CIPP-US Online Practice Questions and Answers

What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

A. A consent decree

B. Stare decisis decree

C. A judgment rider

D. Common law judgment

What is the main purpose of the CAN-SPAM Act?

A. To diminish the use of electronic messages to send sexually explicit materials

B. To authorize the states to enforce federal privacy laws for electronic marketing

C. To empower the FTC to create rules for messages containing sexually explicit content

D. To ensure that organizations respect individual rights when using electronic advertising

SCENARIO

Please use the following to answer the next question:

Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state's Do Not Call list, as well as the people on it. "If they

were really serious about not being bothered," Evan said, "They'd be on the national DNC list. That's the only one we're required to follow. At SunriseLynx, we call until they ask us not to."

Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call "another time." This, to Larry, is a clear indication that they don't want to be called at all. Evan doesn't see it that way.

Larry believes that Evan's arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly,

even connecting with employees on social media. However, following Evan's political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.

Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though this name was clearly marked. Larry thinks the opening of personal mail is common

at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan's leadership.

Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations

sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker's belief that employees agreed to be monitored

when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an

outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.

Larry wants to take action, but is uncertain how to proceed.

In what area does Larry have a misconception about private-sector employee rights?

A. The applicability of federal law

B. The enforceability of local law

C. The strict nature of state law

D. The definition of tort law

Which federal act does NOT contain provisions for preempting stricter state laws?

A. The CAN-SPAM Act

B. The Children's Online Privacy Protection Act (COPPA)

C. The Fair and Accurate Credit Transactions Act (FACTA)

D. The Telemarketing Consumer Protection and Fraud Prevention Act

Which entity within the Department of Health and Human Services (HHS) is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA) "Privacy Rule"?

A. Office for Civil Rights.

B. Office of Social Services.

C. Office of Inspector General.

D. Office of Public Health and Safety.

SCENARIO

Please use the following to answer the next question:

When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was

not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to

customer information nor

procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low-level employees had access to all of the company's customer data, including financial records, and that the company still had in its

possession obsolete customer data going back to the 1980s.

Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a

highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely

disposing of it.

When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that

it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.

Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now

considered the responsibility of every employee.

Based on the problems with the company's privacy security that Roberta identifies, what

is the most likely cause of the breach?

A. Mishandling of information caused by lack of access controls.

B. Unintended disclosure of information shared with a third party.

C. Fraud involving credit card theft at point-of-service terminals.

D. Lost company property such as a computer or flash drive.

SCENARIO

Please use the following to answer the next question:

Noah is trying to get a new job involving the management of money. He has a poor personal credit rating, but he has made better financial decisions in the past two years.

One potential employer, Arnie's Emporium, recently called to tell Noah he did not get a position. As part of the application process, Noah signed a consent form allowing the employer to request his credit report from a consumer reporting

agency (CRA). Noah thinks that the report hurt his chances, but believes that he may not ever know whether it was his credit that cost him the job. However, Noah is somewhat relieved that he was not offered this particular position. He

noticed that the store where he interviewed was extremely disorganized. He imagines that his credit report could still

be sitting in the office, unsecured.

Two days ago, Noah got another interview for a position at Sam's Market. The interviewer told Noah that his credit report would be a factor in the hiring decision. Noah was surprised because he had not seen anything on paper about this

when he applied.

Regardless, the effect of Noah's credit on his employability troubles him, especially since he has tried so hard to improve it. Noah made his worst financial decisions fifteen years ago, and they led to bankruptcy. These were decisions he

made as a young man, and most of his debt at the time consisted of student loans, credit card debt, and a few unpaid bills ?all of which Noah is still working to pay off. He often laments that decisions he made fifteen years ago are still

affecting him today.

In addition, Noah feels that an experience investing with a large bank may have contributed to his financial troubles. In 2007, in an effort to earn money to help pay off his debt, Noah talked to a customer service representative at a large

investment company who urged him to purchase stocks. Without understanding the risks, Noah agreed. Unfortunately, Noah lost a great deal of money.

After losing the money, Noah was a customer of another financial institution that suffered a large security breach. Noah was one of millions of customers whose personal information was compromised. He wonders if he may have been a

victim of identity theft and whether this may have negatively affected his credit.

Noah hopes that he will soon be able to put these challenges behind him, build excellent credit, and find the perfect job.

Consumers today are most likely protected from situations like the one Noah had buying stock because of which federal action or legislation?

A. The rules under the Fair Debt Collection Practices Act.

B. The creation of the Consumer Financial Protection Bureau.

C. Federal Trade Commission investigations into "unfair and deceptive" acts or practices.

D. Investigations of "abusive" acts and practices under the Dodd-Frank Wall Street Reform and Consumer Protection Act.

In 2012, the White House and the FTC both issued reports advocating a new approach to privacy enforcement that can best be described as what?

A. Harm-based.

B. Self-regulatory.

C. Comprehensive.

D. Notice and choice.

SCENARIO

Please use the following to answer the next question:

Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence. Unbeknownst to Patrick, the FBI has already received a hint from anonymous whistleblower, and jointly with the National Security Agency is investigating Jane's possible implication in a sophisticated foreign espionage campaign.

Ever since the pandemic, Jane has been working from home. To complete her daily tasks she uses her corporate laptop, which after each login conspicuously provides notice that the equipment belongs to Jones Labs and may be monitored according to the enacted privacy policy and employment handbook. Jane also has a corporate mobile phone that she uses strictly for business, the terms of which are de ned in her employment contract and elaborated upon in her employee handbook. Both the privacy policy and the employee handbook are revised annually by a reputable California law rm specializing in privacy law. Jane also has a personal iPhone that she uses for private purposes only.

Jones Labs has its primary data center in San Francisco, which is managed internally by Jones Labs engineers. The secondary data center, managed by Amazon AWS, is physically located in the UK for disaster recovery purposes. Jones Labs' mobile devices backup is managed by a mid-sized mobile defense company located in Denver, which physically stores the data in Canada to reduce costs. Jones Labs MS O ce documents are securely stored in a Microsoft O ce 365 data center based in Ireland. Manufacturing data of Jones Labs is stored in Taiwan and managed by a local supplier that has no presence in the U.S.

When storing Jane's ngerprint for remote authentication. Jones Labs should consider legality issues under which of the following?

A. The Privacy Rule of the HITECH Act.

B. The California IoT Security Law (SB 327).

C. The applicable state law such as Illinois BIPA.

D. The federal Genetic Information Nondiscrimination Act (GINA).

Mega Corp. is a U.S.-based business with employees in California, Virginia, and Colorado. Which of the following must Mega Corp. comply with in regard to its human resources data?

A. California Privacy Rights Act.

B. California Privacy Rights Act and Virginia Consumer Data Protection Act.

C. California Privacy Rights Act and Colorado Privacy Act.

D. California Privacy Rights Act, Virginia Consumer Data Protection Act, and Colorado Privacy Act.