Reliable IAPP CIPP/US Exam Dumps - Pass in 1st Attempt

Question No: 1

MultipleChoice

SCENARIO

Please use the following to answer the next QUESTION:

Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.

Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.

On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.

He was also curious about the hospital's use of a billing company. He Questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.

On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.

Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.

Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.

In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.

Although Declan's day ended with many Questions, he was pleased about his new position.

Based on the scenario, what is the most likely way Declan's supervisor would answer his question about the hospital's use of a billing company?

Options

ABy suggesting that Declan look at the hospital's publicly posted privacy policy

BBy assuring Declan that third parties are prevented from seeing Private Health Information (PHI)

CBy pointing out that contracts are in place to help ensure the observance of minimum security standards

DBy describing how the billing system is integrated into the hospital's electronic health records (EHR) system

Question No: 2

MultipleChoice

SCENARIO

Please use the following to answer the next question;

Miraculous Healthcare is a large medical practice with multiple locations in California and Nevad

a. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.

For this new initiative. Miraculous is considering a product built by MedApps. a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices" branding. MedApps provides technical support for the app. which it hosts in the cloud MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service

Riya is the Privacy Officer at Miraculous, responsible for the practice s compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices. as well as negotiating the terms of vendor agreements Riya is currently reviewing the suitability of the MedApps app from a pnvacy perspective

Riya has also been asked by the Miraculous Healthcare business operations team to review the MedApps' optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedApps

Which option best would accurately describe the relationship of the parties if they enter into a contract for use of the app?

Options

AMiraculous Healthcare would be the covered entity because Us name and branding are on the app. MedApps would be a business associate because it Is hosting the data that supports the app

BMedApps would be the covered entity because it built and hosts the app and all the data. Miraculous Healthcare would be a business associate because it only provides its brand on the app.

CMiraculous Healthcare would be a covered entity because it is the healthcare provider; MedApps would also be a covered entity because the data in the app is being shared with it.

DMiraculous Healthcare would be the covered entity because it is the healthcare provider; MedApps would be a business associate because it is providing a service to support Miraculous.

Answer
DExplanation

Under the Health Insurance Portability and Accountability Act (HIPAA), entities involved in the handling of protected health information (PHI) are classified as either covered entities or business associates based on their roles and activities.

Definitions Under HIPAA:

Covered Entity (CE):

A healthcare provider, health plan, or healthcare clearinghouse that creates, receives, maintains, or transmits PHI.

Miraculous Healthcare qualifies as a covered entity because it is a medical practice directly providing healthcare services to patients.

Business Associate (BA):

An organization or individual that performs functions, activities, or services involving the use or disclosure of PHI on behalf of a covered entity.

MedApps qualifies as a business associate because it is providing a telehealth app service to Miraculous, which involves hosting and maintaining PHI (e.g., appointment details, patient information).

Analysis of the Relationship:

Miraculous Healthcare: As the healthcare provider, it is responsible for patient care and compliance with HIPAA. Since it directly provides healthcare services to patients, it is the covered entity in this scenario.

MedApps: Although MedApps designed, hosts, and supports the telehealth app, it is providing these services on behalf of Miraculous Healthcare. As such, MedApps is a business associate under HIPAA. This designation requires MedApps to comply with HIPAA regulations through a Business Associate Agreement (BAA), ensuring that it appropriately safeguards the PHI it handles on behalf of Miraculous Healthcare.

Consideration of the Benchmarking Service:

The optional benchmarking service also reinforces MedApps' role as a business associate. Miraculous Healthcare would need to assess whether the PHI uploaded for benchmarking meets HIPAA's minimum necessary standard and that MedApps implements appropriate safeguards for PHI used for benchmarking. The BAA would need to address these specific uses.

Explanation of Options:

A . Miraculous Healthcare would be the covered entity because its name and branding are on the app. MedApps would be a business associate because it is hosting the data that supports the app: While this is close, it oversimplifies the reasoning by focusing solely on branding. The covered entity designation is determined by the healthcare services provided, not just branding.

B . MedApps would be the covered entity because it built and hosts the app and all the data. Miraculous Healthcare would be a business associate because it only provides its brand on the app: This is incorrect because MedApps is not directly providing healthcare services. Hosting and maintaining PHI does not make it a covered entity but rather a business associate.

C . Miraculous Healthcare would be a covered entity because it is the healthcare provider; MedApps would also be a covered entity because the data in the app is being shared with it: This is incorrect because MedApps does not independently provide healthcare services to patients. Its role is solely as a service provider to Miraculous.

D . Miraculous Healthcare would be the covered entity because it is the healthcare provider; MedApps would be a business associate because it is providing a service to support Miraculous: This is the correct answer. Miraculous is the covered entity, and MedApps, by hosting the telehealth app and handling PHI on Miraculous' behalf, is a business associate.

