Free Access to IAPP.CIPP-US.v2024-04-26.q101 with Valid Practice Test (Page 2)

Question 1

Acme Student Loan Company has developed an artificial intelligence algorithm that determines whether an individual is likely to pay their bill or default. A person who is determined by the algorithm to be more likely to default will receive frequent payment reminder calls, while those who are less likely to default will not receive payment reminders.
Which of the following most accurately reflects the privacy concerns with Acme Student Loan Company using artificial intelligence in this manner?

A.If the algorithm's methodology is disclosed to consumers, then it is acceptable for Acme to have a disparate impact on protected classes.
B.If the algorithm makes automated decisions based on risk factors and public information, Acme need not determine if the algorithm has a disparate impact on protected classes.
C.If the algorithm uses risk factors that impact the automatic decision engine. Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.
D.If the algorithm uses information about protected classes to make automated decisions, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.

Question 2

Once a breach has been definitively established, which task should be prioritized next?

A.Involving law enforcement and state Attorneys General.
B.Determining what was responsible for the breach and neutralizing the threat.
C.Providing notice to the affected parties so they can take precautionary measures.
D.Implementing remedial measures and evaluating how to prevent future breaches.

Question 3

Which of the following state laws has an entity exemption for organizations subject to the Gramm-Leach-Bliley Act (GLBA)?

A.Nevada Privacy Law.
B.California Privacy Rights Act.
C.California Consumer Privacy Act.
D.Virginia Consumer Data Protection Act

Correct Answer: B

The Virginia Consumer Data Protection Act (VCDPA) is a state law that provides comprehensive privacy rights and obligations for consumers and businesses in Virginia. The VCDPA applies to any entity that conducts business in Virginia or produces products or services that are targeted to residents of Virginia and that either: (a) controls or processes personal data of at least 100,000 consumers; or (b) controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data. However, the VCDPA also provides several exemptions for certain types of entities and data, including an entity exemption for financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA). This means that organizations that are regulated by the GLBA are not subject to the VCDPA, regardless of the type or source of data they collect or process. The GLBA is a federal law that regulates the collection, use, and disclosure of personal financial information by financial institutions and their affiliates. The GLBA applies to any business that is significantly engaged in financial activities, such as banks, credit unions, securities firms, insurance companies, and certain fintech companies. The GLBA requires financial institutions to provide notice and choice to consumers about their privacy practices, to safeguard the security and confidentiality of consumer information, and to limit the sharing of consumer information with third parties. The GLBA also preempts state laws only to the extent that they are inconsistent with the GLBA, unless the state law provides greater protection to consumers.
The other state laws listed in the question do not have an entity exemption for organizations subject to the GLBA, but they may have partial or data exemptions for certain types of information that are regulated by the GLBA. For example, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are state laws that provide comprehensive privacy rights and obligations for consumers and businesses in California. The CCPA and the CPRA apply to any business that collects or sells the personal information of California residents and that meets one or more of the following thresholds: (a) has annual gross revenues in excess of $25 million; (b) alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or derives 50% or more of its annual revenues from selling consumers' personal information. However, the CCPA and the CPRA also provide several exemptions for certain types of entities and data, including a data exemption for personal information collected, processed, sold, or disclosed pursuant to the GLBA, if it is in conflict with the GLBA. This means that information that is subject to the GLBA is exempt from the privacy requirements of the CCPA and the CPRA, but not from the data breach liability provisions. The CCPA and the CPRA do not exempt financial institutions or other entities that are regulated by the GLBA from their scope, unless they only collect or process information that is subject to the GLBA.
The Nevada Privacy Law is a state law that provides privacy rights and obligations for consumers and operators of websites or online services in Nevada. The Nevada Privacy Law applies to any person who owns or operates an Internet website or online service for commercial purposes that collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service.
Covered information includes any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form: (a) a first and last name; (b) a home or other physical address which includes the name of a street and the name of a city or town; an electronic mail address; (d) a telephone number; (e) a social security number; (f) an identifier that allows a specific person to be contacted either physically or online; or (g) any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable. However, the Nevada Privacy Law also provides several exemptions for certain types of entities and data, including a data exemption for any data that is subject to the GLBA. This means that information that is regulated by the GLBA is exempt from the Nevada Privacy Law, regardless of the type or source of data. The Nevada Privacy Law does not exempt financial institutions or other entities that are subject to the GLBA from its scope, unless they only collect or process information that is subject to the GLBA. References:
* VCDPA, Section 59.1-572 (A) (1)
* GLBA, 15 U.S.C. § 6801 et seq.
* CCPA, Section 1798.145 (e)
* CPRA, Section 1798.121
* Nevada Privacy Law, Section 603A.340 (1) (a)

Question 4

Even when dealing with an organization subject to the CCPA, California residents are NOT legally entitled to request that the organization do what?

A.Delete their personal information.
B.Correct their personal information.
C.Disclose their personal information to them.
D.Refrain from selling their personal information to third parties.

Question 5

SCENARIO
Please use the following to answer the next QUESTION:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data.
However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as aresult of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
Of the safeguards required by the HIPAA Security Rule, which of the following is NOT at issue due to HealthCo's actions?

A.Administrative Safeguards
B.Technical Safeguards
C.Physical Safeguards
D.Security Safeguards

Correct Answer: D

The HIPAA Security Rule requires covered entities and their business associates to implement three types of safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI): administrative, physical, and technical1. Security safeguards is not a separate category of safeguards, but rather a general term that encompasses all three types. Therefore, it is not a correct answer to the question.
* Administrative safeguards are the policies and procedures that govern the conduct of the workforce and the security measures put in place to protect ePHI. They include risk analysis and management, training, contingency planning, incident response, and evaluation12.
* Physical safeguards are the locks, doors, cameras, and other physical measures that prevent unauthorized access to ePHI. They include workstation and device security, locks and keys, and disposal of media12.
* Technical safeguards are the software and hardware tools that protect ePHI from unauthorized access, alteration, or destruction. They include access control, encryption, audit controls, integrity controls, and transmission security12.
In the scenario, HealthCo's actions have potentially violated all three types of safeguards. For example:
* HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures. This could be a breach of the administrative safeguard of risk analysis and management12.
* HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. This could be a breach of the technical safeguard of encryption12.
* HealthCo provides its investigative report of the breach and a copy of the PHI of the individuals affected to law enforcement. This could be a breach of the physical safeguard of disposal of media, if HealthCo did not ensure that the media was properly erased or destroyed after the transfer12.
References: 1: Summary of the HIPAA Security Rule, HHS.gov. 2: What is the HIPAA Security Rule?
Safeguards ... - Secureframe, Secureframe.com.

Question 1

Question 2

Question 3

Question 4

Question 5

Download PDF File