最高で有効なCIPP-US試験問題と解答PDF CIPP-US問題集(最近更新された194問あります) [Q38-Q60]

Share

最高で有効なCIPP-US試験問題と解答PDF CIPP-US問題集(最近更新された194問あります)

試験問題解答はCIPP-US学習ガイド

質問 # 38
SCENARIO
Please use the following to answer the next QUESTION
Noah is trying to get a new job involving the management of money. He has a poor personal credit rating, but he has made better financial decisions in the past two years.
One potential employer, Arnie's Emporium, recently called to tell Noah he did not get a position. As part of the application process, Noah signed a consent form allowing the employer to request his credit report from a consumer reporting agency (CRA). Noah thinks that the report hurt his chances, but believes that he may not ever know whether it was his credit that cost him the job. However, Noah is somewhat relieved that he was not offered this particular position. He noticed that the store where he interviewed was extremely disorganized. He imagines that his credit report could still be sitting in the office, unsecured.
Two days ago, Noah got another interview for a position at Sam's Market. The interviewer told Noah that his credit report would be a factor in the hiring decision. Noah was surprised because he had not seen anything on paper about this when he applied.
Regardless, the effect of Noah's credit on his employability troubles him, especially since he has tried so hard to improve it. Noah made his worst financial decisions fifteen years ago, and they led to bankruptcy. These were decisions he made as a young man, and most of his debt at the time consisted of student loans, credit card debt, and a few unpaid bills - all of which Noah is still working to pay off. He often laments that decisions he made fifteen years ago are still affecting him today.
In addition, Noah feels that an experience investing with a large bank may have contributed to his financial troubles. In 2007, in an effort to earn money to help pay off his debt, Noah talked to a customer service representative at a large investment company who urged him to purchase stocks. Without understanding the risks, Noah agreed. Unfortunately, Noah lost a great deal of money.
After losing the money, Noah was a customer of another financial institution that suffered a large security breach. Noah was one of millions of customers whose personal informationwas compromised. He wonders if he may have been a victim of identity theft and whether this may have negatively affected his credit.
Noah hopes that he will soon be able to put these challenges behind him, build excellent credit, and find the perfect job.
Based on the scenario, which legislation should ease Noah's worry about his credit report as a result of applying at Arnie's Emporium?

  • A. The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA).
  • B. The Red Flags Rule under the Fair and Accurate Credit Transactions Act (FACTA).
  • C. The Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA).
  • D. The Privacy Rule under the Gramm-Leach-Bliley Act (GLBA).

正解:A

解説:
The Department of Commerce (DOC) plays a role in privacy policy by promoting the development and adoption of voluntary codes of conduct, standards, and best practices for the private sector, as well as facilitating cross-border data transfers through mechanisms such as the EU-U.S. Privacy Shield and the APEC Cross-Border Privacy Rules. However, the DOC does not have regulatory authority to enforce privacy laws or impose sanctions for privacy violations. The other agencies listed have some degree of regulatory authority over privacy issues within their respective domains. For example, the Office of the Comptroller of the Currency (OCC) supervises national banks and federal savings associations and enforces the GLBA privacy and security rules for these institutions. The Federal Communications Commission (FCC) regulates interstate and international communications and enforces the privacy and security rules for telecommunications carriers, broadband providers, and voice over internet protocol (VoIP) services. The Department of Transportation (DOT) oversees the transportation sector and enforces the privacy and security rules for airlines, travel agents, and other covered entities under the Aviation and Transportation Security Act (ATSA). References:
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to the
U.S. Privacy Environment, Section 1.3: Federal Agencies with a Role in Privacy, p. 18-19
* IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective
I.B: Identify the major federal agencies with a role inprivacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 7
* IAPP CIPP/US Exam Blueprint, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B:
Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 3


質問 # 39
Within what time period must a commercial message sender remove a recipient's address once they have asked to stop receiving future e-mail?