Reference from CIPP/US Materials:

HIPAA Privacy Rule (45 CFR 160.103): Defines covered entities and business associates.

Business Associate Agreements (BAAs): HIPAA requires a BAA between covered entities and business associates to ensure PHI is appropriately protected.

IAPP CIPP/US Certification Textbook: Provides detailed examples of covered entities and business associates, along with their roles and responsibilities under HIPAA.

Question No: 3

MultipleChoice

The rules for ''e-discovery'' mainly prevent Which option best?

Options

AA conflict between business practice and technological safeguards

BThe loss of information due to poor data retention practices

CThe practice of employees using personal devices for work

DA breach of an organization's data retention program

Question No: 4

MultipleChoice

SCENARIO

Please use the following to answer the next QUESTION

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in Californi

a. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask QUESTION NO:s about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense -- like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.

Regarding credit checks of potential employees, Celeste has a misconception regarding what?

Options

AConsent requirements.

BDisclosure requirements.

CEmployment-at-will rules.

DRecords retention policies
Celeste has a misconception regarding the consent requirements for conducting credit checks of potential employees in California. She thinks that verbal consent from the applicants is sufficient, and that they only need to be offered access to the results.However, under the California Consumer Credit Reporting Agencies Act (CCRAA), employers who want to obtain a consumer credit report for employment purposes must comply with the following consent and disclosure requirements12:
Before requesting a consumer credit report, the employer must provide the applicant with a clear and conspicuous written disclosure that informs them of the following:
The specific purpose for obtaining the report.
The source of the report.
The applicant's right to obtain a free copy of the report from the source within 60 days.
The applicant's right to dispute the accuracy or completeness of any information in the report.
The employer must also obtain the applicant's written authorization to obtain the report.
If the employer intends to take an adverse action based on the report, such as denying employment, the employer must provide the applicant with a copy of the report and a summary of their rights under the CCRAA before taking the action.
After taking the adverse action, the employer must provide the applicant with a notice that includes the following:
The name, address, and telephone number of the source of the report.
A statement that the source of the report did not make the decision and cannot explain why the decision was made.
A statement that the applicant has the right to obtain another free copy of the report from the source within 60 days.
A statement that the applicant has the right to dispute the accuracy or completeness of any information in the report.
Therefore, Celeste is wrong to assume that verbal consent and optional access to the results are enough to comply with the CCRAA. She should follow the written consent and disclosure requirements to avoid violating the law and potentially facing civil penalties or lawsuits.References:
California Consumer Credit Reporting Agencies Act
Employment Credit Checks: What You Need to Know | Nolo

Question No: 5

MultipleChoice

SCENARIO

Please use the following to answer the next QUESTION

Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop. ''Doing your homework?'' Matt asked hopefully.

''No,'' the boy said. ''I'm filling out a survey.''

Matt looked over his son's shoulder at his computer screen. ''What kind of survey?'' ''It's asking

QUESTIONs about my opinions.''

''Let me see,'' Matt said, and began reading the list of

QUESTION s that his son had already answered. ''It's asking your opinions about the government and citizenship. That's a little odd. You're only ten.''

Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.

To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer

QUESTIONs about his favorite games and toys.

Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.

Depending on where Matt lives, the marketer could be prosecuted for violating which of the following?

Options

AInvestigative Consumer Reporting Agencies Act.

BUnfair and Deceptive Acts and Practices laws.

CConsumer Bill of Rights.

DRed Flag Rules.

Question No: 6

MultipleChoice

SCENARIO

Please use the following to answer the next QUESTION :

You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.

A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals -- ones that exposed the PHI of public figures including celebrities and politicians.

During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.

A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.

Which of the following would be HealthCo's best response to the attorney's discovery request?

Options

AReject the request because the HIPAA privacy rule only permits disclosure for payment, treatment or healthcare operations

BRespond with a request for satisfactory assurances such as a qualified protective order

CTurn over all of the compromised patient records to the plaintiff's attorney

DRespond with a redacted document only relative to the plaintiff

Question No: 7

MultipleChoice

SCENARIO

Please use the following to answer the next QUESTION :

You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.

A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals -- ones that exposed the PHI of public figures including celebrities and politicians.

During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.

A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.

Of the safeguards required by the HIPAA Security Rule, which of the following is NOT at issue due to HealthCo's actions?

Options

AAdministrative Safeguards

BTechnical Safeguards

CPhysical Safeguards

DSecurity Safeguards

Question No: 8

MultipleChoice

SCENARIO

Please use the following to answer the next QUESTION

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in Californi

a. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask

QUESTIONs about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense -- like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.

Regarding credit checks of potential employees, Celeste has a misconception regarding what?

Options

AConsent requirements.

BDisclosure requirements.

CEmployment-at-will rules.

DRecords retention policies

Question No: 9

MultipleChoice

SCENARIO

Please use the following to answer the next QUESTION

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in Californi

a. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask

QUESTIONs about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense -- like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.

