Free IAPP CIPP-US Practice Exam with Questions & Answers | Set: 4

 Employers have a duty to protect the personal information of their current and former employees, as well as applicants, from unauthorized access, use, or disclosure. This duty may arise from federal or state laws, such as the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA), or from contractual obligations, such as non-disclosure agreements or privacy policies. Employers may retain sensitive employment records, such as performance evaluations, disciplinary actions, medical records, or background checks, for a legitimate business purpose, such as complying with legal requirements, defending against lawsuits, or conducting audits. However, employers must ensure that these records are stored securely, accessed only by authorized personnel, and disposed of properly when no longer needed. References: IAPP CIPP/US Study Guide, Chapter 4, Section 4.1.1, IAPP CIPP/US Body of Knowledge, Domain IV, Objective B

Financial institutions (FIs) collect and process a large amount of personal data from their customers, such as name, address, account number, transaction history, credit score, etc. Customers may have different preferences regarding how their data is used, shared, or protected by the FIs. For example, some customers may want to receive marketing offers from the FIs or their affiliates, while others may opt out of such communications. Some customers may prefer to access their accounts online, while others may use mobile apps, phone calls, or physical branches. Some customers may want to enable biometric authentication, while others may rely on passwords or PINs.

Managing these diverse and dynamic user preferences is a challenge for FIs, as they need to ensure that they respect and honor the choices of their customers across all the channels and platforms they use. This requires FIs to have arobust and integrated system that can capture, store, update, and apply user preferences consistently and accurately. Failing to do so may result in customer dissatisfaction, loss of trust, regulatory fines, or legal disputes.12

References: 1: The Top Three Digital Challenges Faced By Financial Institutions And How To Overcome Them3, paragraph 42: IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 127.

Data classification is the process of categorizing data based on its sensitivity and importance to determine its level of confidentiality and protection. Data classification helps organizations apply appropriate security and compliance measures to ensure each category receives proper protection1. Data classification also helps organizations identify which data is subject to specific privacylaws and regulations, such as the GDPR, HIPAA, or CCPA, and how to handle data subject requests, data breaches, or legal discovery2. If an organization maintains data classified as high sensitivity, such as personal information, financial information, or health information, in the same system as data classified as low sensitivity, such as public information or internal information, it increases the risk of exposing the high sensitivity data in the event of a data breach. A data breach can result in legal consequences, reputational damage, and loss of trust from customers and stakeholders. Therefore, it is advisable to segregate data based on its classification and apply different levels of encryption, access control, and monitoring to each category3. This way, the organization can minimize the impact of a data breach and protect the privacy and security of its data assets. References:

Why Is Data Classification Important?

Data Classification for GDPR Explained

Data classification and privacy considerations

 The most important step for the HR department to take when implementing this new software is to provide notice to employees that their emails will be scanned by the software and creating automated profiles. This is because the software involves the collection and use of personal information from employees, which may implicate their privacy rights and expectations. By providing notice, the HR department can inform employees about the purpose, scope, and consequences of the software, as well as their choices and rights regarding their data. Notice is also a key element of transparency and accountability, which are essential principles of privacy management. Providing notice can also help the HR department comply with various privacy laws and regulations that may apply to the software, such as the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Fair Credit Reporting Act (FCRA), and state privacy laws. Notice can also help the HR department avoid potential legal risks and liabilities that may arise from the software, such as claims of invasion of privacy, breach of contract, or violation of employee rights. References:

U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 4, Section 4.2.1, pp. 97-98.

U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 5, Section 5.2.1, pp. 125-126.

U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 6, Section 6.2.1, pp. 153-154.

IAPP CIPP/US Certified Information Privacy Professional Study Guide by Mike Chapple and Joe Shelley, Chapter 4, Section 4.1, pp. 113-114.