  • A. 10 days
  • B. 15 days
  • C. 21 days
  • D. 7 days

正解:A

解説:
According to the CAN-SPAM Act of 2003, a federal law that regulates commercial email messages, a commercial message sender must honor a recipient's opt-out request within 10 business days. The sender must provide a clear and conspicuous way for the recipient to opt out of receiving future emails, such as a link or an email address. The sender must not charge a fee, require the recipient to provide any personal information, or make the recipient take any steps other than sending a reply email or visiting a single web page to opt out. The sender must also not sell, exchange, or transfer the email address of the recipient who has opted out, unless it is necessary to comply with the law or prevent fraud.
References:
* IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section B: Communications and Marketing
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Communications and Marketing
* Practice Exam - International Association of Privacy Professionals


質問 # 40
Which of the following is an important implication of the Dodd-Frank Wall Street Reform and Consumer Protection Act?

  • A. Financial institutions must cease sending e-mails and other forms of advertising to customers who opt out of direct marketing
  • B. Financial institutions must use a prescribed level of encryption for most types of customer records
  • C. Financial institutions must help ensure a customer's understanding of products and services
  • D. Financial institutions must avoid collecting a customer's sensitive personal information

正解:C

解説:
The Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB) as an independent agency within the Federal Reserve System. The CFPB has the authority to regulate consumer financial products and services, such as mortgages, credit cards, student loans, and payday loans. One of the main objectives of the CFPB is to promote transparency, fairness, and consumer choice in the financial marketplace. The CFPB has issued rules and guidance to require financial institutions to provide clear and accurate information to consumers about the costs, risks, and benefits of their products and services. The CFPB also has the power to enforce consumer protection laws and prohibit unfair, deceptive, or abusive acts or practices by financial institutions123 References: 1: Dodd-Frank Wall Street Reform and Consumer Protection Act, Title X, Subtitle A, Section 1011. 2: Consumer Financial Protection Bureau, Wikipedia. 3: Dodd-Frank Act: What It Does, Major Components, and Criticisms, Investopedia.


質問 # 41
Which federal act does NOT contain provisions for preempting stricter state laws?

  • A. The Telemarketing Consumer Protection and Fraud Prevention Act
  • B. The Children's Online Privacy Protection Act (COPPA)
  • C. The Fair and Accurate Credit Transactions Act (FACTA)
  • D. The CAN-SPAM Act

正解:A

解説:
The federal act that does NOT contain provisions for preempting stricter state laws is the Telemarketing Consumer Protection and Fraud Prevention Act1. This act authorizes the Federal Trade Commission (FTC) to establish and enforce rules for telemarketing practices, such as the Do Not Call Registry, the prohibition of robocalls, and the disclosure of material information2. However, the act also explicitly states that it does not "annul, alter, or affect, or exempt any person subject to the provisions of this section from complying with, the laws of any State with respect to telemarketing practices, except to the extent that those laws are inconsistent with any provision of this section, and then only to the extent of the inconsistency"1. This means that states can enact and enforce their own laws regarding telemarketing, as long as they are not less protective than the federal law. In contrast, the other three acts listed in the question do contain preemption clauses that limit or override the authority of states to regulate certain aspects of electronic communications, online privacy, and credit transactions345. References: 1: Telemarketing Consumer Protection and Fraud Prevention Act2: Telemarketing Sales Rule | Federal Trade Commission3: CAN-SPAM Act: A Compliance Guide for Business4: Children's Online Privacy Protection Rule ("COPPA") | Federal Trade Commission5: Fair and Accurate Credit Transactions Act of 2003 - Wikipedia : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Federal Trade Commission and Consumer Privacy, p. 144-145, 149-150, 154-155


