Pass the IAPP Certified Information Privacy Professional CIPP-US Questions and answers with CertsForce

 The most likely reason that states have adopted their own data breach notification laws is that many types of organizations are not currently subject to federal laws regarding breaches. As explained in the Data Breach Response: A Guide for Business from the Federal Trade Commission (FTC), certain federal laws govern obligations to report data breaches in particular industries, such as health care, financial services, or telecommunications. However, these laws do not cover all types of businesses or all types of personal information that may be compromised in a data breach. Therefore, states have enacted their own data breach notification laws to fill the gaps and protect the privacy and security of their residents. According to the National Conference of State Legislatures, as of January 2022, all 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. These state laws vary in terms of the definitions of personal information, the triggers for notification, the methods and timing of notification, the exemptions and exceptions, and the penalties and enforcement mechanisms.

References: 1: Data Breach Response: A Guide for Business, Section 2 2: 2022 Security Breach Legislation

 According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following1:

Uses the transferred data only for limited and specified purposes;

Provides the same level of privacy protection as is required by the Privacy Shield Principles;

Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;

Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;

Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and

Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.

Therefore, the only option that is not required by the Privacy Shield Framework is D. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual’s consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent. The contract must, however, ensure that the agent will process the data in accordance with the individual’s choices and expectations, as well as the Privacy Shield Principles2.

References: 1: Privacy Shield Framework3, Section 3 (b); 2: Privacy Shield Framework3, Section 2 (b) and ©; 3: Privacy Shield Framework.

The Fair and Accurate Credit Transactions Act (FACTA) is a U.S. federal law enacted in 2003 that amended the Fair Credit Reporting Act (FCRA). It introduced a variety of provisions designed to combat identity theft and protect consumer information. One of the key consumer protections required by FACTA is the truncation of credit and debit card numbers on receipts to prevent identity theft.

Details of the Truncation Requirement:

FACTA Section 113 (15 U.S.C. § 1681c(g)):Retailers are prohibited from printing more than the last five digits of a credit or debit card number on electronically generated receipts. Additionally, the card’s expiration date must also be excluded.

This requirement applies to point-of-sale and other electronically printed receipts and aims to reduce the risk of credit card fraud and identity theft.

Explanation of Options:

A. The ability to correct inaccurate credit report information:This right is protected under the Fair Credit Reporting Act (FCRA), not FACTA specifically.

B. The truncation of account numbers on credit card receipts:This is correct, as it is one of the most notable protections introduced by FACTA to prevent identity theft.

C. The right to request removal from email lists:This right is not provided under FACTA but may be addressed by other laws, such as the CAN-SPAM Act.

D. The issuing of notice when third-party data is used in an adverse decision:This requirement is a provision of the FCRA, not FACTA.

References from CIPP/US Materials:

FACTA Section 113 (15 U.S.C. § 1681c(g)): Details the truncation requirements for credit and debit card receipts.

IAPP CIPP/US Certification Textbook: Highlights FACTA’s measures to protect consumer financial information and prevent identity theft.

Under the Gramm-Leach-Bliley Act (GLBA), financial institutions are required to provide their customers with an annual privacy notice that explains how they collect, share, and protect customers' personal information. However, the GLBA Privacy Rule (16 CFR Part 313) was amended by the Fixing America’s Surface Transportation Act (FAST Act) in 2015, which introduced an exception to this requirement.

According to the FAST Act, financial institutions are not required to provide annual privacy notices if they meet two conditions:

No changes have been made to their privacy policy or practices since the last notice was sent to customers.

The financial institution does not share customers’ nonpublic personal information with nonaffiliated third parties in a way that triggers an opt-out requirement under GLBA.

Explanation of Options:

A. An insurance company that has no privacy department: This is irrelevant. The requirement to provide privacy notices depends on whether the organization falls under GLBA's definition of a "financial institution" and their compliance with privacy practices, not on the presence of a privacy department.

B. An auction house that also acts as a financial institution: If the auction house qualifies as a financial institution under GLBA (e.g., if it arranges financing), it would still need to comply with GLBA privacy requirements, including issuing annual privacy notices unless it qualifies for the exception.

C. A credit union that has made changes to its privacy notice from last year: If any changes are made to the privacy policy, the credit union must issue an updated privacy notice to its customers.

D. A credit union that has not made changes to its privacy notice from last year: This is the correct answer. If the credit union has not made any changes to its privacy notice and meets the FAST Act exception criteria (outlined above), it is not required to issue an annual privacy notice.

References from CIPP/US Materials:

GLBA Privacy Rule (16 CFR Part 313): This rule outlines the requirements for financial institutions to provide privacy notices.

FAST Act (2015) Amendment to GLBA Privacy Rule: This amendment introduced exceptions to the annual notice requirement for institutions that meet specific criteria.

IAPP CIPP/US Certification Textbook: Details the conditions under which GLBA exceptions apply and describes how the FAST Act impacted annual privacy notice requirements.

A cure provision in state data privacy laws gives businesses an opportunity to remediate violations of the law within a specified timeframe after receiving notice of the alleged violation. This provision is intended to promote compliance rather than immediately imposing penalties or enforcement actions.