The Children’s Online Privacy Protection Act (COPPA) is a federal law that regulates the online collection and use of personal information from children under 13 years of age. COPPA requires operators of websites or online services that are directed to children, or that knowingly collect personal information from children, to obtain verifiable parental consent before collecting, using, or disclosing such information. Verifiable parental consent means any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, the child’s parent receives notice of the operator’s information practices and consents to those practices. COPPA also imposes other obligations on operators, such as providing parents with access to their children’s information, maintaining reasonable security measures, and limiting data retention. References: COPPA, IAPP CIPP/US Study Guide, Chapter 2, Section 2.3.1

The annual privacy notice requirement under the Gramm-Leach-Bliley Act (GLBA) applies to financial institutions that collect nonpublic personal information from customers and disclose it to nonaffiliated third parties, unless they qualify for an exception. A financial institution is any entity that engages in activities that are financial in nature or incidental to such activities, as defined by section 4(k) of the Bank Holding Company Act of 1956. The King County Savings and Loan is a financial institution under this definition, as it engages in lending money and accepting deposits. Therefore, it is required to provide its customers with an annual privacy notice, unless it meets the conditions for an exception. The Four Winds Tribal College, the Golden Gavel Auction House, and the Breezy City Housing Commission are not financial institutions under the GLBA, as they do not engage in activities that are financial in nature or incidental to such activities. Therefore, they are not required to provide their customers with an annual privacy notice under the GLBA. References:

Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act, section I. Background, paragraph 2.

17 CFR § 248.5 - Annual privacy notice to customers required., paragraph (a) (1).

IAPP CIPP/US Study Guide, page 65.

 The Federal Trade Commission (FTC) is the primary federal agency that enforces consumer privacy and data security laws in the United States. The FTC has the authority to bring enforcement actions against businesses that engage in unfair or deceptive acts or practices that affect commerce, under Section 5 of the FTC Act. Unfair acts or practices are those that cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers and is not outweighed by countervailing benefits to consumers or competition. Deceptive acts or practices are those that involve a material representation, omission, or practice that is likely to mislead consumers acting reasonably under the circumstances.

The FTC’s action against B.J.'s Wholesale Club in 2005 was unique because it was based on matters of fairness rather than deception. The FTC alleged that B.J.'s Wholesale Club, a retailer that operates warehouse stores and gas stations, failed to provide reasonable security for the sensitive information of its customers, such as name, card number, and expiration date, that it collected from the magnetic stripes of credit and debit cards. The FTC claimed that this information was used by unauthorized persons to make millions of dollars of fraudulent purchases. The FTC did not allege that B.J.'s Wholesale Club made any false or misleading statements or omissions about its data security practices, but rather that its failure to take appropriate security measures was an unfair practice that violated Section 5 of the FTC Act. The FTC argued that B.J.'s Wholesale Club’s lax security caused or was likely to cause substantial injury to consumers that was not reasonably avoidable by consumers and was not outweighed by any benefits to consumers or competition.

The FTC’s action against B.J.'s Wholesale Club was one of the first cases in which the FTC used its unfairness authority to address data security issues,and it set a precedent for future enforcement actions against businesses that fail to protect consumer data. The settlement required B.J.'s Wholesale Club to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years. References:

FTC Complaint, Paragraphs 1-23

FTC Agreement Containing Consent Order, Paragraphs 1-9

FTC Analysis of Proposed Consent Order to Aid Public Comment, Pages 1-3

[IAPP CIPP/US Study Guide], Pages 69-70

The Consumer Privacy Bill of Rights is a set of principles proposed by the Obama administration in 2012 to protect the privacy of consumers online and offline. The principles are based on the Fair Information Practice Principles, which are widely accepted as the foundation of privacy protection. One of the principles is the right to reasonable limits on the personal data that a company retains, which means that companies should collect and keep only the personal data they need for legitimate purposes, and dispose of it securely when it is no longer needed. This principle would best reform the company’s privacy program in the scenario, as it would address the major concerns that Roberta identified in her report, such as the lack of rules and procedures for purging and destroying outdated data, and the excessive access to customer information by low-level employees. By implementing reasonable limits on the personal data that the company retains, the company would reduce the risk of data breaches, enhance customer trust, and comply with state breach notification laws. References:

Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to U.S. Privacy Law, Section 1.2: The Consumer Privacy Bill of Rights

BYOD is a practice that allows employees to use their own personal devices, such as smartphones, tablets, or laptops, for work-related purposes. BYOD can offer some benefits for both employers and employees, such as increased flexibility, convenience, and productivity. However, BYOD also poses significant privacy and security risks, such as data breaches, unauthorized access, loss or theft of devices, malware infections, and compliance challenges. Therefore, the business consultant will most likely advise Felicia and Celeste to weigh any productivity benefits of the plan against the risk of privacy issues, and to implement a comprehensive BYOD policy that addresses the following aspects:

The scope and purpose of the BYOD program, including the types of devices, data, and applications that are allowed or prohibited.

The roles and responsibilities of the employer and the employees, including the ownership, control, and access rights of the devices and the data.

The security measures and controls that are required to protect the devices and the data, such as encryption, passwords, remote wipe, antivirus software, firewalls, and VPNs.

The privacy expectations and obligations of the employer and the employees, such as the notice, consent, and disclosure requirements, the limits on data collection and monitoring, the retention and deletion policies, and the rights of access and correction.

The legal and regulatory compliance requirements that apply to the BYOD program, such as the FTC Act, the GLBA, the HIPAA, the COPPA, the CCPA, and the GDPR.

The incident response and reporting procedures that are followed in the event of a data breach, loss, or theft of a device, or any other privacy or security issue.

The training and education programs that are provided to the employees to raise awareness and understanding of the BYOD policy and the best practices.

The enforcement and audit mechanisms that are used to ensure compliance and accountability of the BYOD policy, such as sanctions, penalties, reviews, and audits. References:

IAPP CIPP/US Body of Knowledge, Section III.C.2

IAPP CIPP/US Textbook, Chapter 3, pp. 113-115

FTC Mobile Device Security

The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA) is a federal regulation that requires any person or entity that maintains or possesses consumer information derived from consumer reports to dispose of such information in a secure and proper manner1.

The Disposal Rule aims to protect consumers from identity theft and fraud by preventing unauthorized access to or use of their personal information1.

The Disposal Rule is enforced by several federal agencies, depending on the type and sector of the entity that is subject to the rule1. These agencies include:

The Federal Trade Commission (FTC), which has general authority over most entities that are not specifically regulated by other agencies2.

The Consumer Financial Protection Bureau (CFPB), which has authority over consumer financial products and services, such as banks, credit unions, lenders, debt collectors, and credit reporting agencies3.

The Office of the Comptroller of the Currency (OCC), which has authority over national banks and federal savings associations4.

The Federal Deposit Insurance Corporation (FDIC), which has authority over state-chartered banks that are not members of the Federal Reserve System and state-chartered savings associations5.

The Board of Governors of the Federal Reserve System (FRB), which has authority over state-chartered banks that are members of the Federal Reserve System, bank holding companies, and certain nonbank subsidiaries of bank holding companies.

The National Credit Union Administration (NCUA), which has authority over federally insured credit unions.

The Securities and Exchange Commission (SEC), which has authority over brokers, dealers, investment companies, and investment advisers.

The Commodity Futures Trading Commission (CFTC), which has authority over commodity futures and options markets and intermediaries.

The Department of Health and Human Services (HHS) is NOT one of the federal agencies that enforces the Disposal Rule under FACTA. HHS has authority over health information privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), but not under FACTA.

References: 1: Disposing of Consumer Report Information? Rule Tells How 2: FTC Enforcement 3: CFPB Enforcement 4: OCC Enforcement 5: FDIC Enforcement : [FRB Enforcement] : [NCUA Enforcement] : [SEC Enforcement] : [CFTC Enforcement] : [HHS Enforcement]