質問 # 42
SCENARIO
Please use the following to answer the next QUESTION
Noah is trying to get a new job involving the management of money. He has a poor personal credit rating, but he has made better financial decisions in the past two years.
One potential employer, Arnie's Emporium, recently called to tell Noah he did not get a position. As part of the application process, Noah signed a consent form allowing the employer to request his credit report from a consumer reporting agency (CRA). Noah thinks that the report hurt his chances, but believes that he may not ever know whether it was his credit that cost him the job. However, Noah is somewhat relieved that he was not offered this particular position. He noticed that the store where he interviewed was extremely disorganized. He imagines that his credit report could still be sitting in the office, unsecured.
Two days ago, Noah got another interview for a position at Sam's Market. The interviewer told Noah that his credit report would be a factor in the hiring decision. Noah was surprised because he had not seen anything on paper about this when he applied.
Regardless, the effect of Noah's credit on his employability troubles him, especially since he has tried so hard to improve it. Noah made his worst financial decisions fifteen years ago, and they led to bankruptcy. These were decisions he made as a young man, and most of his debt at the time consisted of student loans, credit card debt, and a few unpaid bills - all of which Noah is still working to pay off. He often laments that decisions he made fifteen years ago are still affecting him today.
In addition, Noah feels that an experience investing with a large bank may have contributed to his financial troubles. In 2007, in an effort to earn money to help pay off his debt, Noah talked to a customer service representative at a large investment company who urged him to purchase stocks. Without understanding the risks, Noah agreed. Unfortunately, Noah lost a great deal of money.
After losing the money, Noah was a customer of another financial institution that suffered a large security breach. Noah was one of millions of customers whose personal information was compromised. He wonders if he may have been a victim of identity theft and whether this may have negatively affected his credit.
Noah hopes that he will soon be able to put these challenges behind him, build excellent credit, and find the perfect job.
Based on the scenario, which legislation should ease Noah's worry about his credit report as a result of applying at Arnie's Emporium?

  • A. The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA).
  • B. The Red Flags Rule under the Fair and Accurate Credit Transactions Act (FACTA).
  • C. The Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA).
  • D. The Privacy Rule under the Gramm-Leach-Bliley Act (GLBA).

正解:C


質問 # 43
In March 2012, the FTC released a privacy report that outlined three core principles for companies handling consumer dat a. Which was NOT one of these principles?

  • A. Providing greater transparency.
  • B. Practicing Privacy by Design.
  • C. Simplifying consumer choice.
  • D. Enhancing security measures.

正解:D


質問 # 44
A company based in United States receives information about its UK subsidiary's employees in connection with the centralized HR service it provides.
How can the UK company ensure an adequate level of data protection that would allow the restricted data transfer to continue?

  • A. By allowing each employee the option to opt-out to the restricted transfer, as it is necessary to send their names in order to book the sales bonuses.
  • B. By signing up to an approved code of conduct under UK GDPR to demonstrate compliance with its requirements, both for the parent and the subsidiary companies.
  • C. By submitting to the ICO a new application for the UK BCRs using the UK BCR application forms, as their existing authorized EU BCRs are not recognized.
  • D. By revising the contract with the United States parent company incorporating EU SCCs, as it continues to be valid for restricted transfers under the UK regime.

正解:D

解説:
The UK company can ensure an adequate level of data protection for the restricted data transfer to the US parent company by using the EU Standard Contractual Clauses (SCCs), which are contractual terms that provide safeguards for personal data transferred from the UK to third countries. The UK GDPR recognizes the validity of the EU SCCs adopted before the end of the Brexit transition period, and allows the UK Information Commissioner's Office (ICO) to issue new SCCs in the future. The other options are not correct because:
* A. Signing up to an approved code of conduct under the UK GDPR is not sufficient to ensure an adequate level of data protection for restricted transfers, as it is not a transfer mechanism on its own.
The UK company would still need to use another appropriate safeguard, such as SCCs or Binding Corporate Rules (BCRs), to transfer personal data to the US parent company.
* C. Submitting a new application for the UK BCRs is not necessary, as the UK GDPR recognizes the existing authorized EU BCRs as valid for restricted transfers from the UK. The UK company can continue to rely on its EU BCRs, as long as they are updated to reflect the UK GDPR requirements and the role of the ICO as the competent supervisory authority.
* D. Allowing each employee the option to opt-out to the restricted transfer is not a valid transfer mechanism under the UK GDPR, as it does not provide adequate safeguards for the personal data of the employees. The UK company would need to obtain the explicit consent of each employee for the restricted transfer, which must be freely given, specific, informed, and unambiguous. References:
* UK GDPR, Chapter V, Article 46
* UK GDPR, Chapter V, Article 47
* UK GDPR, Chapter V, Article 49
* ICO guidance on international transfers
* IAPP CIPP/US Study Guide, Chapter 10, Section 10.3.2


