[Q63-Q84] 2025 Reliable Study Materials & Testing Engine for CIPP-US Exam Success!

Share

2025 Reliable Study Materials & Testing Engine for CIPP-US Exam Success!

Validate your Skills with Updated CIPP-US Exam Questions & Answers and Test Engine


Prerequisites

Commonly, candidates do not have specific conditions to meet before they sit for the CIPP-US exam. However, one needs to have a basic understanding of data protection policies and concepts in the country. If a candidate does not have prior experience in the industry that will have exposed them to the concepts and skills tested, they should study the Body of Knowledge for this certificate, the certification handbook, as well as the exam outline.


IAPP CIPP-US exam consists of 90 multiple-choice questions, and individuals have 2.5 hours to complete the exam. CIPP-US exam covers four main categories: U.S. privacy laws and regulations, privacy program governance, data breaches, and privacy issues in the workplace. Passing the exam requires a score of 300 out of 500 possible points.

 

NEW QUESTION # 63
What was the original purpose of the Foreign Intelligence Surveillance Act?

  • A. To further define what information can reasonably be under surveillance in public places under the USA PATRIOT Act, such as Internet access in public libraries.
  • B. To further clarify when a warrant is not required for a wiretap performed internally by the telephone company outside the suspect's home, stemming from the Olmstead v. United States decision.
  • C. To further clarify a reasonable expectation of privacy stemming from the Katz v. United States decision.
  • D. To further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution.

Answer: D


NEW QUESTION # 64
Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.
Because it is a HIPPA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S.
Department of Health and Human Services about the breach.
Which statement accurately describes SMH's notification responsibilities?

  • A. If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.
  • B. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.
  • C. If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.
  • D. If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate notification to individuals in the state of New York.

Answer: B

Explanation:
The correct answer is C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York. Under the Health Insurance Portability and Accountability Act (HIPAA), SMH is required to notify the Office of Civil Rights (OCR) and the affected individuals of a data breach involving unsecured protected health information (PHI) within 60 days of discovery1. However, HIPAA does not preempt state laws that provide greater protection to individuals or impose additional obligations on covered entities2. Therefore, SMH must also comply with the state breach notification laws of the states where it operates, including New York.
According to the New York State Information Security Breach and Notification Act, any person or business that owns or licenses computerized data that includes private information of a resident of New York must disclose any breach of the security of the system to such resident in the most expedient time possible and without unreasonable delay, unless the exposure of the private information was inadvertent and unlikely to result in misuse or financial harm3. Private information includes personal information (such as name, number, or other identifier) plus one or more of the following data elements: social security number; driver's license number or non-driver identification card number; account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account; biometric information; or a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account3.
Therefore, if SMH's data breach involved any of these data elements of New York residents, SMH must notify them of the breach, regardless of whether SMH is compliant with HIPAA, has more than 500 patients in New York, or offers credit monitoring services. SMH must also notify the New York Attorney General, the Department of State, and the Division of State Police within 10 days of notifying the affected individuals3. Additionally, SMH must notify the New York Department of Health if the breach involved electronic health records4.
References: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-on-Managing-and- Notifying-Data-Breaches-under-the-PDPA-15-Mar-2021.pdf?la=en
https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_note_dbn_e.pdf


NEW QUESTION # 65
According to FERPA, when can a school disclose records without a student's consent?

  • A. If the disclosure is to practitioners who are involved in a student's health care
  • B. If the disclosure would not reveal a student's student identification number
  • C. If the disclosure is to provide transcripts to a school where a student intends to enroll
  • D. If the disclosure is not to be conducted through email to the third party

