Download Free IAPP CIPP-US Real Exam Questions Download [Q65-Q81]

Share

Download Free IAPP CIPP-US Real Exam Questions Download

Latest IAPP CIPP-US Real Exam Dumps PDF


The CIPP-US certification exam is a rigorous exam that requires candidates to have a solid understanding of the principles of data privacy and protection. CIPP-US exam is designed to test the knowledge of the candidates in areas such as privacy laws and regulations, data protection, security, and management. CIPP-US exam is generally taken by professionals who have several years of experience in the field of data privacy and protection.


The CIPP-US certification exam consists of 90 multiple-choice questions, and candidates are given 2.5 hours to complete the exam. The questions are designed to test the candidate's knowledge and understanding of the US privacy laws and regulations, as well as their ability to apply this knowledge in real-world scenarios. CIPP-US exam is administered by Pearson VUE, and candidates can take the exam at any of the Pearson VUE testing centers worldwide.

 

NEW QUESTION # 65
What consumer protection did the Fair and Accurate Credit Transactions Act (FACTA) require?

  • A. The right to request removal from e-mail lists
  • B. The truncation of account numbers on credit card receipts
  • C. Consumer notice when third-party data is used to make an adverse decision
  • D. The ability for the consumer to correct inaccurate credit report information

Answer: B

Explanation:
The Fair and Accurate Credit Transactions Act (FACTA) is an amendment to the Fair Credit Reporting Act (FCRA) that was enacted in 2003. FACTA aims to enhance consumer protection against identity theft and fraud by requiring various measures, such as free annual credit reports, fraud alerts, and identity theft prevention programs. One of the consumer protections that FACTA requires is the truncation of account numbers on credit card receipts. This means that only the last four or five digits of the account number can be printed on the receipt, while the rest must be masked or deleted. This reduces the risk of unauthorized access or use of the account number by third parties who may obtain the receipt. References:
* IAPP CIPP/US Body of Knowledge, Section III, B, 1
* [IAPP CIPP/US Study Guide, Chapter 3, Section 3.2]
* [FACTA, Section 113]


NEW QUESTION # 66
What are banks required to do under the Gramm-Leach-Bliley Act (GLBA)?

  • A. Process requests for changes to user preferences within a designated time frame
  • B. Conduct annual consumer surveys regarding satisfaction with user preferences
  • C. Offer an Opt-Out before transferring PI to an unaffiliated third party for the latter's own use
  • D. Provide consumers with the opportunity to opt out of receiving telemarketing phone calls

Answer: C


NEW QUESTION # 67
SCENARIO
Please use the following to answer the next QUESTION:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data.
However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
Which of the following would be HealthCo's best response to the attorney's discovery request?

  • A. Turn over all of the compromised patient records to the plaintiff's attorney
  • B. Respond with a request for satisfactory assurances such as a qualified protective order
  • C. Reject the request because the HIPAA privacy rule only permits disclosure for payment, treatment or healthcare operations
  • D. Respond with a redacted document only relative to the plaintiff

Answer: B

Explanation:
The HIPAA privacy rule establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as "protected health information") and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically (collectively defined as "covered entities")1 The rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual's authorization1 The rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections1 The HIPAA privacy rule permits a covered entity to disclose protected health information for the litigation in response to a court order, subpoena, discovery request, or other lawful process, provided the applicable requirements of 45 CFR 164.512 (e) for disclosures for judicial and administrative proceedings are met2 These requirements include:
* In response to a court order or administrative tribunal order, the covered entity may disclose only the protected health information expressly authorized by such order2
* In response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order or administrative tribunal order, the covered entity must receive satisfactory assurances that the party seeking the information has made reasonable efforts to ensure that the individual who is the subject of the information has been given notice of the request, or that the party seeking the information has made reasonable efforts to secure a qualified protective order2
* A qualified protective order is an order of a court or administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested andrequires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding2 Option A is incorrect because the HIPAA privacy rule does not only permit disclosure for payment, treatment or healthcare operations. The rule also allows disclosure for other purposes, such as public health, research, law enforcement, judicial and administrative proceedings, as long as the applicable conditions and limitations are met1 Option B is correct because it is consistent with the HIPAA privacy rule's requirement for disclosures for judicial and administrative proceedings. By responding with a request for satisfactory assurances such as a qualified protective order, HealthCo is ensuring that the protected health information will be used only for the litigation and will be returned or destroyed afterwards2 Option C is incorrect because it is not consistent with the HIPAA privacy rule's requirement for disclosures for judicial and administrative proceedings. By turning over all of the compromised patient records to the plaintiff's attorney, HealthCo is disclosing more information than necessary and may violate the privacy rights of other individuals who are not parties to the lawsuit2 Option D is incorrect because it is not consistent with the HIPAA privacy rule's requirement for disclosures for judicial and administrative proceedings. By responding with a redacted document only relative to the plaintiff, HealthCo is not providing satisfactory assurances that the protected health information will be used only for the litigation and will be returned or destroyed afterwards2 References: 1: Summary of the HIPAA Privacy Rule | HHS.gov 2: May a covered entity use or disclose protected health information for litigation? | HHS.gov


