IAPP CIPP-US Exam Dumps

What type of material is exempt from an individual’s right to disclosure under the Privacy Act?

What important action should a health care provider take if the she wants to qualify for funds under the Health Information Technology for Economic and Clinical Health Act (HITECH)?

SCENARIO Please use the following to answer the next QUESTION: Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state’s Do Not Call list, as well as the people on it. “If they were really serious about not being bothered,” Evan said, “They’d be on the national DNC list. That’s the only one we’re required to follow. At SunriseLynx, we call until they ask us not to.” Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call “another time.” This, to Larry, is a clear indication that they don’t want to be called at all. Evan doesn’t see it that way. Larry believes that Evan’s arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social media. However, following Evan’s political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions. Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though this name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan’s leadership. Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker’s belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss. Larry wants to take action, but is uncertain how to proceed. In regard to telemarketing practices, Evan the supervisor has a misconception regarding? 

Which of the following best describes how federal anti-discrimination laws protect the privacy of private-sector employees in the United States?

Although an employer may have a strong incentive or legal obligation to monitor employees’ conduct or behavior, some excessive monitoring may be considered an intrusion on employees’ privacy? Which of the following is the strongest example of excessive monitoring by the employer? 

Under state breach notification laws, which is NOT typically included in the definition of personal information?

Why was the Privacy Protection Act of 1980 drafted?  

Once a breach has been definitively established, which task should be prioritized next? 

What practice does the USA FREEDOM Act NOT authorize? 

SCENARIO Please use the following to answer the next QUESTION: Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse. Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients’ Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues. On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution. He was also curious about the hospital’s use of a billing company. He Questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients’ care. On his first day Declan became familiar with all areas of the hospital’s large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened. Despite Declan’s concern about this issue, he was amazed by the hospital’s effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide. Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this. In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing. Although Declan’s day ended with many Questions, he was pleased about his new position. Based on the scenario, what is the most likely way Declan’s supervisor would answer his question about the hospital’s use of a billing company? 

Which of the following is most likely to provide privacy protection to private-sector employees in the United States? 

Under the Fair and Accurate Credit Transactions Act (FACTA), what is the most appropriate action for a car dealer holding a paper folder of customer credit reports? 

A covered entity suffers a ransomware attack that affects the personal health information (PHI) of more than 500 individuals. According to Federal law under HIPAA, which of the following would the covered entity NOT have to report the breach to? 

Under the Driver’s Privacy Protection Act (DPPA), which of the following parties would require consent of an individual in order to obtain his or her Department of Motor Vehicle information?

Which of the following best describes private-sector workplace monitoring in the United 

John, a California resident, receives notification that a major corporation with $500 million in annual revenue has experienced a data breach. John’s personal information in their possession has been stolen, including his full name and social security numb. John also learns that the corporation did not have reasonable cybersecurity measures in place to safeguard his personal information. Which of the following answers most accurately reflects John’s ability to pursue a legal claim against the corporation under the California Consumer Privacy Act (CCPA)?

What consumer service was the Fair Credit Reporting Act (FCRA) originally intended to provide? 

In a case of civil litigation, what might a defendant who is being sued for distributing an employee’s private information face? 

SCENARIO Please use the following to answer the next QUESTION Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S. and Asia. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework. Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station’s network and was able to steal data relating to employees in the company’s Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself. The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements. What can Otto do to most effectively minimize the privacy risks involved in using a cloud provider for the HR data? 

SCENARIO Please use the following to answer the next QUESTION When there was a data breach involving customer personal and financial information at a large retail store, the company’s directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low- level employees had access to all of the company’s customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s. Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees’ access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers’ financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it. When the breach occurred, the company’s executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta’s guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws. Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee. Which principle of the Consumer Privacy Bill of Rights, if adopted, would best reform the company’s privacy program? 

SCENARIO Please use the following to answer the next QUESTION: A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data handling practices. The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: “Please act immediately by identifying all personal data received from our company.” This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup’s rapid market penetration. As the Company’s data privacy leader, you are sensitive to the criticality of the relationship with the retailer. Under the GDPR, the complainant’s request regarding her personal information is known as what? 

What information did the Red Flag Program Clarification Act of 2010 add to the original Red Flags rule? 

What practice do courts commonly require in order to protect certain personal information on documents, whether paper or electronic, that is involved in litigation? 

Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law? 

In which situation would a policy of “no consumer choice” or “no option” be expected?