Answer: C

Explanation:
According to FERPA, a school may disclose personally identifiable information (PII) from an eligible student's education records without consent if the disclosure meets one of the exceptions in 34 CFR § 99.31.
One of these exceptions is for disclosures to other schools to which a student seeks or intends to enroll, or is already enrolled if the disclosure is for purposes related to the student's enrollment or transfer (34 CFR §
99.31(a)(2)). This exception allows schools to disclose transcripts, recommendations, or other information that may facilitate the student's admission or enrollment at another school. However, the school must make a reasonable attempt to notify the student of the disclosure, unless the student initiated the disclosure, and must provide the student with a copy of the records that were disclosed upon request (34 CFR §
99.34(a)(1)). References: https://studentprivacy.ed.gov/ferpa
https://studentprivacy.ed.gov/ferpa


NEW QUESTION # 66
SCENARIO
Please use the following to answer the next QUESTION:
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.
He was also curious about the hospital's use of a billing company. He Questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.
On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.
Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan's day ended with many Questions, he was pleased about his new position.
How can the radiology department address Declan's concern about paper waste and still comply with the Health Insurance Portability and Accountability Act (HIPAA)?

  • A. State the privacy policy to the patient verbally
  • B. Direct patients to the correct area of the hospital website
  • C. Confirm that patients are given the privacy notice on their first visit Section: (none) Explanation
  • D. Post the privacy notice in a prominent location instead

Answer: B


NEW QUESTION # 67
What consumer protection did the Fair and Accurate Credit Transactions Act (FACTA) require?

  • A. The ability for the consumer to correct inaccurate credit report information
  • B. Consumer notice when third-party data is used to make an adverse decision
  • C. The right to request removal from e-mail lists
  • D. The truncation of account numbers on credit card receipts

Answer: D

Explanation:
The Fair and Accurate Credit Transactions Act (FACTA) is an amendment to the Fair Credit Reporting Act (FCRA) that was enacted in 2003. FACTA aims to enhance consumer protection against identity theft and fraud by requiring various measures, such as free annual credit reports, fraud alerts, and identity theft prevention programs. One of the consumer protections that FACTA requires is the truncation of account numbers on credit card receipts. This means that only the last four or five digits of the account number can be printed on the receipt, while the rest must be masked or deleted. This reduces the risk of unauthorized access or use of the account number by third parties who may obtain the receipt. References:
* IAPP CIPP/US Body of Knowledge, Section III, B, 1
* [IAPP CIPP/US Study Guide, Chapter 3, Section 3.2]
* [FACTA, Section 113]


NEW QUESTION # 68
Which of the following best describes what a "private right of action" is?

  • A. The right of individuals harmed by a violation of a law to file a lawsuit against the violation.
  • B. The right of individuals harmed by data processing to have their information deleted.
  • C. The right of individuals to submit a request to access their information.
  • D. The right of individuals to keep their information private.

Answer: A


NEW QUESTION # 69
SCENARIO
Please use the following to answer the next QUESTION
Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S.
and Asia. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.
Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station's network and was able to steal data relating to employees in the company's Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.
The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.
The Board has asked Otto whether the company will need to comply with the new California Consumer Privacy Law (CCPA). What should Otto tell the Board?

  • A. That business contact information could be considered personal information governed by CCPA.
  • B. That the company is governed by CCPA, but does not need to take any additional steps because it follows CPBR.
  • C. That CCPA only applies to companies based in California, which exempts the company from compliance.
  • D. That CCPA will apply to the company only after the California Attorney General determines that it will enforce the statute.

Answer: A

Explanation:
The CCPA applies to any business that collects personal information of California residents, regardless of where the business is located1. The CCPA defines personal information broadly as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household2. This could include business contact information, such as name, email address, phone number, or job title, if it is linked to a specific individual3. Therefore, Otto should tell the Board that business contact information could be considered personal information governed by CCPA, and that the company may need to comply with the CCPA requirements, such as providing notice, honoring consumer rights requests, and implementing reasonable security measures4. References:
* CIPP/US Practice Questions (Sample Questions), Question 124, Answer C, Explanation C.
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6, Section 6.2, p.
181-182.
* California Consumer Privacy Act (CCPA), Section 1798.140, Subsection (o).
* CCPA Compliance Checklist for Businesses, Section 2, Subsection (a).


