Free Access to IAPP.CIPP-US.v2024-04-26.q101 with Valid Practice Test (Page 14)

Question 61

The Family Educational Rights and Privacy Act (FERPA) requires schools to do all of the following EXCEPT?

A.Provide students with access to their records within a specified amount of time.
B.Respond to all reasonable student requests regarding explanation of their records.
C.Obtain student authorization before releasing directory information in their records.
D.Verify the identity of students who make requests for access to their records.

Question 62

What is an exception to the Electronic Communications Privacy Act of 1986 ban on interception of wire, oral and electronic communications?

A.Where one of the parties has given consent
B.Where state law permits such interception
C.If an organization intercepts an employee's purely personal call
D.Only if all parties have given consent

Question 63

What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

A.A consent decree
B.Stare decisis decree
C.A judgment rider
D.Common law judgment

Question 64

SCENARIO
Please use the following to answer the next QUESTION
Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S.
and Asia. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.
Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station's network and was able to steal data relating to employees in the company's Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.
The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.
The Board has asked Otto whether the company will need to comply with the new California Consumer Privacy Law (CCPA). What should Otto tell the Board?

A.That CCPA will apply to the company only after the California Attorney General determines that it will enforce the statute.
B.That the company is governed by CCPA, but does not need to take any additional steps because it follows CPBR.
C.That business contact information could be considered personal information governed by CCPA.
D.That CCPA only applies to companies based in California, which exempts the company from compliance.

Question 65

Which of the following statements is most accurate in regard to data breach notifications under federal and state laws:

A.You must notify the Federal Trade Commission (FTC) in addition to affected individuals if over 500 individuals are receiving notice.
B.When providing an individual with required notice of a data breach, you must identify what personal information was actually or likely compromised.
C.When you are required to provide an individual with notice of a data breach under any state's law, you must provide the individual with an offer for free credit monitoring.
D.The only obligations to provide data breach notification are under state law because currently there is no federal law or regulation requiring notice for the breach of personal information.

Correct Answer: D

Data breach notification laws in the United States vary by state and territory, and there is no comprehensive federal law that applies to all types of personal information. Some federal laws, such as HIPAA, GLBA, and the FDIC rule, impose data breach notification requirements for specific industries or sectors, but they do not cover all types of personal information or all entities that collect, store, or process such information. Therefore, the only obligations to provide data breach notification for the breach of personal information are under state law, unless a specific federal law applies to the entity or the information involved. The other statements are incorrect because:
* A. You do not have to notify the FTC in addition to affected individuals if over 500 individuals are receiving notice, unless you are a health care entity subject to HIPAA, in which case you have to notify the Department of Health and Human Services (HHS) within 60 days of the breach.
* B. When providing an individual with required notice of a data breach, you do not have to identify what personal information was actually or likely compromised, unless the state law requires you to do so.
Some states, such as California, require the notice to include the types of personal information that were or are reasonably believed to have been the subject of the breach, while others, such as Alabama, do not specify the content of the notice.
* C. When you are required to provide an individual with notice of a data breach under any state's law, you do not have to provide the individual with an offer for free credit monitoring, unless the state law requires you to do so. Some states, such as Connecticut, require the offer of appropriate identity theft prevention and mitigation services for at least 12 months, while others, such as Arizona, do not impose such a requirement. References: Data Breach Notification in the United States and Territories, Data Breach Notification Laws in the United States: What is Required and How is that Determined?, US State Data Breach Notification Law Matrix, Breach Notification in United States, Data Breach Notification Laws: How to Manufacture a Confident Response

Question 61

Question 62

Question 63

Question 64

Question 65

Download PDF File