation showed that they were not diligently carrying out privacy program recertifications of their clients?
A. Snapchat
B. Nomi
C. TRUSTe
D. GeoCities
Correct answer: C

The Washington State Biometric Privacy Law protects all of the following forms of biometric data except:
A. Fingerprint
What check and balance does the legislative branch hold over the executive branch?
A. Power of the purse
B. Veto power
C. Prosecutorial discretion
D. Judicial review
Correct answer: A

What portion of the U.S. Constitution defines the powers of the legislative branch of government?
A. Article I
B. Article II
C. Article III
D. Article IV
Correct answer: A

Which amendment to the U.S. Constitution explicitly grants individuals the right to privacy?
A. First Amendment
B. Fourth Amendment
C. Fifth Amendment
D. None of the above
Correct answer: D

What source contains much of the administrative law created by the U.S. government?
A. U.S. Code
B. Bill of Rights
C. Code of Federal Regulations
D. U.S. Constitution
Correct answer: C

Which one of the following is the best description of the legal principle of stare decisis?
A. Courts should be guided by precedent.
B. Federal law overrules state law.
C. Laws must be consistent with the constitution.
D. Common law guides areas where legislation is unclear.
Correct answer: A

In a contract between two organizations, the parties mutually agree that disputes will be settled in the courts of the state of New York. What type of jurisdiction does this language establish?
A. Personal jurisdiction
B. Geographic jurisdiction
C. Subject matter jurisdiction
D. Consensual jurisdiction
Correct answer: A

Which one of the following entities would not normally be considered a person under the laws of the United States?
A. A U.S. citizen
B. A U.S. corporation
C. A legal resident of the United States
D. None of the above
Correct answer: D

Which one of the following laws contains a private right of action?
A. CCPA
B. FERPA
C. GLBA
D. HIPAA
Correct answer: A

During a negligence lawsuit, the court determined that the respondent was not at fault because the plaintiff did not present evidence that they suffered some form of harm.
What element of negligence was missing from this case?
A. Duty of care

A. Establishment clause
B. Supremacy clause
C. Commerce clause
D. Incompatibility clause
Correct answer: B

What nation was the original source of the common law used in many parts of the world?
A. Roman Empire
B. England
C. France
D. Egypt
Correct answer: B

What category of law best describes the HIPAA Privacy Rule?
A. Constitutional law
B. Common law
C. Legislative law
D. Administrative law
Correct answer: D

What court has subject matter jurisdiction specifically tailored to matters of national security?
A. U.S. District Court
B. State Supreme Courts
C. U.S. Supreme Court
D. Foreign Intelligence Surveillance Court
Correct answer: D

Under what standard might a company located in one state become subject to the jurisdiction of the courts of another state by engaging in transactions with customers located in that other state?
A. Physical presence
B. Place of business
C. Consent
D. Minimum contacts
Correct answer: D

In a recent invasion of privacy lawsuit, the plaintiff claimed that the respondent disclosed information that caused them to be falsely perceived by others. What tort is involved in this case?
A. Appropriation
B. Disclosure of private facts
C. Invasion of solitude
D. False light
Correct answer: D

Which of the following types of information should be protected by a privacy program?
A. Customer records
B. Product plans
C. Trade secrets
D. All of the above
Correct answer: A

Barry is consulting with his organization's cybersecurity team on the development of their cybersecurity program. Which one of the following would not be a typical objective of such a program?
A. Privacy
B. Confidentiality
C. Availability
D. Integrity
Correct answer: A

Howard is assisting his firm in developing a new privacy program and wants to incorporate a privacy risk assessment process into the program.
If Howard wishes to comply with industry best practices, how often should the firm conduct these risk assessments?

A. Management
B. Board of directors
C. Regulators
D. All of the above
Correct answer: D

Which element of a privacy program is likely to remain unchanged for long periods of time?
A. Mission
B. Goals
C. Objectives
D. Procedures
Correct answer: A

Tonya is seeking to de-identify a set of records about her organization's customers. She is following the HHS guidelines for de-identifying records and is removing ZIP codes associated with small towns. What is the smallest population size for which she may retain a ZIP code?
A. 1,000
B. 2,000
C. 10,000
D. 20,000
Correct answer: D

Which one of the following statements is not correct about privacy best practices?
A. Organizations should maintain personal information that is accurate, complete, and relevant.
B. Organizations should inform data subjects of their privacy practices.
C. Organizations should retain a third-party dispute resolution service for handling privacy complaints.
D. Organizations should restrict physical and logical access to personal information.
Correct answer: C

Which one of the following is not a common responsibility for an organization's chief privacy officer?
A. Managing privacy risks
B. Encrypting personal information
C. Developing privacy policy
D. Advocating privacy strategies
Correct answer: B

When designing privacy controls, an organization should be informed by the results of what type of analysis?
A. Impact analysis
B. Gap analysis
C. Business analysis
D. Authorization analysis
Correct answer: B

Which one of the following is an example of active online data collection?
A. Users completing an online survey
B. Collecting IP addresses from website visitors
C. Tracking user activity with web cookies
D. Analyzing the geographic locations of site visitors
Correct answer: A
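The ZIP code question above turns on the HIPAA Safe Harbor de-identification method (45 CFR 164.514(b)(2)): a ZIP code may be kept only as its first three digits, and only when the area formed by all ZIP codes sharing those three digits has more than 20,000 people; otherwise the prefix becomes 000. The same rule set reduces dates to the year and collapses ages over 89 into a single "90+" category. The following Python is an added worked example, not part of the practice exam or any HHS tool; the population lookup and the patient records in it are constructed for illustration, and a real implementation would load current Census figures.

```python
"""HIPAA Safe Harbor generalization of ZIP codes, dates and ages.

Added example (not from the original page). Implements three of the
eighteen Safe Harbor rules in 45 CFR 164.514(b)(2):
  - ZIP codes keep only their first three digits, and only when the area
    formed by all ZIPs sharing those digits has MORE than 20,000 people;
    otherwise the prefix becomes "000".
  - Dates keep only the year.
  - Ages over 89 collapse into one "90+" category, and the birth year that
    would reveal such an age is dropped.
ZIP3_POPULATION is a CONSTRUCTED lookup for illustration, not Census data.
"""
from datetime import date

POPULATION_THRESHOLD = 20_000   # the "more than 20,000 people" test
AGE_CAP = 89                    # ages over 89 are reported as "90+"
REFERENCE_DATE = date(2024, 6, 1)  # date on which ages are computed

# Constructed 3-digit ZIP prefix populations (hypothetical figures).
ZIP3_POPULATION = {
    "021": 1_200_000,  # large metro area: prefix may be retained
    "036": 19_000,     # 20,000 or fewer people: prefix must become "000"
    "590": 20_000,     # exactly 20,000 is not "more than 20,000"
}


def safe_harbor_zip(zip_code, populations=ZIP3_POPULATION):
    """Return the generalized ZIP: the 3-digit prefix or '000'.

    Fails closed: a malformed ZIP or a prefix with no population figure is
    treated as too small to retain, because the rule requires positive
    evidence that the area exceeds the threshold.
    """
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        return "000"
    prefix = digits[:3]
    if populations.get(prefix, 0) > POPULATION_THRESHOLD:
        return prefix
    return "000"


def age_on(dob, as_of):
    """Whole years between a date of birth and a reference date."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify_record(rec, as_of, populations=ZIP3_POPULATION):
    """Apply the Safe Harbor rules to one record.

    Direct identifiers (here: name) are dropped outright; the remaining
    fields are generalized rather than removed.
    """
    age = age_on(rec["dob"], as_of)
    out = {
        "zip": safe_harbor_zip(rec["zip"], populations),
        "admit_year": str(rec["admit_date"].year),  # month and day removed
    }
    if age > AGE_CAP:
        out["age"] = "90+"
        out["birth_year"] = None  # a birth year would reveal an age over 89
    else:
        out["age"] = str(age)
        out["birth_year"] = str(rec["dob"].year)
    return out


def deidentify_all(records, as_of=REFERENCE_DATE, populations=ZIP3_POPULATION):
    """De-identify a list of records."""
    return [deidentify_record(r, as_of, populations) for r in records]


# Constructed sample records; the people and addresses are fictitious.
SAMPLE_RECORDS = [
    {"name": "A. Patient", "zip": "02139", "dob": date(1980, 3, 15),
     "admit_date": date(2024, 2, 10)},
    {"name": "B. Patient", "zip": "03601", "dob": date(1930, 8, 20),
     "admit_date": date(2024, 5, 3)},
    {"name": "C. Patient", "zip": "59001-1234", "dob": date(1935, 1, 1),
     "admit_date": date(2023, 12, 30)},
]

if __name__ == "__main__":
    for row in deidentify_all(SAMPLE_RECORDS):
        print(row)
```

The third sample record shows the two boundary cases the exam question probes: a prefix whose area has exactly 20,000 people is not "more than 20,000" and is zeroed, and an age of exactly 89 is retained while 90 and above is bucketed.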
Which one of the following would not normally appear in an organization's privacy notice?
A. Types of information collected
B. Contact information for the data controller
C. Detailed descriptions of security controls
D. Categories of recipients to whom personal information is disclosed
Correct answer: C

B. De-identification
C. Aggregation
D. Redaction
Correct answer: C

Which one of the following is not part of the three-pronged test used to determine whether a trade practice unfairly injures consumers?
A. The injury must be substantial.
B. The injury must not be outweighed by countervailing benefits.
C. The injury must be directed at a specific group of consumers.
D. The injury must not be reasonably avoidable.
Correct answer: C

Which one of the following firms was charged by the FTC with failing to conduct required privacy recertifications of its clients?
A. TRUSTe
B. GeoCities
C. DesignerWare
D. Nomi
Correct answer: A

What federal agency has lead responsibility for enforcing the privacy and security obligations of healthcare providers under HIPAA?
A. FTC
B. CFPB
C. HHS
D. FCC
Correct answer: C

Your firm was the target of an FTC investigation into unfair trade practices. Rather than engaging in litigation, you negotiated a formal settlement with the agency. What type of document did you most likely sign?
A. Consent decree
B. Court order
C. Negotiated agreement
D. Merchant agreement
Correct answer: A

Acme Widgets failed to implement reasonable security controls and was the subject of an FTC enforcement action. What criterion did the FTC most likely use to bring this action?
A. The action was deceptive.
B. The action was unfair.
C. The action was both deceptive and unfair.
D. The action was neither deceptive nor unfair.
Correct answer: B

What firm received the largest privacy-related fine in FTC history?
A. Snapchat
B. Facebook
C. Google
D. Amazon
Correct answer: B
What industry is subject to the privacy regulations found in the Family Educational Rights and Privacy Act (FERPA)?
A. Healthcare
B. Financial services
C. Education
D. Brokerages
Correct answer: C

What self-regulatory scheme includes detailed requirements for the protection of credit card information?

A. Administrative law judge
B. FTC commissioners
C. US District Court judge
D. US Circuit Court judge
Correct answer: A

In 2014, the FCC reached a settlement with Verizon related to the firm's use of customer information for marketing purposes without consent. What law did the FCC accuse Verizon of violating?
A. Federal Trade Commission Act
B. Telecommunications Act
C. Telemarketing Sales Rule
D. Broadband Privacy Rule
Correct answer: B

Who is the chief law enforcement officer of a state who may bring enforcement actions against firms under the laws of that state?
A. Governor
B. Lieutenant Governor
C. Solicitor general
D. Attorney general
Correct answer: D

What decision by the EU Court of Justice invalidated the EU/US Privacy Shield?
A. Schrems II
B. Colburn I
C. Riley II
D. Granger I
Correct answer: A

What federal agency is responsible for the supervision of federally chartered credit unions?
A. CFPB
B. FDIC
C. OCC
D. NCUA
Correct answer: D

Which one of the following is not an element of the definition of deceptive practices?
A. There must be a representation, omission, or practice that is likely to mislead the consumer.
B. The practice must be examined from the perspective of a consumer acting reasonably in the circumstances.
C. The injury must not be outweighed by countervailing benefits to consumers and to competition.
D. The representation, omission, or practice must be material.
Correct answer: C
Which one of these firms was charged with an unfair trade practice after installing sensors in retail stores that collected information from mobile devices without consumer consent?
A. DesignerWare
B. Wyndham
C. Snapchat
D. Nomi
Correct answer: D

What federal regulatory agency has the primary authority to take enforcement actions against unfair and deceptive practices?
A. Federal Trade Commission
B. Federal Communications Commission
C. Federal Regulatory Commission
D. Department of Commerce
Correct answer: A

What type of malicious software uses encryption to render data inaccessible to authorized users?
A. Virus
B. Worm
C. Ransomware
D. Trojan horse
Correct answer: C

Kelly is investigating a situation where an employee's computer was infected with malware and that malware was used to steal the employee's password. What term best describes this situation?
A. Event
B. Adverse event
C. Social engineering
D. Incident
Correct answer: D

Which of the following are common sources of security alerts that may indicate a need for an incident response effort? (Select all that apply.)
A. Third-party monitoring services
B. Intrusion detection systems
C. Security information and event management systems
D. File integrity checking software
Correct answer: A, B, C, D

Which one of the following is not an objective of the containment, eradication, and recovery phase of incident response?
A. Limit the damage caused by an incident.
B. Identify the attackers and attacking systems.
C. Recover normal business operations.
D. Detect a potential security incident.
Correct answer: D

Who is the most effective person to lead a lessons-learned session in the wake of a cybersecurity incident?
A. Independent third party
B. Chief privacy officer (CPO)
C. Chief information officer (CIO)
D. Incident response team leader
Correct answer: A
Which one of the following laws includes a data breach notification requirement that applies to many different categories of personal information?
A. GDPR
B. HIPAA
C. GLBA
D. FERPA
Correct answer: A

Gwen is entering into a long-term relationship with a consulting firm that will provide project-based services to her organization. She would like to have an overarching agreement with the organization that includes general terms. What type of agreement is most appropriate for this situation?
A. SOW
B. BPA
C. MOU
D. MSA
Correct answer: D

Referring to the scenario in question 12, after the overarching agreement is signed, what instrument would Gwen use to document the requirements of a specific project engagement?
A. SOW
B. BPA
C. Script
D. Malware
Correct answer: A

Which one of the following is not an acceptable method for the disposal of paper records containing personal information?
A. Shredding
B. Incineration
C. Degaussing
D. Use of a third-party disposal firm
Correct answer: C

Rob is concerned that individuals in his organization are unsure of the appropriate cybersecurity controls to apply to different types of information. Which one of the following practices would best address this need?
A. Data destruction
B. Data flow mapping
C. Data classification
D. Data lifecycle management
Correct answer: C

Which one of the following problems was the Red Flags Rule primarily designed to help detect?
A. A data security breach
B. Consumer identity theft
C. Unauthorized access to information by an employee of a financial institution
D. Inaccurate information contained in a consumer credit report
Correct answer: B

The Dodd-Frank Act created which federal agency empowered with broad enforcement authority for financial privacy regulations?
A. The Bureau of Consumer Protection
B. The Commodity Futures Trading Commission
C. The Consumer Financial Protection Bureau
D.
The Securities and Exchange Commission
Correct answer: C

NetBank is a new online financial institution that has engaged a marketing firm for a telephone advertising campaign without bothering to check the national Do-Not-Call registry. NetBank may be investigated by which agency?
A. FTC
B. CFPB
C. FCC
D. HHS
Correct answer: C

eMaps, Inc., has been investigated for failing to perform an annual review of its privacy policy and procedures as promised in its privacy notice. eMaps enters into an agreement to perform its annual reviews as promised and submits to annual monitoring by the government. This enforcement action is most likely which of the following?
A. An FTC civil complaint
B. An FTC consent decree
C. A civil ruling resulting from a private right of action
D. A penalty imposed by the Office for Civil Rights
Correct answer: B

Soomin's 11-year-old son is working at the family computer when she notices her son uploading a picture and typing in his mother's cell phone number. When she asks why, he says he's just registered for the kid's video game he wants to play online. Soomin is immediately suspicious. The online video game provider is most likely violating which of the following?
A. The COPPA requirement to post a privacy notice clearly explaining how data are collected, used, and stored

accident because the business forgot to download an updated DNC list last month.
D. The organization is a business calling recent customers to advertise new products.
Correct answer: D

Which of the following best describes FACTA's primary purpose?
A. To reduce predatory behaviors by creditors
B. To regulate unsecured credit offers
C. To protect people from identity theft
D. To enable consumers to choose which credit reporting agency handles their credit reports
Correct answer: C

Under HIPAA, which of the following is not an acceptable reason to share PHI without the consent of a patient?
A.
Limited records were provided to the CDC for a study on infectious diseases.
B. Patient contact information was shared with a third-party debt collector.
C. A patient verbally directed their spouse to pick up a prescription.
D. A patient's diagnosis was shared with a prospective employer as part of a preemployment background check.
Correct answer: D

Which of the following is not a common feature of information security safeguards required by private sector privacy and security regulations?
A. A documented information security program or policy
B. Designated personnel with responsibility for information security
C. Employee training on information security practices
D. An information security forensics team to analyze cyberattacks
Correct answer: D

In addition to regulating unfair and deceptive practices, the Dodd-Frank Act prohibits financial institutions from engaging in another set of business practices known as which of the following?
A. Abusive
B. Negligent
C. Harmful
D. Wrongful
Correct answer: A

Bella is a senior at Planeville College. She is about to complete her BA and is applying to graduate schools in her area. Planeville College may legally release her transcripts to which of the following parties without her express consent? (Choose all that apply.)
A. The graduate schools where Bella is applying
B. Bella's legal guardians
C. A state research study on graduation and retention rates
D. The foundation providing Bella's scholarship funds
Correct answer: A, C, D

Under HIPAA, patients have the right to view all of the following in their medical files except:
A. Psychotherapy notes
B. Medical diagnoses
C. Treatment records
D. Billing records
Correct answer: A

Mary is collecting background information on a potential client. Which of the following types of information would

CureSearch is a medical research firm that analyzes electronic results from new medical drug trials.
Assuming that the information sharing is appropriate under the law, which piece of legislation most likely allows CureSearch to readily access the study results?
A. HIPAA
B. HITECH
C. The 21st Century Cures Act
D. The Confidentiality of Substance Use Disorder Patient Records Rule
Correct answer: C

Which of the following legislative acts was enacted to regulate government surveillance powers after the Watergate scandal?
A. The USA Patriot Act
B. ECPA
C. FISA
D. CALEA
Correct answer: C

CISA encourages companies to share cyber-threat intelligence with the government by removing disincentives that may have made companies hesitant to share information. All of the following are reasons that corporations may have been reluctant to share information except:
A. Fear of liability for any compliance lapses revealed by sharing information
B. Fear of making proprietary company information public
C. Fear of revealing customer PII
D. Fear of reprisal from cybercriminals
Correct answer: D

Which of the following statements best describes the third-party doctrine?
A. Information that has been transferred to third parties in the course of doing business is no longer protected by the Fourth Amendment.
B. The legal obligation of third parties holding customer financial records is to keep records private even when requested by law enforcement.
C. The Supreme Court precedent holds that information held by third parties, such as financial records, is protected by the Fourth Amendment and may only be disclosed in response to search warrants.
D. The legal obligation of any third parties holding financial records is to report suspicious financial activities to federal law enforcement.
Correct answer: A

The PPA is enforced by which of the following?
A. A private right of action
B. The FBI
C. State attorneys general
D. The FCC
Correct answer: A
Which of the following best describes the primary legislative purpose for implementing the Right to Financial Privacy Act (RFPA)?
A. To compel financial institutions to cooperate with government investigations related to national security
B. To better protect the privacy of financial information held by third parties
C. To protect banks from liability for financial crimes committed by account holders
D. To ensure that financial records remain the legal property of account holders and not the bank
Correct answer: B

The Patriot Act amended all of the following laws except:
A. FISA
B. ECPA
C. The Supreme Court decision in Zurcher v. Stanford Daily
D. The Privacy Protection Act (PPA)
Correct answer: D

Jada is an attorney serving as legal counsel for Zbits Co. Zbits is being sued by a customer claiming the company violated their privacy rights. Jada has just sent a notice to company data custodians to place a legal hold on any records related to this customer. She has also asked Zbits's IT staff to avoid automatically deleting any log files related to that customer. Which step of the eDiscovery process has Jada just completed?
A. Identification
B. Preservation
C. Processing
D. Production
Correct answer: B

Which of the following best illustrates the minimization principle?
A. Surveillance requests must be kept to a minimum under the USA Freedom Act and only authorized in emergencies where national security is at stake.
B. Under the ECPA, internet service providers must destroy all records not deemed essential for conducting business.
C. Raw intelligence gathered under FISA is reviewed by a third party, who redacts any information not connected to the investigation before transmitting the intelligence to government investigators.
D.
All information gathered through government surveillance is reviewed by federal investigators in case any intelligence that was collected incidentally, unrelated to the original investigation, may reveal another previously unknown crime.
Correct answer: C

Who usually leads an eDiscovery process within a company?
A. Chief executive officer
B. Information technology office
C. Chief privacy officer
D. Legal counsel
Correct answer: D

All of the following conditions must be met in order for a federal agency to issue a formal written request for financial records under the RFPA except:
A. The request must be in the scope of the federal agency's statutory authority.
B. The agency must have reason to believe that the records being requested are relevant to an investigation.
C. The agency must provide the customer with a copy of the request before the disclosure is made.
D. The agency must obtain affirmative written consent from the customer before the disclosure is made.
Correct answer: D

National Security Letters are best described as which of the following?
A. Search warrants
B. Administrative subpoenas
C. Judicial subpoenas
D. Gag orders
Correct answer: B

Which of the following is not a requirement under CALEA?
A. Telecommunications companies must design products and services in ways that make them accessible to law enforcement.
B. Telecommunications companies are required to prevent the inadvertent collection of private information that is not related to an investigation.

C. Political affiliation
D. Age
Correct answer: C

Under which conditions are employers prohibited from denying employment based on disability?
A. Employers are never permitted to deny employment based on disability, even if the job seeker is unable to perform the essential functions of the position with reasonable accommodations.
B. Employers are prohibited from denying employment based on physical disabilities but not mental disabilities.
C. When the business is designated as a place of public accommodation under the ADA.
D. When the job seeker meets the qualifications for a position and can perform the essential functions with or without reasonable accommodations.
Correct answer: D

Which of the following departments in a given business is most likely to have primary responsibility for implementing company policies that govern workplace privacy?
A. Information privacy office
B. Human resources
C. Legal counsel
D. Office of the CEO
Correct answer: B

Which of the following statements is not accurate with respect to workplace drug and alcohol testing?
A. The Drug-Free Workplace Act of 1988 required many employers to implement mandatory drug testing programs.
B. Employers should use an evenhanded testing protocol that does not single out individuals for drug and alcohol testing.
C. Many labor union contracts include procedures for drug and alcohol testing of employees.
D. Employers must be careful to avoid collecting private medical information, such as the legal use of prescription medications.
Correct answer: A

Age discrimination is prohibited by which of the following?
A. State laws banning employment discrimination based on age
B. The Age Discrimination in Employment Act
C. The Fair Labor Standards Act
D. Tort law arising from court decisions in civil litigation
Correct answer: B

Which of the following is not commonly a reason why employers implement employee monitoring programs?
A. To monitor employee performance
B. To ensure compliance with company policies
C. To prevent cybersecurity incidents
D. To prevent unionizing activity
Correct answer: D

What is the main reason that employee background screening is regulated by the federal government?
A. Background screening is regulated by the NLRB to prohibit employers from using background screening to discriminate against members of labor unions.
B.
Employee background screening is monitored by the Department of Justice to ensure that information is not gathered in a way that violates the Fourth Amendment.
C. The gathering of background information is regulated by the EEOC because the process may reveal information about an applicant's protected class status.
D. Background screening reports furnished by third parties constitute a consumer report as defined by the FCRA.
Correct answer: D

B. OSHA
C. NLRB
D. DOL
Correct answer: C

Which of the following statements is incorrect when it comes to records retention of personnel files?
A. Companies should have written records retention policies.
B. Records retention policies may reduce legal risks if the company faces eDiscovery requests.
C. Records retention policies should ensure that important personnel information is never misplaced or destroyed.
D. Records retention policies should include instructions on how long different types of records should be kept.
Correct answer: C

Which of the following statements is not true of employee misconduct investigations?
A. All misconduct investigations should be carefully documented.
B. Companies should have a written policy for handling misconduct investigations.
C. The primary goal of misconduct investigations is to protect the rights of any victims.
D. Human resources departments typically coordinate misconduct investigation processes.
Correct answer: C

Why does OSHA's oversight impact workplace privacy?
A. OSHA protects the right of employees to file confidential complaints about workplace safety without fear of retaliation.
B. OSHA may authorize covert monitoring of workplace safety programs.
C. If employees file false complaints to harm a company, OSHA may disclose the complaint to that company.
D. OSHA may inadvertently collect personal information from employees in the course of performing workplace inspections.
Correct answer: A
Which interview practices may HR recommend to reduce the risk of discrimination in hiring?
A. Refrain from asking any questions that may reveal a job seeker's status as a member of a protected class.
B. Conduct separate confidential interviews with HR to allow job seekers to disclose information about their protected class status.
C. Invite job seekers to sign legal waivers to allow more candid conversations in job interviews.
D. Only inquire about protected class status, such as a disability, if the hiring manager thinks it might impact the job seeker's ability to do the job.
Correct answer: A

Which of the following federal agencies has primary responsibility for enforcing workplace privacy legislation?
A. DOL
B. EEOC
C. FTC
D. No single agency has primary responsibility.
Correct answer: D

Which exceptions to the ECPA allow employers to conduct video monitoring in the workplace?
A. The business purpose exception and the exception for workplace safety
B. Obtaining consent and the business purpose exception
C. Obtaining consent and eDiscovery requirements
D. Obtaining consent and an exception for data loss prevention (DLP) programs
Correct answer: B

Jorge runs a smartphone app that allows users to take pictures of their faces and alter them to see how they might look as they age. The app collects scans of facial geometry and stores those scans as data. Jorge earns revenue by selling the user data to third parties. What is the best way for Jorge to avoid violating Washington State law?
A. Notify users about the use of their data and obtain written consent before storing their facial recognition data.
B. Provide users with clear notification about the practice of collecting and selling facial recognition data.
C. Notify users about the use of their data and provide a clear opportunity for users to opt out.
D.
Provide an annual report to the Washington Attorney General detailing information privacy and security safeguards and reporting any breaches. - Correct Answer-A 4. The CCPA may be enforced by which of the following? A. The state attorney general and a limited private right of action B. The state attorney general and the Office of Civil Rights C. The appropriate self regulatory framework, depending on ‐ the industry D. Only through a private right of action - Correct Answer-A pg. 70 professoraxe l 5. NYDFS requires financial organizations to implement a program of data security controls aligned with which of the following? A. GLBA requirements B. The NIST framework C. APEC safe harbor agreements D. FASB accounting rules - Correct Answer-B 6. Which privilege does the CAN SPAM Act grant to states?‐ A. The option for state attorneys general to exempt certain industries from regulation under CAN SPAM‐ B. The option for state legislatures to pass less stringent regulations that may preempt CAN SPAM‐ C. The ability for state regulators to customize the definitions for which communications are in scope under CAN SPAM for ‐ their states D. The ability for states attorneys general to sue violators - Correct Answer-B 2. What is the main reason why each of the 50 states have their own breach notification laws? pg. 71 professoraxe l A. Each state has different circumstances that lead to differing breach notification requirements. B. The federal government has mandated that states must develop breach notification regulations. C. The U.S. Attorney General has referred breach notification authority to the states. D. There is no comprehensive federal breach notification law. - Correct Answer-D 2. State breach notification laws may require organizations to notify which of the following parties? A. Consumers impacted by the breach B. State regulatory authorities C. National credit reporting agencies D. All of the above - Correct Answer-D 3. 
Tennessee's SB 2005 changed the state's breach notification laws in which respect? A. Encrypted data was no longer automatically exempted from the state's definition of a breach. B. The state's notification timeline was reduced to 30 days. pg. 72 professoraxe l C. Civil actions brought by consumers under a private right of action D. Criminal prosecution of company employees who allowed the breach to occur - Correct Answer-D 8. Which of the following states does not have a specific timeline requirement for breach notifications to consumers? A. Indiana B. Alabama C. Washington D. Colorado - Correct Answer-A 9. All of the following are reasons states may enact privacy regulations, except: A. States enact privacy laws to address privacy concerns that are not regulated under federal law. B. States enact privacy laws to correct perceived flaws in federal regulations. C. States enact privacy regulations to allow states to participate in privacy enforcement actions. D. States enact privacy regulations to impose requirements in addition to those in federal laws. - Correct Answer-B pg. 75 professoraxe l 10. Which of the following was the 50th state to enact a comprehensive breach notification law? A. New Mexico B. Alabama C. Arkansas D. Idaho - Correct Answer-B 2. Which of the following must an organization consider in determining whether they must notify consumers of a breach in a given state? A. The nature of the breach and level of risk for consumers B. The state in which the organization is headquartered C. The state definitions for personal information and breach D. The penalties for noncompliance in a given state - Correct Answer-C 2. The New Jersey Personal Information and Privacy Protection Act addresses privacy for which of the following? A. Survey information collected by retailers about customer purchasing preferences pg. 76 professoraxe l B. Information that retailers scan or collect from customer ID cards C. 
Customer credit card information collected by retailers D. Retail customer transaction histories - Correct Answer-B 3. Which of the following laws includes regulations to protect the privacy of consumer reading habits? A. Nevada SB 538 B. DOPPA C. The New Jersey Personal Information and Privacy Protection Act D. CCPA - Correct Answer-B 4. CalECPA provides additional privacy protections for which of the following? A. The education sector B. Electronic health information C. Online communications and activities D. Electronic payment transactions - Correct Answer-C pg. 77 professoraxe l 5. Said's U.S. based company holds personal information of ‐ EU data subjects. In the course of an eDiscovery request, Said is asked to turn over datasets that include this personal information. This disclosure is prohibited by the GDPR. What does this scenario illustrate? A. A failure of the U.S. Privacy Shield program B. A multinational compliance conflict C. The weakness of U.S. privacy laws D. Jurisdictional overreach by the EU - Correct Answer-B 6. A large U.S. based multinational corporation wants to ‐ expand into the EU. The company wants to facilitate seamless international data transfers among its many subsidiaries operating in the United States and the EU. What approach should this company take? A. Join the U.S. EU Privacy Shield program‐ B. BCRs C. SCCs D. CBPR - Correct Answer-B pg. 80 professoraxe l 7. Do U.S. based companies have to comply with requests to ‐ exercise data subject rights under the GDPR even if the company is not operating an EU facing business?‐ A. Yes, if the company has assets in the EU. B. Unsure- this is an unsettled jurisdictional issue. C. Yes, if the personal information in question belongs to an EU data subject. D. No, the EU has no jurisdiction over companies in the United States. - Correct Answer-B 8. What is the CBPR system? A. An EU approved mechanism for international data transfer‐ B. 
An APEC safe harbor program for international data transfer C. An international framework for privacy enforcement D. An APEC program to facilitate better understanding of member nations' privacy laws - Correct Answer-B 9. What was the primary reason that the EU's Court of Justice struck down the U.S. EU Privacy Shield program?‐ A. Concerns that U.S. companies would not comply fully with the program pg. 81 professoraxe l B. Concerns that U.S. requirements for information security safeguards are inadequately enforced C. Concerns that the program couldn't protect personal data of EU subjects from U.S. government surveillance D. Concerns that U.S. companies lack the technical ability to fulfill all of the data subject rights conferred by the GDPR - Correct Answer-C 10. Which of the following is not part of GPEN's mission? A. Encourage dialogue among enforcement agencies. B. Share expertise and professional development. C. Create a clearinghouse for sharing confidential information about ongoing investigations into privacy law violations. D. Exchange information about relevant issues and trends. - Correct Answer-C 2. Pierre lives in Lyon, France, and notices a lot of Internet pop up ads for his local boulangerie. He learns that the ‐ boulangerie uses a digital marketing service based in the United States. Pierre demands the boulangerie stop targeting him with these ads. On what provision is Pierre's demand most likely based? A. The right to erasure pg. 82 professoraxe l A. €30,000,000 B. €20,000,000, or 4% of annual revenue, whatever is greater C. 8% of annual revenue D. €10,000,000 - Correct Answer-B 3. A program that establishes a common regulatory framework to allow trade partners from multiple countries with differing data privacy laws to conduct international data transfers is called: A. Safe harbor program B. Binding corporate rules C. APEC privacy framework 18. D. Bilateral trade agreement - Correct Answer-A 19. Marco runs a creamery in Italy. 
He wants to send his customer data to a small company in the United States by employing SCCs. Based on the EU's requirements for using SCCs, what role in managing the international data transfers does Marco's company play? A. Data importer B. Data exporter pg. 85 professoraxe l C. Data manager D. Data owner - Correct Answer-B 2. GDPR protects data privacy for which of the following populations? A. EU citizens B. EU data subjects C. EU citizens and foreign nationals D. UK citizens - Correct Answer-B pg. 86 professoraxe l