IAPP CIPP-US Certified Information Privacy Professional/United States CIPP/US Exam Practice Test

Page: 1 / 14
Total 195 questions

Want more questions? Get Premium Access.
()

Question 1

SCENARIO

Please use the following to answer the next question;

Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence. Unbeknownst to Patrick, the FBI has already received a hint from anonymous whistleblower, and jointly with the National Secunty Agency is investigating Jane's possible implication in a sophisticated foreign espionage campaign

Ever since the pandemic. Jane has been working from home. To complete her daily tasks she uses her corporate laptop, which after each togin conspicuously provides notice that the equipment belongs to Jones Labs and may be monitored according to the enacted privacy policy and employment handbook Jane also has a corporate mobile phone that she uses strictly for business, the terms of which are defined in her employment contract and elaborated upon in her employee handbook. Both the privacy policy and the employee handbook are revised annually by a reputable California law firm specializing in privacy law. Jane also has a personal iPhone that she uses for private purposes only.

Jones Labs has its primary data center in San Francisco, which is managed internally by Jones Labs engineers The secondary data center, managed by Amazon AWS. is physically located in the UK for disaster recovery purposes. Jones Labs' mobile devices backup is managed by a mid-sized mobile delense company located in Denver, which physically stores the data in Canada to reduce costs. Jones Labs MS Office documents are securely stored in a Microsoft Office 365 data

When storing Jane's fingerprint for remote authentication. Jones Labs should consider legality issues under which of the following9

AThe Privacy Rule of the HITECH Act.

BThe California loT Security Law (SB 327).

CThe applicable state law such as Illinois BIPA

DThe federal Genetic Information Nondiscrimination Act (GINA).

Answer : C

When storing biometric data, such as fingerprints, organizations in the U.S. must comply with state-specific biometric privacy laws if they operate in states that regulate biometric information. The most prominent of these laws is the Illinois Biometric Information Privacy Act (BIPA), but similar laws also exist or are developing in other states, such as Texas and Washington.

Key Considerations for Storing Biometric Data:

Illinois Biometric Information Privacy Act (BIPA): BIPA (740 ILCS 14) is a leading and highly influential state law regulating the collection, storage, and use of biometric information. It requires organizations to:

Obtain informed, written consent before collecting biometric data.

Establish a publicly available policy governing the retention and destruction of biometric data.

Use a reasonable standard of care to protect biometric data from unauthorized access or use.

Prohibit the sale or transfer of biometric data without consent.

California and Biometric Data: While California's California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide general protections for personal information, including biometric data, they do not have the specific consent and handling requirements that BIPA does. Nevertheless, California residents have rights related to access, deletion, and the sale of biometric information.

Explanation of Options:

A. The Privacy Rule of the HITECH Act: The HITECH Act applies to the protection of protected health information (PHI) under HIPAA. While the Privacy Rule regulates healthcare-related information, it does not apply to Jane's biometric data used for remote authentication unless it is tied to PHI. This scenario is unrelated to healthcare, so this answer is incorrect.

B. The California IoT Security Law (SB 327): California's IoT Security Law primarily focuses on ensuring security requirements for connected devices. It does not regulate the collection or storage of biometric information. This is not relevant to the question.

C. The applicable state law such as Illinois BIPA: This is correct. State biometric privacy laws, such as Illinois BIPA, explicitly govern the collection, storage, and use of biometric data like fingerprints. Organizations like Jones Labs must ensure compliance with such laws, including obtaining consent and properly securing and destroying biometric information.

D. The federal Genetic Information Nondiscrimination Act (GINA): GINA prohibits discrimination based on genetic information in employment and health insurance. However, it does not regulate the storage of biometric data like fingerprints. This is not applicable to this scenario.

Best Practices for Compliance:

Jones Labs should:

Understand the applicable state biometric laws: If Jane resides in Illinois or other states with biometric laws, Jones Labs must comply with those specific legal requirements.

Obtain informed consent: Ensure that employees like Jane sign a written consent form before storing their fingerprints for authentication.