質問 # 45
Which federal agency plays a role in privacy policy, but does NOT have regulatory authority?

  • A. The Department of Transportation.
  • B. The Office of the Comptroller of the Currency.
  • C. The Federal Communications Commission.
  • D. The Department of Commerce.

正解:D

解説:
The Department of Commerce (DOC) plays a role in privacy policy by promoting the development and adoption of voluntary codes of conduct, standards, and best practices for the private sector, as well as facilitating cross-border data transfers through mechanisms such as the EU-U.S. Privacy Shield and the APEC Cross-Border Privacy Rules. However, the DOC does not have regulatory authority to enforce privacy laws or impose sanctions for privacy violations. The other agencies listed have some degree of regulatory authority over privacy issues within their respective domains. For example, the Office of the Comptroller of the Currency (OCC) supervises national banks and federal savings associations and enforces the GLBA privacy and security rules for these institutions. The Federal Communications Commission (FCC) regulates interstate and international communications and enforces the privacy and security rules for telecommunications carriers, broadband providers, and voice over internet protocol (VoIP) services. The Department of Transportation (DOT) oversees the transportation sector and enforces the privacy and security rules for airlines, travel agents, and other covered entities under the Aviation and Transportation Security Act (ATSA). References:
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to the
U.S. Privacy Environment, Section 1.3: Federal Agencies with a Role in Privacy, p. 18-19
* IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective
I.B: Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 7
* IAPP CIPP/US Exam Blueprint, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B:
Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 3


質問 # 46
SCENARIO
Please use the following to answer the next QUESTION:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer's privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the main problem with Cheryl's suggested method of communicating the new privacy policy?

  • A. The policy would not be considered valid if not communicated in full.
  • B. Employees might not understand how the documents relate to the policy as a whole.
  • C. Employees would not be comfortable with a policy that is put into action over time.
  • D. The policy might not be implemented consistency across departments.

正解:D

解説:
Cheryl's suggested method of communicating the new privacy policy by creating documents listing applicable parts of the new policy for each department and implementing it gradually over several months may create confusion and inconsistency among employees and customers. Different departments may have different interpretations and expectations of the policy, and customers may not be aware of the changes or their rights under the policy. This may lead to errors, complaints, and violations of the policy and the applicable laws. A better approach would be to communicate the policy in full to all employees and customers at once, and provide training and guidance on how to comply with it. The policy should also be easily accessible and updated on the company's website and other channels. References:
* Privacy Policy for Health Coaches
* Privacy Policies for Online Coaches
* Privacy Policy - Coaching.com


質問 # 47
SCENARIO
Please use the following to answer the next QUESTION
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low- level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed.
Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
Based on the problems with the company's privacy security that Roberta identifies, what is the most likely cause of the breach?

  • A. Lost company property such as a computer or flash drive.
  • B. Mishandling of information caused by lack of access controls.
  • C. Unintended disclosure of information shared with a third party.
  • D. Fraud involving credit card theft at point-of-service terminals.