NEW QUESTION # 70
In 2014, Google was alleged to have violated the Family Educational Rights and Privacy Act (FERPA) through its Apps for Education suite of tools. For what specific practice did students sue the company?

  • A. Making student education records publicly available
  • B. Disclosing education records without obtaining required consent
  • C. Relying on verbal consent for a disclosure of education records
  • D. Scanning emails sent to and received by students

Answer: D

Explanation:
The lawsuit, filed in 2014, claimed that Google violated the federal and state wiretap and privacy laws by scanning and indexing the emails of millions of students who used its Apps for Education suite, which included Gmail as a key feature. The plaintiffs alleged that Google used the information from the scans to build profiles of students that could be used for targeted advertising or other commercial purposes, without their consent or knowledge. The lawsuit also challenged Google's argument that the students consented to the scans when they first logged in to their accounts, saying that such consent was not valid under FERPA, which requires written consent for any disclosure of education records. Google denied the allegations and argued that the scans were necessary for providing security, spam protection, and other functionality to the users. The case was settled in 2016, with Google agreeing to change some of its practices and policies regarding the scanning of student emails.


NEW QUESTION # 71
What was the original purpose of the Federal Trade Commission Act?

  • A. To ensure privacy rights of U.S. citizens
  • B. To enforce antitrust laws
  • C. To negotiate consent decrees with companies violating personal privacy
  • D. To protect consumers

Answer: B

Explanation:
The Federal Trade Commission Act (FTCA) was adopted in 1914 as part of the Progressive Era reforms that aimed to curb the power and influence of monopolies and trusts in the U.S. economy. The FTCA created the Federal Trade Commission (FTC) as an independent agency to investigate and prevent unfairmethods of competition and unfair or deceptive acts or practices in or affecting commerce. The FTCA also gave the FTC the authority to issue cease and desist orders, seek injunctions, and impose civil penalties for violations of the law. The FTCA was intended to complement and supplement the existing antitrust laws, such as the Sherman Act and the Clayton Act, that prohibited restraints of trade, price-fixing, mergers, and other anticompetitive conduct.
The other options are not correct, because:
* The FTCA did not explicitly address privacy rights of U.S. citizens, although the FTC later used its authority under the FTCA to enforce against unfair or deceptive privacy practices, such as making false or misleading claims, failing to disclose material information, or violating consumers' choices or expectations regarding their personal data.
* The FTCA did not specifically focus on consumer protection, although the FTC later expanded its scope to include consumer protection issues, such as advertising and marketing, credit and finance, privacy and security, and consumer education. The FTC also enforced other consumer protection laws, such as the Truth in Lending Act, the Fair Credit Reporting Act, the Children's Online Privacy Protection Act, and the CAN-SPAM Act.
* The FTCA did not authorize the FTC to negotiate consent decrees with companies violating personal privacy, although the FTC later used consent decrees as a common tool to settle privacy cases and impose remedial measures, such as audits, reports, and compliance programs. Consent decrees are agreements between the FTC and the parties involved in a case that resolve the FTC's charges without admitting liability or wrongdoing.
References:
* FTC website, Federal Trade Commission Act
* Britannica website, Federal Trade Commission Act (FTCA)
* IAPP CIPP/US Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, pp. 11-12
* IAPP website, Federal Trade Commission Act, Section 5 of


NEW QUESTION # 72
The FTC often negotiates consent decrees with companies found to be in violation of privacy principles. How does this benefit both parties involved?

  • A. It avoids potentially harmful publicity.
  • B. It spares the expense of going to trial.
  • C. It standardizes the amount of fines.
  • D. It simplifies the audit requirements.

Answer: A


NEW QUESTION # 73
SCENARIO
Please use the following to answer the next question:
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop. "Doing your network?" Matt asked hopefully.
"No," the boy said. "I'm filling out a survey."
Matt looked over his son's shoulder at his computer screen. "What kind of survey?" "It's asking Questio ns about my opinions."
"Let me see," Matt said, and began reading the list of Questio ns that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd.
You're only ten."
Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer Questions about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
Based on the incident, the FTC's enforcement actions against the marketer would most likely include what violation?