Secure biometric data: Use strong encryption and other security measures to protect the biometric information.

Define retention and destruction policies: Clearly establish how long biometric data will be stored and how it will be destroyed after its purpose is fulfilled.

Reference from CIPP/US Materials:

Illinois Biometric Information Privacy Act (BIPA): Sets the standard for biometric privacy regulations in the U.S.

California Consumer Privacy Act (CCPA): Protects personal information but does not specifically regulate biometric data like fingerprints with the same rigor as BIPA.

IAPP CIPP/US Certification Textbook: Discusses the emergence of state-specific biometric privacy laws and their applicability in different scenarios.

Question 2

Which of the following would best provide a sufficient consumer disclosure under the Fair Credit Reporting Act (FCRA) prior to a consumer report being obtained for employment purposes?

AA verbal notice provided with a conditional offer of employment

BA notice provision in an electronic employment application.

CA notice provision in a mailed offer letter.

DA standalone notice document.

Answer : D

Under the Fair Credit Reporting Act (FCRA), employers are required to provide a clear and conspicuous disclosure in a standalone document before obtaining a consumer report (e.g., a background check) for employment purposes. This requirement ensures that the individual is fully aware that a consumer report will be obtained and consents to the process.

Requirements for a Sufficient Consumer Disclosure:

Clear and Conspicuous Disclosure: Employers must inform the individual, in writing, that a consumer report may be obtained for employment purposes.

Standalone Document: The disclosure must be provided in a separate document not combined with other materials, such as an employment application. This ensures the individual's attention is focused on the notice.

Written Authorization: Employers must obtain written authorization from the individual before procuring the consumer report.

Explanation of Options:

A. A verbal notice provided with a conditional offer of employment: Verbal notice is insufficient under FCRA, which requires a written, standalone disclosure.

B. A notice provision in an electronic employment application: Embedding the disclosure in an employment application would not meet the FCRA requirement for a standalone document and could be legally invalid.

C. A notice provision in a mailed offer letter: Including the disclosure in an offer letter does not satisfy the requirement for a separate, standalone document.

D. A standalone notice document: This is the correct answer, as the FCRA explicitly requires the disclosure to be in a separate document to ensure clarity and compliance.

Reference from CIPP/US Materials:

FCRA Section 604(b) (15 U.S.C. 1681b(b)): Requires a clear and conspicuous standalone disclosure before obtaining a consumer report for employment purposes.

IAPP CIPP/US Certification Textbook: Explains the FCRA requirements for employment-related consumer reports, including the disclosure and authorization process.

Question 3

What consumer protection did the Fair and Accurate Credit Transactions Act (FACTA) require?

AThe ability to correct inaccurate credit report information

BThe truncation of account numbers on credit card receipts

CThe right to request removal from email lists.

DThe issuing of notice when third-party data is used in an adverse decision

Answer : B

The Fair and Accurate Credit Transactions Act (FACTA) is a U.S. federal law enacted in 2003 that amended the Fair Credit Reporting Act (FCRA). It introduced a variety of provisions designed to combat identity theft and protect consumer information. One of the key consumer protections required by FACTA is the truncation of credit and debit card numbers on receipts to prevent identity theft.

Details of the Truncation Requirement:

FACTA Section 113 (15 U.S.C. 1681c(g)): Retailers are prohibited from printing more than the last five digits of a credit or debit card number on electronically generated receipts. Additionally, the card's expiration date must also be excluded.

This requirement applies to point-of-sale and other electronically printed receipts and aims to reduce the risk of credit card fraud and identity theft.

Explanation of Options:

A. The ability to correct inaccurate credit report information: This right is protected under the Fair Credit Reporting Act (FCRA), not FACTA specifically.

B. The truncation of account numbers on credit card receipts: This is correct, as it is one of the most notable protections introduced by FACTA to prevent identity theft.

C. The right to request removal from email lists: This right is not provided under FACTA but may be addressed by other laws, such as the CAN-SPAM Act.

