Weekend Special - 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: av54zq84

Exact2Pass Menu

Question # 4

Which of the following accurately describes the purpose of a particular federal enforcement agency?

A.

The National Institute of Standards and Technology (NIST) has established mandatory privacy standards that can then be enforced against all for-profit organizations by the Department of Justice (DOJ).

B.

The Cybersecurity and Infrastructure Security Agency (CISA) is authorized to bring civil enforcement actions against organizations whose website or other online service fails to adequately secure personal information.

C.

The Federal Communications Commission (FCC) regulates privacy practices on the internet and enforces violations relating to websites’ posted privacy disclosures.

D.

The Federal Trade Commission (FTC) is typically recognized as having the broadest authority under the FTC Act to address unfair or deceptive privacy practices.

Full Access
Question # 5

What is the most important action an organization can take to comply with the FTC position on retroactive changes to a privacy policy?

A.

Describing the policy changes on its website.

B.

Obtaining affirmative consent from its customers.

C.

Publicizing the policy changes through social media.

D.

Reassuring customers of the security of their information.

Full Access
Question # 6

SCENARIO

Please use the following to answer the next QUESTION:

Matt went into his son’s bedroom one evening and found him stretched out on his bed typing on his laptop. “Doing your network?” Matt asked hopefully.

“No,” the boy said. “I’m filling out a survey.”

Matt looked over his son’s shoulder at his computer screen. “What kind of survey?” “It’s asking Questions about my opinions.”

“Let me see,” Matt said, and began reading the list of Questions that his son had already answered. “It’s asking your opinions about the government and citizenship. That’s a little odd. You’re only ten.”

Matt wondered how the web link to the survey had ended up in his son’s email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.

To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer Questions about his favorite games and toys.

Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son’s inbox, and he decided it was time to report the incident to the proper authorities.

How could the marketer have best changed its privacy management program to meet COPPA “Safe Harbor” requirements?

A.

By receiving FTC approval for the content of its emails

B.

By making a COPPA privacy notice available on website

C.

By participating in an approved self-regulatory program

D.

By regularly assessing the security risks to consumer privacy

Full Access
Question # 7

SCENARIO

Please use the following to answer the next QUESTION

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants’ postings on social media, ask QUESTION NO:s about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle’s GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia’s concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it’s unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense – like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she’s right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.

Based on Felicia’s Bring Your Own Device (BYOD) plan, the business consultant will most likely advise Felicia and Celeste to do what?

A.

Reconsider the plan in favor of a policy of dedicated work devices.

B.

Adopt the same kind of monitoring policies used for work-issued devices.

C.

Weigh any productivity benefits of the plan against the risk of privacy issues.

D.

Make employment decisions based on those willing to consent to the plan in writing.

Full Access
Question # 8

Sarah lives in San Francisco, California. Based on a dramatic increase in unsolicited commercial emails, Sarah believes that a major social media platform with over 50 million users has collected a lot of personal information about her. The company that runs the platform is based in New York and France.

Why is Sarah entitled to ask the social media platform to delete the personal information they have collected about her?

A.

Any company with a presence in Europe must comply with the General Data Protection Regulation globally, including in response to data subject deletion requests.

B.

Under Section 5 of the FTC Act, the Federal Trade Commission has held that refusing to delete an individual’s personal information upon request constitutes an unfair practice.

C.

The California Consumer Privacy Act entitles Sarah to request deletion of her personal information.

D.

The New York “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act requires that businesses under New York’s jurisdiction must delete customers’ personal information upon request.

Full Access
Question # 9

SCENARIO

Please use the following to answer the next QUESTION:

Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer’s privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.

Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.

After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer’s personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.

Janice understood Cheryl’s concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company’s day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.

Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.

What is the best reason for Cheryl to follow Janice’s suggestion about classifying customer data?

A.

It will help employees stay better organized

B.

It will help the company meet a federal mandate

C.

It will increase the security of customers’ personal information (PI)

D.

It will prevent the company from collecting too much personal information (PI)

Full Access
Question # 10

Which of the following is an example of federal preemption?

A.

The Payment Card Industry’s (PCI) ability to self-regulate and enforce data security standards for payment card data.

B.

The U.S. Federal Trade Commission’s (FTC) ability to enforce against unfair and deceptive trade practices across sectors and industries.

C.

The California Consumer Privacy Act (CCPA) regulating businesses that have no physical brick-and-mortal presence in California, but which do business there.

D.

The U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act prohibiting states from passing laws that impose greater obligations on senders of email marketing.

Full Access
Question # 11

When may a financial institution share consumer information with non-affiliated third parties for marketing purposes?

A.

After disclosing information-sharing practices to customers and after giving them an opportunity to opt in.

B.

After disclosing marketing practices to customers and after giving them an opportunity to opt in.

C.

After disclosing information-sharing practices to customers and after giving them an opportunity to opt out.

D.