  • A. Collecting information from a child under the age of thirteen.
  • B. Intruding upon the privacy of a family with young children.
  • C. Disregarding the privacy policy of the children's marketing industry.
  • D. Failing to notify of a breach of children's private information.

Answer: A

Explanation:
Based on the incident, the FTC's enforcement actions against the marketer would most likely include the violation of collecting information from a child under the age of thirteen without obtaining verifiable parental consent, as required by the Children's Online Privacy Protection Act (COPPA) Rule. The COPPA Rule applies to operators of commercial websites and online services (including mobile apps) that collect, use, or disclose personal information from children under 13, and operators of general audience websites or online services that have actual knowledge that they are collecting, using, or disclosing personal information from children under .
The COPPA Rule also applies to websites or online services that are directed to children under
13 and that collect personal information from users of any age. The COPPA Rule defines personal information to include full name, address, phone number, email address, date of birth, and other identifiers that permit the physical or online contacting of a specific individual. The COPPA Rule requires operators to post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children; provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children; give parents the choice of consenting to the operator's collection and internal use of a child's information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents); provide parents access to their child's personal information to review and/or have the information deleted; give parents the opportunity to prevent further use or online collection of a child's personal information; maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use. The FTC has the authority to seek civil penalties and injunctive relief for violations of the COPPA Rule. The FTC has brought numerous enforcement actions against operators for violating the COPPA Rule, resulting in millions of dollars in penalties and orders to delete illegally collected data.


NEW QUESTION # 74
Which of the following federal agencies does NOT enforce the Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA)?

  • A. The Federal Trade Commission
  • B. The Department of Health and Human Services
  • C. The Office of the Comptroller of the Currency
  • D. The Consumer Financial Protection Bureau

Answer: B

Explanation:
* The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA) is a federal regulation that requires any person or entity that maintains or possesses consumer information derived from consumer reports to dispose of such information in a secure and proper manner1.
* The Disposal Rule aims to protect consumers from identity theft and fraud by preventing unauthorized access to or use of their personal information1.
* The Disposal Rule is enforced by several federal agencies, depending on the type and sector of the entity that is subject to the rule1. These agencies include:
* The Federal Trade Commission (FTC), which has general authority over most entities that are not specifically regulated by other agencies2.
* The Consumer Financial Protection Bureau (CFPB), which has authority over consumer financial products and services, such as banks, credit unions, lenders, debt collectors, and credit reporting agencies3.
* The Office of the Comptroller of the Currency (OCC), which has authority over national banks and federal savings associations4.
* The Federal Deposit Insurance Corporation (FDIC), which has authority over state-chartered banks that are not members of the Federal Reserve System and state-chartered savings associations5.
* The Board of Governors of the Federal Reserve System (FRB), which has authority over state-chartered banks that are members of the Federal Reserve System, bank holding companies, and certain nonbank subsidiaries of bank holding companies.
* The National Credit Union Administration (NCUA), which has authority over federally insured credit unions.
* The Securities and Exchange Commission (SEC), which has authority over brokers, dealers, investment companies, and investment advisers.
* The Commodity Futures Trading Commission (CFTC), which has authority over commodity futures and options markets and intermediaries.
* The Department of Health and Human Services (HHS) is NOT one of the federal agencies that enforces the Disposal Rule under FACTA. HHS has authority over health information privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), but not under FACTA.
References: 1: Disposing of Consumer Report Information? Rule Tells How 2: FTC Enforcement 3: CFPB Enforcement 4: OCC Enforcement 5: FDIC Enforcement : [FRB Enforcement] : [NCUA Enforcement] : [SEC Enforcement] : [CFTC Enforcement] : [HHS Enforcement]


NEW QUESTION # 75
Which is an exception to the general prohibitions on telephone monitoring that exist under the U.S. Wiretap Act?