D. The issuing of notice when third-party data is used in an adverse decision: This requirement is a provision of the FCRA, not FACTA.

Reference from CIPP/US Materials:

FACTA Section 113 (15 U.S.C. 1681c(g)): Details the truncation requirements for credit and debit card receipts.

IAPP CIPP/US Certification Textbook: Highlights FACTA's measures to protect consumer financial information and prevent identity theft.

Question 4

SCENARIO

Please use the following to answer the next question;

Miraculous Healthcare is a large medical practice with multiple locations in California and Nevad

a. Miraculous normally treats patients in person, but has recently decided to start offering tliehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app

For this new initiative. Miraculous is considering a product built by MedApps, a company that makes quality teleheaith apps for healthcare practices and licenses them to be used with the practices" branding. MedApps provides technical support for the app. which it hosts in the cloud. MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service

Riya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices. as well as negotiating the terms of vendor agreements. Riya is currently reviewing the suitability of the MedApps app from a privacy perspective.

Riya has also been asked by the Miraculous Healthcare business operations team to review the MedApps' optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedAppsa

If MedApps receives an access request under CCPAfrom a California-based app user, how should It handle the request?

AMedApps should immediately begin deleting the user's data.

BMedApps should provide the privacy notice in an easily readable format

CMedApps should decline the request because MedApps is not based In California.

DMedApps should promptly forward the request to Miraculous for instructions on handling.

Answer : D

Under the California Consumer Privacy Act (CCPA), businesses are required to respond to consumer requests for access, deletion, or information about how their data is processed. However, the responsibilities differ depending on whether the entity is acting as a business or a service provider under the CCPA.

Key CCPA Definitions:

Business:

The entity that determines the purposes and means of processing personal information.

In this scenario, Miraculous Healthcare is the business because it determines how the app and its associated data are used to deliver healthcare services.

Service Provider:

The entity that processes personal information on behalf of the business pursuant to a contractual agreement.

MedApps acts as a service provider because it is hosting and managing the app and the data on behalf of Miraculous Healthcare.

As a service provider, MedApps is restricted in how it can handle consumer data and must follow the instructions of the business (Miraculous Healthcare) for any data-related requests. Therefore, if MedApps receives an access or deletion request from a California-based user, it must forward the request to Miraculous Healthcare, which is responsible for determining how to respond in compliance with the CCPA.

Explanation of Options:

A. MedApps should immediately begin deleting the user's data: This is incorrect because MedApps cannot act independently in responding to access or deletion requests under CCPA. As a service provider, it must follow the instructions of the business (Miraculous Healthcare).

B. MedApps should provide the privacy notice in an easily readable format: This is irrelevant to the question. While providing a privacy notice in a readable format is a CCPA requirement, it does not address how to handle an access request.

C. MedApps should decline the request because MedApps is not based in California: This is incorrect. CCPA applies to businesses and service providers that collect or process personal data of California residents, regardless of whether the entity itself is physically located in California.

D. MedApps should promptly forward the request to Miraculous for instructions on handling: This is correct. Under CCPA, service providers are required to cooperate with the business and must forward consumer requests to the business for guidance and action. MedApps' role as a service provider obligates it to defer to Miraculous Healthcare's instructions.

Relevant Reference from CIPP/US Materials:

CCPA Section 1798.140(v): Defines a service provider and outlines its obligations to process personal information only on behalf of the business and in accordance with contractual terms.

CCPA Section 1798.105(c): States that service providers are not required to delete personal information unless instructed to do so by the business.

IAPP CIPP/US Certification Textbook: Discusses the roles of businesses and service providers under the CCPA and their respective responsibilities regarding consumer requests.

Practical Considerations:

Riya, as the Privacy Officer at Miraculous Healthcare, should ensure that the Business Associate Agreement (BAA) and any CCPA-specific contract provisions with MedApps clearly define:

The process for handling consumer requests under CCPA.

The requirement for MedApps to promptly notify and defer to Miraculous Healthcare for any such requests.