NEW QUESTION # 68
Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.
Because it is a HIPPA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S. Department of Health and Human Services about the breach.
Which statement accurately describes SMH's notification responsibilities?

  • A. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.
  • B. If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.
  • C. If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate notification to individuals in the state of New York.
  • D. If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.

Answer: A


NEW QUESTION # 69
In 2011, the FTC announced a settlement with Google regarding its social networking service Google Buzz. The FTC alleged that in the process of launching the service, the company did all of the following EXCEPT?

  • A. Violated its own privacy policies.
  • B. Engaged in deceptive trade practices.
  • C. Failed to employ sufficient security safeguards.
  • D. Failed to comply with Safe Harbor principles.

Answer: C

Explanation:
https://www.ftc.gov/news-events/news/press-releases/2011/03/ftc-charges-deceptive-privacy-practices-googles-rollout-its-buzz-social-network


NEW QUESTION # 70
John, a California resident, receives notification that a major corporation with $500 million in annual revenue has experienced a data breach. John's personal information in their possession has been stolen, including his full name and social security numb. John also learns that the corporation did not have reasonable cybersecurity measures in place to safeguard his personal information.
Which of the following answers most accurately reflects John's ability to pursue a legal claim against the corporation under the California Consumer Privacy Act (CCPA)?

  • A. John has no right to sue the corporation because the CCPA does not address any data breach rights.
  • B. John cannot sue the corporation for the data breach because only the state's Attoney General has authority to file suit under the CCPA.
  • C. John can sue the corporation for the data breach to recover monetary damages suffered as a result of the data breach, and in some circumstances seek statutory damages irrespective of whether he suffered any financial harm.
  • D. John can sue the corporation for the data breach but only to recover monetary damages he actually suffered as a result of the data breach.

Answer: C

Explanation:
California Code, Civil Code Section 1798.150(a)(1))


NEW QUESTION # 71
Under the California Consumer Privacy Act (as amended by the California Pnvacy Rights Act), a consumer may Initiate a civil action against a business for?

  • A. Any personal information that is subject to unauthorized access or disclosure.
  • B. Failure to implement and maintain security practices set out in regulations issued by the California Privacy Protection Agency (CPPA).
  • C. Failure to implement and maintain reasonable security procedures and practices to protect the personal information held.
  • D. A security breach of certain categories of personal information that is nonencrypted and nonredacted

Answer: D

Explanation:
Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), consumers have the right to initiate a civil action if a business fails to adequately protect their personal information and a security breach occurs. This right applies specifically to breaches of certain categories of personal information that are unencrypted and unredacted.
Key Details of CCPA/CPRA Civil Actions:
* Security Breaches:
* A consumer can sue a business if the breach involves personal information such as Social Security numbers, driver's license numbers, or financial account information, provided that the data was unencrypted and unredacted.
* Reasonable Security Practices:
* Businesses are required to implement and maintain reasonable security practices to protect personal information. Failure to do so may expose the business to liability in case of a breach.
* Categories of Data Covered:
* The law specifies that only certain sensitive categories of personal information are actionable under a civil suit.
Explanation of Options:
* A. Any personal information that is subject to unauthorized access or disclosure:This is incorrect.
The civil action is limited to specific sensitive data categories, not all personal information.
* B. A security breach of certain categories of personal information that is nonencrypted and nonredacted:This is correct. Civil actions under the CCPA/CPRA apply to breaches involving specific sensitive data that is not encrypted or redacted.
* C. Failure to implement and maintain reasonable security procedures and practices to protect the personal information held:While this is a requirement under the law, it does not by itself provide grounds for a civil action. A security breach must occur for a consumer to sue.
* D. Failure to implement and maintain security practices set out in regulations issued by the California Privacy Protection Agency (CPPA):This is incorrect. Civil actions are tied to breaches of sensitive data, not a failure to meet specific agency guidelines.
References from CIPP/US Materials:
* CCPA/CPRA (Civil Code § 1798.150): Outlines the private right of action for security breaches involving certain unencrypted and unredacted data.
* IAPP CIPP/US Certification Textbook: Discusses the conditions under which consumers may bring civil actions under the CCPA/CPRA.