Key Aspects of Cure Provisions:

Notice and Cure Period:

Businesses are given a timeframe (e.g., 30 days) to address the alleged violation before formal enforcement actions are taken by state authorities.

Encouraging Compliance:

Cure provisions incentivize businesses to implement corrective actions and ensure compliance without incurring fines or penalties for minor or first-time violations.

State-Specific Examples:

The California Consumer Privacy Act (CCPA) initially included a 30-day cure provision, though it was later limited under the California Privacy Rights Act (CPRA).

Other state laws, such as Virginia’s Consumer Data Protection Act (VCDPA), also include cure provisions.

Explanation of Options:

A. To allow a business a limited timeframe to fix alleged violations before facing enforcement:This is correct. Cure provisions are specifically designed to give businesses an opportunity to address violations before facing enforcement actions.

B. To allow consumers a period of time to discover their data has been mishandled:This describes consumer rights related to data breach notifications, not cure provisions.

C. To allow a state to initiate formal enforcement actions for a fixed time period:Cure provisions delay enforcement actions rather than initiate them.

D. To allow certain provisions of a law to expire after a defined time period:This describes sunset provisions, not cure provisions.

References from CIPP/US Materials:

CCPA and CPRA: Discuss the cure provisions and their role in enforcement.

IAPP CIPP/US Certification Textbook: Highlights the purpose and impact of cure provisions in state privacy laws.

HIPAA requires covered entities to provide a notice of privacy practices (NPP) to individuals who receive health care services from the covered entity. The NPP must describe how the covered entity may use and disclose protected health information (PHI), the individual’s rights with respect to their PHI, and the covered entity’s obligations to protect the privacy of PHI. The NPP must be provided to the individual no later than the date of the first service delivery, either in person or electronically. The covered entity must also make the NPP available on request and post it on its website if it has one. The covered entity must also make a good faith effort to obtain a written acknowledgment from the individual that they received the NPP. If the individual refuses to sign the acknowledgment, the covered entity must document the attempt and the reason for the refusal.

The other options are not sufficient to comply with HIPAA. Stating the privacy policy verbally (option A) does not provide the individual with a written or electronic copy of the NPP that they can keep for future reference. Posting the privacy notice in a prominent location (option B) does not ensure that the individual receives the NPP or has an opportunity to review it before receiving services. Directing patients to the correct area of the hospital website (option C) does not provide the individual with the NPP at the time of service delivery, unless the individual agrees to receive the NPP electronically and has access to the website at that time. References:

Notice of Privacy Practices for Protected Health Information

Model Notices of Privacy Practices

Sample Notice: Availability of Notice of Privacy Practices

Notice of Privacy Practices

Notice of Privacy Practices (NPP) Distribution and Acknowledgement

The Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB) as an independent agency within the Federal Reserve System. The CFPB has the authority to regulate consumer financial products and services, such as mortgages, credit cards, student loans, and payday loans. One of the main objectives of the CFPB is to promote transparency, fairness, and consumer choice in the financial marketplace. The CFPB has issued rules and guidance to require financial institutions to provide clear and accurate information to consumers about the costs, risks, and benefits of their products and services. The CFPB also has the power to enforce consumer protection laws and prohibit unfair, deceptive, or abusive acts or practices by financial institutions123 References: 1: Dodd-Frank Wall Street Reform and Consumer Protection Act, Title X, Subtitle A, Section 1011. 2: Consumer Financial Protection Bureau, Wikipedia. 3: Dodd-Frank Act: What It Does, Major Components, and Criticisms, Investopedia.

The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA) is a federal regulation that requires any person or entity that maintains or possesses consumer information derived from consumer reports to dispose of such information in a secure and proper manner1.

The Disposal Rule aims to protect consumers from identity theft and fraud by preventing unauthorized access to or use of their personal information1.

The Disposal Rule is enforced by several federal agencies, depending on the type and sector of the entity that is subject to the rule1. These agencies include:

The Federal Trade Commission (FTC), which has general authority over most entities that are not specifically regulated by other agencies2.

The Consumer Financial Protection Bureau (CFPB), which has authority over consumer financial products and services, such as banks, credit unions, lenders, debt collectors, and credit reporting agencies3.

The Office of the Comptroller of the Currency (OCC), which has authority over national banks and federal savings associations4.

The Federal Deposit Insurance Corporation (FDIC), which has authority over state-chartered banks that are not members of the Federal Reserve System and state-chartered savings associations5.

The Board of Governors of the Federal Reserve System (FRB), which has authority over state-chartered banks that are members of the Federal Reserve System, bank holding companies, and certain nonbank subsidiaries of bank holding companies.

The National Credit Union Administration (NCUA), which has authority over federally insured credit unions.

The Securities and Exchange Commission (SEC), which has authority over brokers, dealers, investment companies, and investment advisers.

The Commodity Futures Trading Commission (CFTC), which has authority over commodity futures and options markets and intermediaries.

The Department of Health and Human Services (HHS) is NOT one of the federal agencies that enforces the Disposal Rule under FACTA. HHS has authority over health information privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), but not under FACTA.

