Which of the following accurately describes the purpose of a particular federal enforcement agency?
A. The National Institute of Standards and Technology (NIST) has established mandatory privacy standards that can then be enforced against all for-profit organizations by the Department of Justice (DOJ).
B. The Cybersecurity and Infrastructure Security Agency (CISA) is authorized to bring civil enforcement actions against organizations whose website or other online service fails to adequately secure personal information.
C. The Federal Communications Commission (FCC) regulates privacy practices on the internet and enforces violations relating to websites' posted privacy disclosures.
D. The Federal Trade Commission (FTC) is typically recognized as having the broadest authority under the FTC Act to address unfair or deceptive privacy practices.
Which of the following would best provide a sufficient consumer disclosure under the Fair Credit Reporting Act (FCRA) prior to a consumer report being obtained for employment purposes?
A. A standalone notice document.
B. A notice provision in a mailed offer letter.
C. A notice provision in an electronic employment application.
D. A verbal notice provided with a conditional offer of employment.
SCENARIO
Please use the following to answer the next question:
You are the privacy manager at a privately-owned U.S. company that produces an increasingly popular fitness app called GetFit. After users create an account with their contact information, the app uses a smartphone and a system of connected smartwatch sensors to track users when they exercise. It collects information on location when users walk or run outdoors, as well as general health information (such as heart rate) during all exercise sessions. The app also collects credit card information for payment of the monthly subscription fee.
One Friday, the company's security team contacts you about the discovery of malware on their media server. The team assures you that there was no user data on this server and that, in any case, they found the malware before any damage could be done.
However, on Monday morning the security team contacts you again, this time with the information that they have discovered the same malware on the company's payments server. They suspect it likely that users' credit card information was taken by the attacker. By Monday evening, the situation has gotten dramatically worse, as the security team has also discovered this malware on the company's database server, an infiltration that gives the attacker access to users' profile, health and location information.
After coordinating with the security team, you are asked to meet with senior management and advise them on the company's obligations in connection with the incident. The Chief Financial Officer asks, "If we decide to notify all our users of this incident, are we obligated to provide any of them with a free credit monitoring offer?" The General Counsel wants to know if providing this notice and offer will help the company avoid liability.
Based on the information the security team provides on Monday morning, what is the company's notification obligation?
A. The company does not need to notify anyone since secure credit card information is not subject to breach notification laws.
B. The company does not need to notify anyone since the security team is not completely certain the attacker actually took the credit card information.
C. The company must notify its bank and the card brands under its PCI obligations, and potentially provide notice to individuals and state authorities, depending on state law.
D. The company must report the incident to the U.S. Secret Service since the incident involves financial information, followed by notice to individuals and some state authorities.