After disclosing marketing practices to customers and after giving them an opportunity to opt out.

Full Access
Question # 12

SCENARIO

Please use the following to answer the next QUESTION:

Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer’s privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.

Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.

After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer’s personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.

Janice understood Cheryl’s concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company’s day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.

Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.

What is the main problem with Cheryl’s suggested method of communicating the new privacy policy?

A.

The policy would not be considered valid if not communicated in full.

B.

The policy might not be implemented consistency across departments.

C.

Employees would not be comfortable with a policy that is put into action over time.

D.

Employees might not understand how the documents relate to the policy as a whole.

Full Access
Question # 13

Acme Student Loan Company has developed an artificial intelligence algorithm that determines whether an individual is likely to pay their bill or default. A person who is determined by the algorithm to be more likely to default will receive frequent payment reminder calls, while those who are less likely to default will not receive payment reminders.

Which of the following most accurately reflects the privacy concerns with Acme Student Loan Company using

artificial intelligence in this manner?

A.

If the algorithm uses risk factors that impact the automatic decision engine. Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.

B.

If the algorithm makes automated decisions based on risk factors and public information, Acme need not determine if the algorithm has a disparate impact on protected classes.

C.

If the algorithm’s methodology is disclosed to consumers, then it is acceptable for Acme to have a disparate impact on protected classes.

D.

If the algorithm uses information about protected classes to make automated decisions, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.

Full Access
Question # 14

What is the main challenge financial institutions face when managing user preferences?

A.

Ensuring they are in compliance with numerous complex state and federal privacy laws

B.

Developing a mechanism for opting out that is easy for their consumers to navigate

C.

Ensuring that preferences are applied consistently across channels and platforms

D.

Determining the legal requirements for sharing preferences with their affiliates

Full Access
Question # 15

Based on the 2012 Federal Trade Commission report “Protecting Consumer Privacy in an Era of Rapid Change”, which of the following directives is most important for businesses?

A.

Announcing the tracking of online behavior for advertising purposes.

B.

Integrating privacy protections during product development.

C.

Allowing consumers to opt in before collecting any data.

D.

Mitigating harm to consumers after a security breach.

Full Access
Question # 16

Which venture would be subject to the requirements of Section 5 of the Federal Trade Commission Act?

A.

A local nonprofit charity’s fundraiser

B.

An online merchant’s free shipping offer

C.

A national bank’s no-fee checking promotion

D.

A city bus system’s frequent rider program

Full Access
Question # 17

What information did the Red Flag Program Clarification Act of 2010 add to the original Red Flags rule?

A.

The most common methods of identity theft.

B.

The definition of what constitutes a creditor.

C.

The process for proper disposal of sensitive data.

D.

The components of an identity theft detection program.

Full Access
Question # 18

If an organization maintains data classified as high sensitivity in the same system as data classified as low sensitivity, which of the following is the most likely outcome?

A.

The organization will still be in compliance with most sector-specific privacy and security laws.

B.

The impact of an organizational data breach will be more severe than if the data had been segregated.

C.

Temporary employees will be able to find the data necessary to fulfill their responsibilities.

D.

The organization will be able to address legal discovery requests efficiently without producing more information than necessary.

Full Access
Question # 19

SCENARIO

Please use the following to answer the next QUESTION

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants’ postings on social media, ask QUESTION NO:s about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle’s GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia’s concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it’s unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense – like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she’s right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.

Regarding credit checks of potential employees, Celeste has a misconception regarding what?

A.

Consent requirements.

B.

Disclosure requirements.

C.

Employment-at-will rules.

D.

Records retention policies

Full Access
Question # 20

SCENARIO

Please use the following to answer the next QUESTION:

Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.

Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients’ Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.

On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.

He was also curious about the hospital’s use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients’ care.

On his first day Declan became familiar with all areas of the hospital’s large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.

Despite Declan’s concern about this issue, he was amazed by the hospital’s effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.

Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.

In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.

Although Declan’s day ended with many Questions, he was pleased about his new position.

What is the most likely way that Declan might directly violate the Health Insurance Portability and Accountability Act (HIPAA)?

A.

By being present when patients are checking in

B.

By speaking to a patient without prior authorization

C.

By ignoring the conversation about a potential breach

D.

By following through with his plans for his upcoming paper

Full Access
Question # 21

The Family Educational Rights and Privacy Act (FERPA) requires schools to do all of the following EXCEPT?

A.

Verify the identity of students who make requests for access to their records.

B.

Provide students with access to their records within a specified amount of time.

C.

Respond to all reasonable student requests regarding explanation of their records.

D.

Obtain student authorization before releasing directory information in their records.

Full Access
Question # 22

The “Consumer Privacy Bill of Rights” presented in a 2012 Obama administration report is generally based on?

A.

The 1974 Privacy Act

B.

Common law principles

C.

European Union Directive

D.

Traditional fair information practices

Full Access