正解:B

解説:
The scenario describes how the company had no adequate rules about access to customer information and how low-level employees had access to all of the company's customer data, including financial records. This indicates that the company did not implement proper access controls to limit who can access, use, or disclose customer information based on their roles and responsibilities. Access controls are one of the key elements of information security and privacy, as they help prevent unauthorized or inappropriate access to sensitive data.
Without access controls, the company's customer information was vulnerable to mishandling by employees or outsiders who could exploit the weak security measures. Therefore, the most likely cause of the breach was mishandling of information caused by lack of access controls. References:
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Information Management from a U.S. Perspective, Section 4.2: Information Security, p. 113-114
* IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective I.C: Describe the role of information security in privacy, Subobjective I.C.1: Identify the key elements of information security, p. 8


質問 # 48
Which law provides employee benefits, but often mandates the collection of medical information?

  • A. The Family and Medical Leave Act.
  • B. The Occupational Safety and Health Act.
  • C. The Americans with Disabilities Act.
  • D. The Employee Medical Security Act.

正解:A

解説:
The Family and Medical Leave Act (FMLA) is a federal law that provides eligible employees with up to 12 weeks of unpaid, job-protected leave per year for certain family and medical reasons, such as the birth or adoption of a child, the serious health condition of the employee or a family member, or a qualifying exigency arising from the employee's spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces. The FMLA also provides eligible employees with up to 26 weeks of unpaid, job-protected leave per year to care for a covered service member with a serious injury or illness if the employee is the spouse, child, parent, or next of kin of the service member. The FMLA applies to all public agencies, including state, local, and federal employers, and local education agencies (schools), and to private sector employers who employ 50 or more employees for at least 20 workweeks in the current or preceding calendar year.
The FMLA often requires employers to collect medical information from employees who request FMLA leave or from their health care providers to certify the need for leave, the duration of leave, and the employee' s ability to return to work. The FMLA regulations specify the type and amount of information that employers may request and require for different types of FMLA leave, such as:
* Basic medical facts, such as the diagnosis, symptoms, hospitalization, doctor visits, whether medication has been prescribed, and any referrals for evaluation or treatment, for the employee's own serious health condition or that of a family member.
* Information on the medical necessity of intermittent leave or reduced schedule leave and the expected frequency and duration of such leave, for the employee's own serious health condition or that of a family member, or for planned medical treatment.
* A statement of the facts regarding the qualifying exigency, such as the type of military duty, the dates of the covered active duty, and the contact information of the military member, for leave due to a qualifying exigency arising from the employee's spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces.
* Information on the medical condition, treatment, and recovery of the covered service member, such as the date of injury or onset of illness, the current medical status, the prognosis, and the estimated time of treatment, for leave to care for a covered service member with a serious injury or illness.
The FMLA also imposes certain obligations on employers to protect the privacy and security of the medical information they collect from employees or their health care providers. For example, employers must:
* Maintain records and documents relating to medical certifications, recertifications, or medical histories of employees or employees' family members as confidential medical records in separate files/records from the usual personnel files, and if the Americans with Disabilities Act (ADA) applies, such records must be maintained in conformance with ADA confidentiality requirements.
* Ensure that any electronic systems used to maintain such records meet the confidentiality requirements of the FMLA and the ADA, and that only authorized persons have access to such records.
* Limit the disclosure of such records to supervisors and managers who need to know about an employee' s FMLA leave, first aid and safety personnel when an employee's medical condition might require emergency treatment, and government officials investigating compliance with the FMLA.
* Comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule when requesting medical information from an employee's health care provider, such as obtaining a valid authorization from the employee or using a HIPAA-compliant certification form.
* Refrain from requesting more information than allowed by the FMLA regulations, such as asking for an employee's complete medical records or information unrelated to the FMLA leave request.
* Respect the employee's right to revoke a medical authorization or challenge a medical certification, and follow the procedures for resolving disputes over the validity or sufficiency of such documents.
References:
* The Family and Medical Leave Act (FMLA)
* FMLA Employee Guide
* FMLA Employer Guide
* FMLA Regulations
* FMLA Forms