  • A. Ordinary course of business exception
  • B. Call center exception
  • C. Inter-company communications exception
  • D. Internet calls exception

Answer: A

Explanation:
The U.S. Wiretap Act prohibits the interception and disclosure of wire, oral, or electronic communications, unless one of the statutory exceptions applies. One of these exceptions is the ordinary course of business exception, which allows an employer or service provider to intercept communications that are made in the ordinary course of its business, such as for quality control, training, or security purposes. This exception does not apply to communications that are not related to the business, such as personal calls or emails, or to communications that are intercepted for other reasons, such as harassment, discrimination, or retaliation. The scope and applicability of this exception may vary depending on the context, the consent of the parties, and the state law. The other options are not valid exceptions under the Wiretap Act. References: 1, 2, 3, 4


NEW QUESTION # 76
Although an employer may have a strong incentive or legal obligation to monitor employees' conduct or behavior, some excessive monitoring may be considered an intrusion on employees' privacy? Which of the following is the strongest example of excessive monitoring by the employer?

  • A. An employer who records all employee phone calls that involve financial transactions with customers completed over the phone.
  • B. An employer who installs data loss prevention software on all employee computers to limit transmission of confidential company information.
  • C. An employer who installs video monitors in physical locations, such as a changing room, to reduce the risk of sexual harassment.
  • D. An employer who installs a video monitor in physical locations, such as a warehouse, to ensure employees are performing tasks in a safe manner and environment.

Answer: C

Explanation:
The strongest example of excessive monitoring by the employer is C. An employer who installs video monitors in physical locations, such as a changing room, to reduce the risk of sexual harassment. This would be considered an unreasonable invasion of employees' privacy, as it would violate their legitimate expectation of privacy in a place where they change their clothes.
Such monitoring would also likely violate the Electronic Communications Privacy Act (ECPA), which prohibits the interception of oral communications without consent or authorization.
Moreover, such monitoring would not be justified by a legitimate business interest, as there are less intrusive ways to prevent or address sexual harassment, such as policies, training, and reporting mechanisms.


NEW QUESTION # 77
Due to cookie deprecation, businesses will be required to simplify their tracking practices by doing what?

  • A. Running analytics only in dedicated sandboxes
  • B. Deleting their existing data sets of any third-party cookies
  • C. Ensuring only registered users are tracked.
  • D. Purging existing IDs that identify visitors by browser.

Answer: B

Explanation:
With the impending deprecation of third-party cookies, businesses must simplify their tracking practices and shift to more privacy-conscious technologies. Third-party cookies are being phased out by major web browsers, such as Google Chrome, to improve user privacy and reduce cross- site tracking.
One of the most critical actions businesses need to take is deleting existing data sets of third- party cookies, as they will soon become obsolete. This action ensures compliance with emerging privacy standards and helps organizations transition to alternative methods of tracking, such as first-party data collection or consent-based tracking mechanisms.


NEW QUESTION # 78
SCENARIO
Please use the following to answer the next QUESTION:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data.
However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as aresult of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
Of the safeguards required by the HIPAA Security Rule, which of the following is NOT at issue due to HealthCo's actions?

  • A. Technical Safeguards
  • B. Administrative Safeguards
  • C. Security Safeguards
  • D. Physical Safeguards