Which law will be most relevant to Felicia's plan to ask applicants about drug addiction?

Options

AThe Americans with Disabilities Act (ADA).

BThe Occupational Safety and Health Act (OSHA).

CThe Genetic Information Nondiscrimination Act of 2008.

DThe Health Insurance Portability and Accountability Act (HIPAA).

Question No: 10

MultipleChoice

SCENARIO

Please use the following to answer the next QUESTION

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in Californi

a. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask

QUESTIONs about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense -- like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.

Based on Felicia's Bring Your Own Device (BYOD) plan, the business consultant will most likely advise Felicia and Celeste to do what?

Options

AReconsider the plan in favor of a policy of dedicated work devices.

BAdopt the same kind of monitoring policies used for work-issued devices.

CWeigh any productivity benefits of the plan against the risk of privacy issues.

DMake employment decisions based on those willing to consent to the plan in writing.

Question No: 11

MultipleChoice

In which situation would a policy of ''no consumer choice'' or ''no option'' be expected?

Options

AWhen a job applicant's credit report is provided to an employer

BWhen a customer's financial information is requested by the government

CWhen a patient's health record is made available to a pharmaceutical company

DWhen a customer's street address is shared with a shipping company

Question No: 12

MultipleChoice

SCENARIO

Please use the following to answer the next QUESTION

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in Californi

a. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask Question:s about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense -- like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.

Which law will be most relevant to Felicia's plan to ask applicants about drug addiction?

Options

AThe Americans with Disabilities Act (ADA).

BThe Occupational Safety and Health Act (OSHA).

CThe Genetic Information Nondiscrimination Act of 2008.

DThe Health Insurance Portability and Accountability Act (HIPAA).

Question No: 13

MultipleChoice

SCENARIO

Please use the following to answer the next QUESTION

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in Californi

a. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask Question:s about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense -- like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.

Regarding credit checks of potential employees, Celeste has a misconception regarding what?

Options

AConsent requirements.

BDisclosure requirements.

CEmployment-at-will rules.

DRecords retention policies

Question No: 14

MultipleChoice

Which was NOT one of the five priority areas listed by the Federal Trade Commission in its 2012 report, ''Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers''?

Options

AInternational data transfers

BLarge platform providers

CPromoting enforceable self-regulatory codes

DDo Not Track

Question No: 15

MultipleChoice

The ''Consumer Privacy Bill of Rights'' presented in a 2012 Obama administration report is generally based on?

Options

AThe 1974 Privacy Act

BCommon law principles

CEuropean Union Directive

DTraditional fair information practices

Question No: 16

MultipleChoice

In which situation would a policy of ''no consumer choice'' or ''no option'' be expected?

Options

AWhen a job applicant's credit report is provided to an employer

BWhen a customer's financial information is requested by the government

CWhen a patient's health record is made available to a pharmaceutical company

DWhen a customer's street address is shared with a shipping company

Question No: 17

MultipleChoice

SCENARIO

Please use the following to answer the next QUESTION:

Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop. ''Doing your network?'' Matt asked hopefully.

''No,'' the boy said. ''I'm filling out a survey.''

Matt looked over his son's shoulder at his computer screen. ''What kind of survey?'' ''It's asking Questions about my opinions.''

''Let me see,'' Matt said, and began reading the list of Questions that his son had already answered. ''It's asking your opinions about the government and citizenship. That's a little odd. You're only ten.''

Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.

To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer Questions about his favorite games and toys.

Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.

How could the marketer have best changed its privacy management program to meet COPPA ''Safe Harbor'' requirements?

Options

ABy receiving FTC approval for the content of its emails

BBy making a COPPA privacy notice available on website

CBy participating in an approved self-regulatory program

DBy regularly assessing the security risks to consumer privacy

Question No: 18

MultipleChoice

In what way does the ''Red Flags Rule'' under the Fair and Accurate Credit Transactions Act (FACTA) relate to the owner of a grocery store who uses a money wire service?

Options

AIt mandates the use of updated technology for securing credit records

BIt requires the owner to implement an identity theft warning system

CIt is not usually enforced in the case of a small financial institution

DIt does not apply because the owner is not a creditor

Question No: 19

MultipleChoice

The rules for ''e-discovery'' mainly prevent which of the following?

Options

AA conflict between business practice and technological safeguards

BThe loss of information due to poor data retention practices

CThe practice of employees using personal devices for work

DA breach of an organization's data retention program

Question No: 20

MultipleChoice

Which of the following best describes what a ''private right of action'' is?

Options

AThe right of individuals to keep their information private.

BThe right of individuals to submit a request to access their information.

CThe right of individuals harmed by data processing to have their information deleted.

DThe right of individuals harmed by a violation of a law to file a lawsuit against the violation.

Free IAPP CIPP/US Exam Dumps June 2026