質問 # 49
SCENARIO
Please use the following to answer the next QUESTION
Noah is trying to get a new job involving the management of money. He has a poor personal credit rating, but he has made better financial decisions in the past two years.
One potential employer, Arnie's Emporium, recently called to tell Noah he did not get a position. As part of the application process, Noah signed a consent form allowing the employer to request his credit report from a consumer reporting agency (CRA). Noah thinks that the report hurt his chances, but believes that he may not ever know whether it was his credit that cost him the job. However, Noah is somewhat relieved that he was not offered this particular position. He noticed that the store where he interviewed was extremely disorganized. He imagines that his credit report could still be sitting in the office, unsecured.
Two days ago, Noah got another interview for a position at Sam's Market. The interviewer told Noah that his credit report would be a factor in the hiring decision. Noah was surprised because he had not seen anything on paper about this when he applied.
Regardless, the effect of Noah's credit on his employability troubles him, especially since he has tried so hard to improve it. Noah made his worst financial decisions fifteen years ago, and they led to bankruptcy. These were decisions he made as a young man, and most of his debt at the time consisted of student loans, credit card debt, and a few unpaid bills - all of which Noah is still working to pay off. He often laments that decisions he made fifteen years ago are still affecting him today.
In addition, Noah feels that an experience investing with a large bank may have contributed to his financial troubles. In 2007, in an effort to earn money to help pay off his debt, Noah talked to a customer service representative at a large investment company who urged him to purchase stocks. Without understanding the risks, Noah agreed. Unfortunately, Noah lost a great deal of money.
After losing the money, Noah was a customer of another financial institution that suffered a large security breach. Noah was one of millions of customers whose personal information was compromised. He wonders if he may have been a victim of identity theft and whether this may have negatively affected his credit.
Noah hopes that he will soon be able to put these challenges behind him, build excellent credit, and find the perfect job.
Consumers today are most likely protected from situations like the one Noah had buying stock because of which federal action or legislation?

  • A. The creation of the Consumer Financial Protection Bureau.
  • B. Investigations of "abusive" acts and practices under the Dodd-Frank Wall Street Reform and Consumer Protection Act.
  • C. Federal Trade Commission investigations into "unfair and deceptive" acts or practices.
  • D. The rules under the Fair Debt Collection Practices Act.

正解:B


質問 # 50
Sarah lives in San Francisco, Californi
a. Based on a dramatic increase in unsolicited commercial emails, Sarah believes that a major social media platform with over 50 million users has collected a lot of personal information about her. The company that runs the platform is based in New York and France.
Why is Sarah entitled to ask the social media platform to delete the personal information they have collected about her?

  • A. Any company with a presence in Europe must comply with the General Data Protection Regulation globally, including in response to data subject deletion requests.
  • B. The New York "Stop Hacks and Improve Electronic Data Security" (SHIELD) Act requires that businesses under New York's jurisdiction must delete customers' personal information upon request.
  • C. Under Section 5 of the FTC Act, the Federal Trade Commission has held that refusing to delete an individual's personal information upon request constitutes an unfair practice.
  • D. The California Consumer Privacy Act entitles Sarah to request deletion of her personal information.

正解:D


質問 # 51
Which statement is FALSE regarding the provisions of the Employee Polygraph Protection Act of 1988 (EPPA)?

  • A. The EPPA includes an exception that allows polygraph tests in professions in which employee honesty is necessary for public safety.
  • B. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits.
  • C. Employers involved in the manufacture of controlled substances may terminate employees based on polygraph results if other evidence exists.
  • D. The EPPA requires that employers post essential information about the Act in a conspicuous location.

正解:B

解説:
Section: (none)
Explanation


質問 # 52
Which of the following is most likely to provide privacy protection to private-sector employees in the United States?

  • A. The U.S. Department of Health and Human Services (HHS)
  • B. Amendments one, four, and five of the U.S. Constitution
  • C. The Federal Trade Commission Act (FTC Act)
  • D. State law, contract law, and tort law

正解:D


質問 # 53
Which of the following federal agencies does NOT have regulatory authority related to privacy?

  • A. Federal Reserve
  • B. Consumer Financial Protection Bureau.
  • C. U.S. Department of Commerce.
  • D. U.S. Department of Transportation.