NEW QUESTION # 72
Even when dealing with an organization subject to the CCPA, California residents are NOT legally entitled to request that the organization do what?

  • A. Refrain from selling their personal information to third parties.
  • B. Disclose their personal information to them.
  • C. Delete their personal information.
  • D. Correct their personal information.

Answer: B

Explanation:
https://oag.ca.gov/privacy/ccpa


NEW QUESTION # 73
According to the FTC Report of 2012, what is the main goal of Privacy by Design?

  • A. Implementing a system of standardization for privacy notices
  • B. Establishing a system of self-regulatory codes for mobile-related services
  • C. Obtaining consumer consent when collecting sensitive data for certain purposes
  • D. Incorporating privacy protections throughout the development process

Answer: D

Explanation:
Privacy by Design is a concept that the FTC endorsed in its 2012 report on protecting consumer privacy1. It seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice2. It asserts that data held by an organization ultimately belongs to the consumer and organizations should ensure that data subjects are properly informed about how their data is collected and used3. Privacy by Design requires companies to build in consumers' privacy protections at every stage in developing their products, including reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy1. References: 1: FTC Report of 2012, p. 22-23; 2: Global Data Review3; 3: Termly4.


NEW QUESTION # 74
If an organization certified under Privacy Shield wants to transfer personal data to a third party acting as an agent, the organization must ensure the third party does all of the following EXCEPT?

  • A. Enters a contract with the organization that states the third party will process data according to the consent agreement
  • B. Notifies the organization if it can no longer meet its requirements for proper data handling
  • C. Uses the transferred data for limited purposes
  • D. Provides the same level of privacy protection as the organization

Answer: A

Explanation:
According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following1:
* Uses the transferred data only for limited and specified purposes;
* Provides the same level of privacy protection as is required by the Privacy Shield Principles;
* Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles;
* Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
* Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and
* Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.
Therefore, the only option that is not required by the Privacy Shield Framework is D. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual's consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent. The contract must, however, ensure that the agent will process the data in accordance with the individual's choices and expectations, as well as the Privacy Shield Principles2.
References: 1: Privacy Shield Framework3, Section 3 (b); 2: Privacy Shield Framework3, Section 2 (b) and
; 3: Privacy Shield Framework.


NEW QUESTION # 75
U.S. federal laws protect individuals from employment discrimination based on all of the following EXCEPT?

  • A. Marital status.
  • B. Pregnancy.
  • C. Genetic information.
  • D. Age.

Answer: A


NEW QUESTION # 76
Which authority supervises and enforces laws regarding advertising to children via the Internet?

  • A. The Office for Civil Rights
  • B. The Department of Homeland Security
  • C. The Federal Communications Commission
  • D. The Federal Trade Commission

Answer: D

Explanation:
The Federal Trade Commission (FTC) is the primary federal agency that regulates advertising and marketing practices in the United States, including those targeting children via the Internet. The FTC enforces the Children's Online Privacy Protection Act (COPPA), which requires operators of websites and online services directed to children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. The FTC also enforces the FTC Act, which prohibits unfair or deceptive acts or practices in commerce, such as making false or misleading claims in advertising. The FTC has issued guidelines and reports on various aspects of digital advertising to children, such as sponsored content, influencers, data collection, persuasive design, and behavioral marketing. The FTC also hosts workshops and events to examine the impact of digital advertising on children and their ability to distinguish ads from entertainment. References:
* FTC website
* Digital Advertising to Children
* IAPP CIPP/US Study Guide, Chapter 5: Marketing and Privacy, pp. 169-170


NEW QUESTION # 77
SCENARIO
Please use the following to answer the next QUESTION:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A.
HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B.
As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
What is the most effective kind of training CloudHealth could have given its employees to help prevent this type of data breach?