Conclusion:

MedApps, as a service provider, is not authorized to respond to CCPA access or deletion requests independently. It must forward the request to Miraculous Healthcare for instructions.

Question 5

SCENARIO

Please use the following to answer the next question;

Miraculous Healthcare is a large medical practice with multiple locations in California and Nevad

a. Miraculous normally treats patients in person, but has recently decided to start offering teleheaith appointments, where patients can have virtual appointments with on-site doctors via a phone app

For this new initiative. Miraculous is considering a product built by MedApps, a company that makes quality teleheaith apps for healthcare practices and licenses them to be used with the practices' branding. MedApps provides technical support for the app. which it hosts in the cloud MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service

Riya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices. as well as negotiating the terms of vendor agreements Riya is currently reviewing the suitability of the MedApps app from a privacy perspective.

What is the most practical action Riya can take to minimize the privacy risks of using an app for telehealth appointments?

APrevent MedApps from using copies of the patient data.

BRequire MedApps to obtain consent from all patients.

CRequire MedApps to submit a SOC2 report.

DEngage in active oversight of MedApps

Answer : D

When handling sensitive data, such as protected health information (PHI) in compliance with HIPAA, it is crucial for covered entities, such as Miraculous Healthcare, to ensure that their business associates (e.g., MedApps) appropriately safeguard the data they process. While contracts like Business Associate Agreements (BAAs) establish the obligations of business associates, active oversight by the covered entity is a practical and necessary step to mitigate privacy risks and ensure compliance.

Why Active Oversight is the Best Option:

Active oversight involves regular monitoring, audits, and reviews of MedApps' practices to ensure they comply with the agreed-upon privacy and security obligations.

This approach allows Miraculous Healthcare to confirm that MedApps is implementing appropriate technical and organizational safeguards, such as encryption, secure access controls, and breach notification processes.

It also ensures that MedApps remains compliant with HIPAA requirements over time, even if there are changes to the app, its services, or legal requirements.

Explanation of Options:

A. Prevent MedApps from using copies of the patient data: While restricting MedApps from creating unnecessary data copies could reduce some risks, it is often impractical, especially for troubleshooting, app hosting, and support purposes. HIPAA does not require outright prevention of data copies, as long as PHI is appropriately safeguarded and used solely for permissible purposes.

B. Require MedApps to obtain consent from all patients: Under HIPAA, covered entities (not business associates) are primarily responsible for obtaining patient consent or authorization where required. MedApps, as a business associate, processes PHI on behalf of Miraculous Healthcare and is not in a position to obtain consent directly from patients.

C. Require MedApps to submit a SOC2 report: A SOC 2 (Service Organization Control 2) report can provide valuable assurance regarding MedApps' security, availability, and confidentiality practices. However, this action alone does not mitigate all risks, as SOC 2 reports are point-in-time assessments and may not reflect ongoing compliance or address specific HIPAA requirements.

D. Engage in active oversight of MedApps: This is the most practical and comprehensive approach. Active oversight includes reviewing MedApps' privacy practices, conducting periodic assessments, and monitoring compliance with the Business Associate Agreement (BAA). It ensures that MedApps continues to protect PHI appropriately and addresses any privacy risks proactively.

Additional Context:

In the context of the optional benchmarking service, Riya should ensure:

The uploaded data is de-identified or aggregated to comply with HIPAA's de-identification standard (45 CFR 164.514) if possible.

The use of PHI for benchmarking is explicitly addressed in the BAA or a separate agreement.

Reference from CIPP/US Materials:

HIPAA Privacy Rule (45 CFR 160.103 and 164.504): Describes the responsibilities of covered entities and business associates, including the need for BAAs and safeguards for PHI.

NIST Privacy Framework and NIST SP 800-53: Provides guidance on implementing oversight mechanisms for third-party risk management.

IAPP CIPP/US Certification Textbook: Discusses the importance of vendor management and active oversight in ensuring privacy compliance.