Answer: C

Explanation:
The HIPAA Security Rule requires covered entities and their business associates to implement three types of safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI): administrative, physical, and technical1. Security safeguards is not a separate category of safeguards, but rather a general term that encompasses all three types. Therefore, it is not a correct answer to the question.
* Administrative safeguards are the policies and procedures that govern the conduct of the workforce and the security measures put in place to protect ePHI. They include risk analysis and management, training, contingency planning, incident response, and evaluation12.
* Physical safeguards are the locks, doors, cameras, and other physical measures that prevent unauthorized access to ePHI. They include workstation and device security, locks and keys, and disposal of media12.
* Technical safeguards are the software and hardware tools that protect ePHI from unauthorized access, alteration, or destruction. They include access control, encryption, audit controls, integrity controls, and transmission security12.
In the scenario, HealthCo's actions have potentially violated all three types of safeguards. For example:
* HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures. This could be a breach of the administrative safeguard of risk analysis and management12.
* HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. This could be a breach of the technical safeguard of encryption12.
* HealthCo provides its investigative report of the breach and a copy of the PHI of the individuals affected to law enforcement. This could be a breach of the physical safeguard of disposal of media, if HealthCo did not ensure that the media was properly erased or destroyed after the transfer12.
References: 1: Summary of the HIPAA Security Rule, HHS.gov. 2: What is the HIPAA Security Rule?
Safeguards ... - Secureframe, Secureframe.com.


NEW QUESTION # 79
SCENARIO
Please use the following to answer the next QUESTION:
Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state's Do Not Call list, as well as the people on it. "If they were really serious about not being bothered," Evan said, "They'd be on the national DNC list. That's the only one we're required to follow. At SunriseLynx, we call until they ask us not to." Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call "another time." This, to Larry, is a clear indication that they don't want to be called at all. Evan doesn't see it that way.
Larry believes that Evan's arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social medi a. However, following Evan's political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.
Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though this name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan's leadership.
Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker's belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.
Larry wants to take action, but is uncertain how to proceed.
In what area does Larry have a misconception about private-sector employee rights?

  • A. The enforceability of local law
  • B. The definition of tort law
  • C. The applicability of federal law
  • D. The strict nature of state law

Answer: C


NEW QUESTION # 80
Which of the following became the first state to pass a law specifically regulating the collection of biometric data?

  • A. Washington.
  • B. Illinois.
  • C. California.
  • D. Texas.

Answer: B

Explanation:
Illinois became the first state to pass a law specifically regulating the collection of biometric data in 2008, when it enacted the Biometric Information Privacy Act (BIPA). BIPA defines biometric identifiers as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and biometric information as any information based on biometric identifiers used to identify an individual. BIPA requires entities that collect, store, or use biometric identifiers or information to obtain informed consent from individuals, provide written policies on data retention and destruction, limit disclosure and sale of biometric data, and protect biometric data using reasonable security measures. BIPA also provides a private right of action for individuals whose biometric data is collected, stored, or used in violation of the law, and allows them to recover statutory damages of $1,000 or actual damages, whichever is greater, for each negligent violation, and $5,000 or actual damages, whichever is greater, for each intentional or reckless violation, as well as attorneys' fees and costs, and injunctive relief. References: U.S. Biometrics Laws Part I: An Overview of 2020, Is Biometric Information Protected by Privacy Laws?, Biometric Data Privacy Laws


NEW QUESTION # 81
Under the Driver's Privacy Protection Act (DPPA), which of the following parties would require consent of an individual in order to obtain his or her Department of Motor Vehicle information?

  • A. Insurance companies needing to investigate claims.
  • B. Attorneys gathering information related to lawsuits.
  • C. Marketers wishing to distribute bulk materials.
  • D. Law enforcement agencies performing investigations.