References: 1: Disposing of Consumer Report Information? Rule Tells How 2: FTC Enforcement 3: CFPB Enforcement 4: OCC Enforcement 5: FDIC Enforcement : [FRB Enforcement] : [NCUA Enforcement] : [SEC Enforcement] : [CFTC Enforcement] : [HHS Enforcement]

Under the California Consumer Privacy Act (CCPA), businesses are required to respond to consumer requests for access, deletion, or information about how their data is processed. However, the responsibilities differ depending on whether the entity is acting as a business or a service provider under the CCPA.

Key CCPA Definitions:

Business:

The entity that determines the purposes and means of processing personal information.

In this scenario, Miraculous Healthcare is the business because it determines how the app and its associated data are used to deliver healthcare services.

Service Provider:

The entity that processes personal information on behalf of the business pursuant to a contractual agreement.

MedApps acts as a service provider because it is hosting and managing the app and the data on behalf of Miraculous Healthcare.

As a service provider, MedApps is restricted in how it can handle consumer data and must follow the instructions of the business (Miraculous Healthcare) for any data-related requests. Therefore, if MedApps receives an access or deletion request from a California-based user, it must forward the request to Miraculous Healthcare, which is responsible for determining how to respond in compliance with the CCPA.

Explanation of Options:

A. MedApps should immediately begin deleting the user's data:This is incorrect because MedApps cannot act independently in responding to access or deletion requests under CCPA. As a service provider, it must follow the instructions of the business (Miraculous Healthcare).

B. MedApps should provide the privacy notice in an easily readable format:This is irrelevant to the question. While providing a privacy notice in a readable format is a CCPA requirement, it does not address how to handle an access request.

C. MedApps should decline the request because MedApps is not based in California:This is incorrect. CCPA applies to businesses and service providers that collect or process personal data of California residents, regardless of whether the entity itself is physically located in California.

D. MedApps should promptly forward the request to Miraculous for instructions on handling:This is correct. Under CCPA, service providers are required to cooperate with the business and must forward consumer requests to the business for guidance and action. MedApps’ role as a service provider obligates it to defer to Miraculous Healthcare's instructions.

Relevant References from CIPP/US Materials:

CCPA Section 1798.140(v): Defines a service provider and outlines its obligations to process personal information only on behalf of the business and in accordance with contractual terms.

CCPA Section 1798.105(c): States that service providers are not required to delete personal information unless instructed to do so by the business.

IAPP CIPP/US Certification Textbook: Discusses the roles of businesses and service providers under the CCPA and their respective responsibilities regarding consumer requests.

Practical Considerations:

Riya, as the Privacy Officer at Miraculous Healthcare, should ensure that the Business Associate Agreement (BAA) and any CCPA-specific contract provisions with MedApps clearly define:

The process for handling consumer requests under CCPA.

The requirement for MedApps to promptly notify and defer to Miraculous Healthcare for any such requests.

Conclusion:

MedApps, as a service provider, is not authorized to respond to CCPA access or deletion requests independently. It must forward the request to Miraculous Healthcare for instructions.

 The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law that protects the privacy of student education records. FERPA grants parents or eligible students the right to access, amend, and control the disclosure of their education records, with some exceptions. Schools must obtain written consent from the parent or eligible student before disclosing any personally identifiable information from the education records, unless an exception applies123

Option A violates FERPA because it involves the disclosure of a student’s personally identifiable information (PII) from the education records without consent. A student’s signed essay about her hometown is considered an education record under FERPA, as it is directly related to the student and maintained by the school12 A K-12 assessment vendor is not a school official with a legitimate educational interest, nor does it fall under any of the exceptions that allow disclosure without consent12 Therefore, the school must obtain the student’s (or the parent’s, if the student is a minor) written consent before providing the essay to the vendor for public release.

Option B does not violate FERPA because it involves the disclosure of directory information, which is not considered PII under FERPA. Directory information is information that would not generally be considered harmful or an invasion of privacy if disclosed, such as name, address, phone number, e-mail address, major, etc12 Schools may disclose directory information without consent, unless the parent or eligible student has opted out of such disclosure12 However, schools must notify parents and eligible students of the types of directory information they designate and their right to opt out annually12

Option C does not violate FERPA because it involves the disclosure of information that is not part of the education records. FERPA only applies to education records that are directly related to a student and maintained by the school or a party acting for the school12 A newspaper’s publication of the names, grade levels, and hometowns of students who made the quarterly honor roll is not based on the education records, but on the newspaper’s own sources and reporting. Therefore, FERPA does not prohibit such disclosure.

Option D does not violate FERPA because it involves the disclosure of information under an exception that allows disclosure without consent. FERPA permits schools to disclose education records, or PII from education records, without consent to comply with a judicial order or lawfully issued subpoena, or to appropriate officials in connection with a health or safety emergency123 If the university police provide an arrest report to the student’s hometown police in response to a subpoena or to prevent a serious threat to the student or others, they are not violating FERPA.

References: 1: Family Educational Rights and Privacy Act - Wikipedia 2: Family Educational Rights and Privacy Act (FERPA) | CDC 3: What is FERPA? | Protecting Student Privacy - ed