正解:C

解説:
The U.S. Department of Commerce (DOC) is a federal agency that promotes economic growth, trade, and innovation, but does not have regulatory authority related to privacy. The DOC administers several voluntary privacy frameworks, such as the Privacy Shield, the APEC Cross-Border Privacy Rules, and the NIST Privacy Framework, but these are not legally binding or enforceable by the DOC12. The DOC also participates in international privacy negotiations and dialogues, but does not have the power to issue rules or regulations on privacy matters3.
The other three options are examples of federal agencies that do have regulatory authority related to privacy. The Consumer Financial Protection Bureau (CFPB) is an independent agency that enforces consumer protection laws, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Dodd-Frank Act, which contain privacy and data security provisions4. The U.S. Department of Transportation (DOT) is a federal agency that regulates transportation safety, security, and infrastructure, and has issued privacy rules for airlines, motor carriers, and railroads. The FederalReserve (FRB) is an independent agency that oversees the nation's monetary policy, banking system, and financial stability, and has issued privacy rules for financial institutions under its jurisdiction. References: 1: Privacy Shield Program Overview | International Trade Administration 2: NIST Privacy Framework | NIST 3: Privacy and Data Security | U.S. Department of Commerce 4: Consumer Financial Protection Bureau - Wikipedia : [Privacy | US Department of Transportation] : [Privacy - Federal Reserve Board]


質問 # 54
SCENARIO
Please use the following to answer the next QUESTION:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A.
HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B.
As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
What is the most significant reason that the U.S. Department of Health and Human Services (HHS) might impose a penalty on HealthCo?

  • A. Because HealthCo did not conduct due diligence to verify or monitor CloudHealth's security measures
  • B. Because CloudHealth violated its contract with HealthCo by not encrypting the ePHI
  • C. Because HIPAA requires the imposition of a fine if a data breach of this magnitude has occurred
  • D. Because HealthCo did not require CloudHealth to implement appropriate physical and administrative measures to safeguard the ePHI

正解:A


質問 # 55
Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law?

  • A. If the data involved was encrypted.
  • B. If the entity followed internal notification procedures compatible with state law.
  • C. If the entity was subject to the GLBA Safeguards Rule.
  • D. If the data involved was accessed but not exported.

正解:D

解説:
Most state breach notification laws require entities to notify affected individuals and/or regulators when there is unauthorized access to or acquisition of personal information that compromises its security, confidentiality, or integrity. However, some states provide exceptions to this requirement under certain conditions, such as:
* If the data involved was encrypted or otherwise rendered unreadable or unusable, and the encryption key or other means of access was not compromised. This is based on the assumption that encrypted data is not accessible to unauthorized parties, even if they obtain the data.
* If the entity was subject to and complied with another federal or state law that provides similar or greater protection and notification requirements, such as the GLBA Safeguards Rule or the HIPAA Breach Notification Rule. This is to avoid duplication or inconsistency of obligations for entities that are already regulated by other laws.
* If the entity conducted a risk assessment and determined that there is no reasonable likelihood of harm to the affected individuals, based on factors such as the nature and extent of the data, the circumstances of the breach, the evidence of misuse, and the ability to mitigate the risk. This is to allow entities to exercise some discretion and judgment in evaluating the potential impact of the breach.
However, none of the state laws provide an exception for the mere access of data without exportation. Access alone is considered a breach that triggers the notification requirement, unless one of the other conditions applies. Therefore, option B is not a sufficient excuse for not providing breach notification under state law.
References:
* [IAPP CIPP/US Study Guide], Chapter 9: State Data Security Laws, pp. 209-211.
* CIPP/US Practice Questions (Sample Questions), Question 29.


質問 # 56
When does the Telemarketing Sales Rule require an entity to share a do-not-call request across its organization?

