IAPP CIPP/US Exam - Topic 4 Question 41 Discussion

Actual exam question for IAPP's CIPP/US exam

Question #: 41
Topic #: 4

SCENARIO

Please use the following to answer the next QUESTION

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in Californi

a. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask QUESTION NO:s about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense -- like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.

Based on Felicia's Bring Your Own Device (BYOD) plan, the business consultant will most likely advise Felicia and Celeste to do what?

AReconsider the plan in favor of a policy of dedicated work devices.

BAdopt the same kind of monitoring policies used for work-issued devices.

CWeigh any productivity benefits of the plan against the risk of privacy issues.

DMake employment decisions based on those willing to consent to the plan in writing.
BYOD is a practice that allows employees to use their own personal devices, such as smartphones, tablets, or laptops, for work-related purposes. BYOD can offer some benefits for both employers and employees, such as increased flexibility, convenience, and productivity. However, BYOD also poses significant privacy and security risks, such as data breaches, unauthorized access, loss or theft of devices, malware infections, and compliance challenges. Therefore, the business consultant will most likely advise Felicia and Celeste to weigh any productivity benefits of the plan against the risk of privacy issues, and to implement a comprehensive BYOD policy that addresses the following aspects:
The scope and purpose of the BYOD program, including the types of devices, data, and applications that are allowed or prohibited.
The roles and responsibilities of the employer and the employees, including the ownership, control, and access rights of the devices and the data.
The security measures and controls that are required to protect the devices and the data, such as encryption, passwords, remote wipe, antivirus software, firewalls, and VPNs.
The privacy expectations and obligations of the employer and the employees, such as the notice, consent, and disclosure requirements, the limits on data collection and monitoring, the retention and deletion policies, and the rights of access and correction.
The legal and regulatory compliance requirements that apply to the BYOD program, such as the FTC Act, the GLBA, the HIPAA, the COPPA, the CCPA, and the GDPR.
The incident response and reporting procedures that are followed in the event of a data breach, loss, or theft of a device, or any other privacy or security issue.
The training and education programs that are provided to the employees to raise awareness and understanding of the BYOD policy and the best practices.
The enforcement and audit mechanisms that are used to ensure compliance and accountability of the BYOD policy, such as sanctions, penalties, reviews, and audits.References:
IAPP CIPP/US Body of Knowledge, Section III.C.2
IAPP CIPP/US Textbook, Chapter 3, pp. 113-115
FTC Mobile Device Security

Show Suggested Answer

Suggested Answer: C

by Claribel at Apr 24, 2023, 04:09 PM

Limited Time Offer

25%

10 months ago

Celeste seems a bit too relaxed about the privacy and security concerns. I wonder if she's been watching too many episodes of 'Silicon Valley'.

upvoted 0 times

Dana

9 months ago

The business consultant will probably advise them to weigh the benefits against the risks.

upvoted 0 times

...

Cory

10 months ago

Yeah, Felicia's concerns are valid. They need to carefully consider the privacy issues.

upvoted 0 times

...

Virgina

10 months ago

I think Celeste is underestimating the risks of BYOD.

upvoted 0 times

...

12 months ago

I think Felicia's concerns about security are valid.

upvoted 0 times

...