Answer: C

Explanation:
The Driver's Privacy Protection Act (DPPA) is a federal law that regulates the disclosure of personal information obtained by state departments of motor vehicles (DMVs). The DPPA prohibits DMVs and other entities that receive such information from DMVs from disclosing it to anyone without the express consent of the individual to whom the information pertains, unless the disclosure falls under one of the 14 exceptions listed in the statute.
Some of the exceptions that allow disclosure of personal information from DMV records without consent are:
* For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a government agency in carrying out its functions.
* For use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; performance monitoring of motor vehicles, motor vehicle parts and dealers; motor vehicle market research activities, including survey research; and removal of non-owner records from the original owner records of motor vehicle manufacturers.
* For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only to verify the accuracy of personal information submitted by the individual to the business or its agents, employees, or contractors; and if such information as so submitted is not correct or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against, the individual.
* For use in connection with any civil, criminal, administrative, or arbitral proceeding in any federal, state, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a federal, state, or local court.
* For use in research activities, and for use in producing statistical reports, so long as the personal information is not published, redisclosed, or used to contact individuals.
* For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting.
* For use in providing notice to the owners of towed or impounded vehicles.
* For use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.
* For use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver's license that is required under chapter 313 of title 49.
* For use in connection with the operation of private toll transportation facilities.
* For any other use specifically authorized under the law of the state that holds the record, if such use is related to the operation of a motor vehicle or public safety.
None of the exceptions above apply to the use of personal information from DMV records by marketers wishing to distribute bulk materials. Therefore, such use would require the consent of the individual to whom the information pertains, according to the DPPA. Hence, option D is the correct answer.
Option A is incorrect, as law enforcement agencies performing investigations are exempt from the consent requirement under the first exception.
Option B is incorrect, as insurance companies needing to investigate claims are exempt from the consent requirement under the sixth exception.
Option C is incorrect, as attorneys gathering information related to lawsuits are exempt from the consent requirement under the fourth exception.
References:
* [IAPP CIPP/US Study Guide], Chapter 8: Federal Privacy Laws, pp. 181-182.
* CIPP/US Practice Questions (Sample Questions), Question 31.


NEW QUESTION # 82
SCENARIO
Please use the following to answer the next question:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in statea.
HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo.
CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals ?ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
What is the most significant reason that the U.S. Department of Health and Human Services (HHS) might impose a penalty on HealthCo?

  • A. Because CloudHealth violated its contract with HealthCo by not encrypting the ePHI
  • B. Because HealthCo did not conduct due diligence to verify or monitor CloudHealth's security measures
  • C. Because HIPAA requires the imposition of a fine if a data breach of this magnitude has occurred
  • D. Because HealthCo did not require CloudHealth to implement appropriate physical and administrative measures to safeguard the ePHI

Answer: B

Explanation:
According to the HIPAA Security Rule, covered entities are responsible for ensuring that their business associates comply with the security standards and safeguards required by the rule. This includes conducting due diligence to assess the business associate's security capabilities and practices, and monitoring their performance and compliance. Failure to do so may result in a violation of the rule and a penalty by the HHS. In this scenario, HealthCo did not perform due diligence on CloudHealth before entering the contract, and did not conduct audits of CloudHealth's security measures. This is the most significant reason why HHS might impose a penalty on HealthCo, as it indicates a lack of oversight and accountability for the protection of ePHI.


NEW QUESTION # 83
A large online bookseller decides to contract with a vendor to manage Personal Information (PI). What is the least important factor for the company to consider when selecting the vendor?

  • A. The vendor's employee retention rates
  • B. The vendor's employee training program
  • C. The vendor's financial health
  • D. The vendor's reputation

Answer: A

Explanation:
When selecting a vendor to manage personal information, the company should consider various criteria, such as the vendor's reputation, financial health, employee training program, privacy policies, security practices, compliance record, contractual terms, and service quality. However, the vendor's employee retention rates may not be as important as the other factors, as they do not directly affect the vendor's ability to protect and process the personal information entrusted to them. While high employee turnover may indicate some issues with the vendor's management or culture, it may not necessarily impact the vendor's performance or reliability, as long as the vendor has adequate measures to ensure continuity, accountability, and confidentiality of the personal information they handle. References:
* Vendor Selection Process: a Step-by-Step Guide, section "Step 2: Define the vendor selection criteria"
* [IAPP CIPP/US Study Guide], p. 81-82, section 3.4.1
* [IAPP CIPP/US Body of Knowledge], p. 18-19, section C.2.a


NEW QUESTION # 84
......

Regular Free Updates CIPP-US Dumps Real Exam Questions Test Engine: https://practicetorrent.exam4pdf.com/CIPP-US-dumps-torrent.html