CIPP-US Online Practice Questions and Answers

SCENARIO

Please use the following to answer the next question:

Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company

for ten years and has always been concerned about protecting customers' privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.

Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.

After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a

customer's personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the

customer. The wording of these rules worries Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide

crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.

Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity.

However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any

employee can access if needed.

Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a

period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.

What is the main problem with Cheryl's suggested method of communicating the new privacy policy?

A. The policy would not be considered valid if not communicated in full.

B. The policy might not be implemented consistency across departments.

C. Employees would not be comfortable with a policy that is put into action over time.

D. Employees might not understand how the documents relate to the policy as a whole.

SCENARIO

Please use the following to answer the next question:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the

letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and

request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened

the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company."

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.

As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

Upon review, the data privacy leader discovers that the Company's documented data inventory is obsolete. What is the data privacy leader's next best source of information to aid the investigation?

A. Reports on recent purchase histories

B. Database schemas held by the retailer

C. Lists of all customers, sorted by country

D. Interviews with key marketing personnel

Who has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA)?

A. State Attorneys General

B. The Federal Trade Commission

C. The Department of Commerce

D. The Consumer Financial Protection Bureau

What practice do courts commonly require in order to protect certain personal information on documents, whether paper or electronic, that is involved in litigation?

A. Redaction

B. Encryption

C. Deletion

D. Hashing

What is an exception to the Electronic Communications Privacy Act of 1986 ban on interception of wire, oral and electronic communications?

A. Where one of the parties has given consent

B. Where state law permits such interception

C. If an organization intercepts an employee's purely personal call

D. Only if all parties have given consent

Which federal act does NOT contain provisions for preempting stricter state laws?

A. The CAN-SPAM Act

B. The Children's Online Privacy Protection Act (COPPA)

C. The Fair and Accurate Credit Transactions Act (FACTA)

D. The Telemarketing Consumer Protection and Fraud Prevention Act

Which federal law or regulation preempts state law?

A. Health Insurance Portability and Accountability Act

B. Controlling the Assault of Non-Solicited Pornography and Marketing Act

C. Telemarketing Sales Rule

D. Electronic Communications Privacy Act of 1986

SCENARIO

Please use the following to answer the next question:

Noah is trying to get a new job involving the management of money. He has a poor personal credit rating, but he has made better financial decisions in the past two years.

One potential employer, Arnie's Emporium, recently called to tell Noah he did not get a position. As part of the application process, Noah signed a consent form allowing the employer to request his credit report from a consumer reporting

agency (CRA). Noah thinks that the report hurt his chances, but believes that he may not ever know whether it was his credit that cost him the job. However, Noah is somewhat relieved that he was not offered this particular position. He

noticed that the store where he interviewed was extremely disorganized. He imagines that his credit report could still

be sitting in the office, unsecured.

Two days ago, Noah got another interview for a position at Sam's Market. The interviewer told Noah that his credit report would be a factor in the hiring decision. Noah was surprised because he had not seen anything on paper about this

when he applied.

Regardless, the effect of Noah's credit on his employability troubles him, especially since he has tried so hard to improve it. Noah made his worst financial decisions fifteen years ago, and they led to bankruptcy. These were decisions he

made as a young man, and most of his debt at the time consisted of student loans, credit card debt, and a few unpaid bills ?all of which Noah is still working to pay off. He often laments that decisions he made fifteen years ago are still

affecting him today.

In addition, Noah feels that an experience investing with a large bank may have contributed to his financial troubles. In 2007, in an effort to earn money to help pay off his debt, Noah talked to a customer service representative at a large

investment company who urged him to purchase stocks. Without understanding the risks, Noah agreed. Unfortunately, Noah lost a great deal of money.

After losing the money, Noah was a customer of another financial institution that suffered a large security breach. Noah was one of millions of customers whose personal information was compromised. He wonders if he may have been a

victim of identity theft and whether this may have negatively affected his credit.

Noah hopes that he will soon be able to put these challenges behind him, build excellent credit, and find the perfect job.

Based on the scenario, which legislation should ease Noah's worry about his credit report as a result of applying at Arnie's Emporium?

A. The Privacy Rule under the Gramm-Leach-Bliley Act (GLBA).

B. The Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA).

C. The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA).

D. The Red Flags Rule under the Fair and Accurate Credit Transactions Act (FACTA).

Which of the following became the first state to pass a law specifically regulating the collection of biometric data?

A. California.

B. Texas.

C. Illinois.

D. Washington.

In 2011, the FTC announced a settlement with Google regarding its social networking service Google Buzz. The FTC alleged that in the process of launching the service, the company did all of the following EXCEPT?

A. Violated its own privacy policies.

B. Engaged in deceptive trade practices.

C. Failed to comply with Safe Harbor principles.

D. Failed to employ sufficient security safeguards.