Conclusion:

Requiring MedApps to submit a SOC 2 report or restricting data use might address specific concerns but would not provide the comprehensive, ongoing protection necessary to reduce risks effectively. Engaging in active oversight is the most practical and effective action to minimize privacy risks while maintaining compliance with HIPAA.

Question 6

Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law?

AIf the data involved was encrypted.

BIf the data involved was accessed but not exported.

CIf the entity was subject to the GLBA Safeguards Rule.

DIf the entity followed internal notification procedures compatible with state law.

Answer : B

Most state breach notification laws require entities to notify affected individuals and/or regulators when there is unauthorized access to or acquisition of personal information that compromises its security, confidentiality, or integrity. However, some states provide exceptions to this requirement under certain conditions, such as:

If the data involved was encrypted or otherwise rendered unreadable or unusable, and the encryption key or other means of access was not compromised. This is based on the assumption that encrypted data is not accessible to unauthorized parties, even if they obtain the data.

If the entity was subject to and complied with another federal or state law that provides similar or greater protection and notification requirements, such as the GLBA Safeguards Rule or the HIPAA Breach Notification Rule. This is to avoid duplication or inconsistency of obligations for entities that are already regulated by other laws.

If the entity conducted a risk assessment and determined that there is no reasonable likelihood of harm to the affected individuals, based on factors such as the nature and extent of the data, the circumstances of the breach, the evidence of misuse, and the ability to mitigate the risk. This is to allow entities to exercise some discretion and judgment in evaluating the potential impact of the breach.

However, none of the state laws provide an exception for the mere access of data without exportation. Access alone is considered a breach that triggers the notification requirement, unless one of the other conditions applies. Therefore, option B is not a sufficient excuse for not providing breach notification under state law.

[IAPP CIPP/US Study Guide], Chapter 9: State Data Security Laws, pp. 209-211.

CIPP/US Practice Questions (Sample Questions), Question 29.

Question 7

In 2011, the FTC announced a settlement with Google regarding its social networking service Google Buzz. The FTC alleged that in the process of launching the service, the company did all of the following EXCEPT?

AViolated its own privacy policies.

BEngaged in deceptive trade practices.

CFailed to comply with Safe Harbor principles.

DFailed to employ sufficient security safeguards.

Answer : D

The FTC alleged that Google violated its own privacy policies, engaged in deceptive trade practices, and failed to comply with Safe Harbor principles when it launched Google Buzz, a social networking service that automatically enrolled Gmail users and exposed their email contacts and other personal information without their consent or control. The FTC did not allege that Google failed to employ sufficient security safeguards, although it did require Google to implement a comprehensive privacy program and submit to regular privacy audits as part of the settlement. The other statements are incorrect because:

A . Violated its own privacy policies: The FTC alleged that Google violated its own privacy policies by using information collected from Gmail users for a purpose that was incompatible with the purpose for which the information was collected, without obtaining their affirmative consent. Google's privacy policy stated that 'When you sign up for a particular service that requires registration, we ask you to provide personal information.If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.'1

B . Engaged in deceptive trade practices: The FTC alleged that Google engaged in deceptive trade practices by misrepresenting the extent to which consumers could exercise control over the collection, use, and sharing of their personal information through Google Buzz. For example, Google offered consumers the option to decline or turn off Google Buzz, but the option was ineffective and did not fully remove the consumer from the social network.Google also misled consumers about how their email contacts would be treated on Google Buzz, and failed to disclose that certain information, such as the user's frequent email contacts, would be made public by default.1

C . Failed to comply with Safe Harbor principles: The FTC alleged that Google failed to comply with the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data from the European Union to the United States in a way that meets EU data protection requirements. Google had self-certified to the Department of Commerce that it adhered to the Safe Harbor Privacy Principles, which include notice, choice, access, and enforcement.The FTC alleged that Google's conduct violated the notice and choice principles, as well as the requirement to adhere to the Safe Harbor FAQs.1Reference:FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network,Google, Inc., In the Matter of,Google settles with FTC over Buzz; Privacy policies to be audited for two decades,Google Settles FTC Complaint over Google Buzz Privacy