  • A. Training on techniques for identifying phishing attempts
  • B. Training on CloudHealth's HR policy regarding the role of employees involved data breaches
  • C. Training on the difference between confidential and non-public information
  • D. Training on the terms of the contractual agreement with HealthCo

Answer: A


NEW QUESTION # 78
SCENARIO
Please use the following to answer the next QUESTION :
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
Which of the following would be HealthCo's best response to the attorney's discovery request?

  • A. Turn over all of the compromised patient records to the plaintiff's attorney
  • B. Respond with a request for satisfactory assurances such as a qualified protective order
  • C. Reject the request because the HIPAA privacy rule only permits disclosure for payment, treatment or healthcare operations
  • D. Respond with a redacted document only relative to the plaintiff

Answer: B


NEW QUESTION # 79
SCENARIO
Please use the following to answer the next QUESTION
Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S.
and Asia. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.
Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station's network and was able to steal data relating to employees in the company's Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.
The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.
What can Otto do to most effectively minimize the privacy risks involved in using a cloud provider for the HR data?

  • A. Ensure that the cloud provider abides by the contractual requirements by conducting an on-site audit.
  • B. Request that the Board sign off in a written document on the choice of cloud provider.
  • C. Negotiate a Business Associate Agreement with the cloud provider to protect any health-related data employees might share with Filtration Station.
  • D. Obtain express consent from employees for storing the HR data in the cloud and keep a record of the employee consents.

Answer: A

Explanation:
The best way for Otto to minimize the privacy risks involved in using a cloud provider for the HR data is to ensure that the cloud provider abides by the contractual requirements by conducting an on-site audit. This would allow Otto to verify that the cloud provider has implemented adequate security measures, such as encryption, access controls, and backup systems, to protect the HR data from unauthorized access, use, or disclosure. It would also allow Otto to check that the cloud provider is complying with the applicable privacy laws and regulations, such as the CCPA, the APEC Privacy Framework, and the breach notification requirements. By conducting an on-site audit, Otto can identify any gaps or weaknesses in the cloud provider's privacy practices and address them promptly. This would also demonstrate due diligence and accountability on the part of Filtration Station, which could mitigate the legal and reputational consequences of a data breach. References:
* [IAPP CIPP/US Study Guide], Chapter 3: Data Assessments, pp. 77-78.
* IAPP CIPP/US Body of Knowledge, Section III: Government and Court Access to Private-sector Information, Subsection B: Cross-Border Data Transfer, Topic 2: APEC Privacy Framework.
* IAPP CIPP/US Practice Questions, Question 125.


NEW QUESTION # 80
According to Section 5 of the FTC Act, self-regulation primarily involves a company's right to do what?

  • A. Determine which bodies will be involved in adjudication
  • B. Adhere to its industry's code of conduct
  • C. Appeal decisions made against it
  • D. Decide if any enforcement actions are justified

Answer: B

Explanation:
According to Section 5 of the FTC Act, self-regulation primarily involves a company's right to adhere to its industry's code of conduct. Self-regulation is a process by which an industry or a group of companies voluntarily adopts and enforces standards or guidelines to protect consumers and promote fair competition.
The FTC encourages self-regulation as a way to complement its enforcement efforts and address emerging issues in the marketplace. The FTC also monitors self-regulatory programs and may take action against companies that fail to comply with their own codes of conduct or misrepresent their participation in such programs. References:
* Federal Trade Commission Act, Section 5 of
* Self-Regulation | Federal Trade Commission
* [IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 3, page 79


NEW QUESTION # 81
......


Target Audience

This evaluation is designed for data protection officials in the US or those who wish to obtain awareness of how such policies work in the US. The exam, in particular, tests their knowledge and understanding in the field and helps them determine the areas they have to work on. It is also ideal for specialists who want to get the affiliated designation.

 

PDF (New 2025) Actual IAPP CIPP-US Exam Questions: https://www.dumpsactual.com/CIPP-US-actualtests-dumps.html

CIPP-US Exam Dumps, CIPP-US Practice Test Questions: https://drive.google.com/open?id=1T0woGqeuFPsHMdRHIPX9oOWuyur2UdPM