  • A. When the operational structures of its divisions are not transparent
  • B. When a call is not the result of an error or other unforeseen cause
  • C. When the goods and services sold by its divisions are very similar
  • D. When the entity manages user preferences through multiple platforms

正解:A

解説:
* The Telemarketing Sales Rule (TSR) is a federal regulation that implements the Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994. The TSR aims to protect consumers from deceptive or abusive telemarketing practices, such as unwanted calls, false or misleading claims, unauthorized billing, and privacy violations1.
* The TSR requires telemarketers and sellers to comply with the National Do Not Call Registry, which is a list of phone numbers of consumers who have indicated that they do not want to receive telemarketing calls2.
* The TSR also requires telemarketers and sellers to honor the do-not-call requests of individual consumers, regardless of whether their numbers are on the National Do Not Call Registry or not2.
* A do-not-call request is a statement made by a consumer, either orally or in writing, that they do not wish to receive any more calls from a specific telemarketer or seller2.
* The TSR requires an entity to share a do-not-call request across its organization when the operational structures of its divisions are not transparent to consumers3. This means that the entity must treat the do- not-call request as if it applies to all of its affiliates and subsidiaries that engage in telemarketing, unless the consumer would reasonably expect them to be separate and distinct entities based on their names, products, or services3.
* The TSR does not require an entity to share a do-not-call request across its organization in the following situations:
* When the goods and services sold by its divisions are very similar. This is not a relevant factor for determining whether the entity must share a do-not-call request across its organization. The key factor is whether the consumers can distinguish between the different divisions based on their operational structures3.
* When a call is not the result of an error or other unforeseen cause. This is not an exception to the requirement to honor a do-not-call request. The TSR prohibits telemarketers and sellers from calling a consumer who has made a do-not-call request, unless the call falls under one of the specific exemptions, such as calls from or on behalf of tax-exempt nonprofit organizations, calls to consumers with whom the seller has an established business relationship, or calls to consumers who have given prior express written consent2.
* When the entity manages user preferences through multiple platforms. This is not an excuse for not sharing a do-not-call request across its organization. The TSR requires telemarketers and sellers to maintain an internal do-not-call list of consumers who have asked them not to call again, and to update the list at least once every 31 days2. The entity must ensure that the do-not- call request is recorded and communicated across all of its platforms that are used for telemarketing purposes3.
References: 1: Telemarketing Sales Rule 2: Q&A for Telemarketers & Sellers About DNC Provisions in TSR 3: Federal Register :: Telemarketing Sales Rule


質問 # 57
Which of the following became the first state to pass a law specifically regulating the practices of data brokers?

  • A. California.
  • B. Washington.
  • C. New York.
  • D. Vermont.

正解:D


質問 # 58
If an organization maintains data classified as high sensitivity in the same system as data classified as low sensitivity, which of the following is the most likely outcome?

  • A. Temporary employees will be able to find the data necessary to fulfill their responsibilities.
  • B. The impact of an organizational data breach will be more severe than if the data had been segregated.
  • C. The organization will be able to address legal discovery requests efficiently without producing more information than necessary.
  • D. The organization will still be in compliance with most sector-specific privacy and security laws.

正解:B

解説:
"Holding all data in one system can increase the consequences of a single breach" Excerpt From: "IAPP_US_TB_US-Private-Sector-Privacy-3E_1.0." Apple Books.


質問 # 59
What role does the U.S. Constitution play in the area of workplace privacy?

  • A. It provides significant protections to federal and state governments, but not to private-sector employment
  • B. It provides enforcement resources to large employers, but not to small businesses
  • C. It provides contractual protections to members of labor unions, but not to employees at will
  • D. It provides legal precedent for physical information security, but not for electronic security

正解:D


質問 # 60
......

認定問題集でCertified Information Privacy Professional CIPP-USガイド100%有効な:https://jp.fast2test.com/CIPP-US-premium-file.html

問題集であなたのCIPP-US Certified Information Privacy Professional/United States (CIPP/US)は100%一発でパス:https://drive.google.com/open?id=1LCyTnKPzqdpRvcc4IcqG0vnA8DojI-16


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어