SCENARIO

Please use the following to answer the next question:

Light Blue Health (LBH) is a healthcare technology company developing a new web and mobile application that collects personal health information from electronic patient health records. The application will use machine learning to recommend potential medical treatments and medications based on information collected from anonymized electronic health records. Patient users may also share health data collected from other mobile apps with the LBH app.

The application requires consent from the patient before importing electronic health records into the application and sharing it with their authorized physicians or healthcare provider. The patient can then review and share the recommended treatments with their physicians securely through the app. The patient user may also share location data and upload photos in the app. The patient user may also share location data and upload photos in the app for a healthcare provider to review along with the health record. The patient may also delegate access to the app.

LBH's privacy team meets with the Application development and Security teams, as well as key business stakeholders on a periodic basis. LBH also implements Privacy by Design (PbD) into the application development process.

The Privacy Team is conducting a Privacy Impact Assessment (PIA) to evaluate privacy risks during development of the application. The team must assess whether the application is collecting descriptive, demographic or any other user related data from the electronic health records that are not needed for the purposes of the application. The team is also reviewing whether the application may collect additional personal data for purposes for which the user did not provide consent.

The Privacy Team is conducting a Privacy Impact Assessment (PIA) for the new Light Blue Health application currently in development. Which of the following best describes a risk that is likely to result in a privacy breach?

A. Limiting access to the app to authorized personnel.

B. Including non-transparent policies, terms and conditions in the app.

C. Insufficiently deleting personal data after an account reaches its retention period.

D. Not encrypting the health record when it is transferred to the Light Blue Health servers.

Which of the following is an example of the privacy risks associated with the Internet of Things (loT)?

A. A group of hackers infiltrate a power grid and cause a major blackout.

B. An insurance company raises a person's rates based on driving habits gathered from a connected car.

C. A website stores a cookie on a user's hard drive so the website can recognize the user on subsequent visits.

D. A water district fines an individual after a meter reading reveals excess water use during drought conditions.

Which activity should the privacy technologist undertake to reduce potential privacy risk when evaluating options to process data in a country other than where it would be collected? ^

A. Review the Data Life Cycle.

B. Review data retention policies.

C. Create enterprise data flow diagrams.

D. Recommend controls for data transfers.

SCENARIO

You have just been hired by Ancillary.com, a seller of accessories for everything under the sun, including waterproof stickers for pool floats and decorative bands and cases for sunglasses. The company sells cell phone cases, e-cigarette cases, wine spouts, hanging air fresheners for homes and automobiles, book ends, kitchen implements, visors and shields for computer screens, passport holders, gardening tools and lawn ornaments, and catalogs full of health and beauty products. The list seems endless. As the CEO likes to say, Ancillary offers, without doubt, the widest assortment of low-price consumer products from a single company anywhere.

Ancillary's operations are similarly diverse. The company originated with a team of sales consultants selling home and beauty products at small parties in the homes of customers, and this base business is still thriving. However, the company now sells online through retail sites designated for industries and demographics, sites such as "My Cool Ride" for automobile-related products or "Zoomer" for gear aimed toward young adults. The company organization includes a plethora of divisions, units and outrigger operations, as Ancillary has been built along a decentered model rewarding individual initiative and flexibility, while also acquiring key assets. The retail sites seem to all function differently, and you wonder about their compliance with regulations and industry standards. Providing tech support to these sites is also a challenge, partly due to a variety of logins and authentication protocols. You have been asked to lead three important new projects at Ancillary:

The first is the personal data management and security component of a multi-faceted initiative to unify the company's culture. For this project, you are considering using a series of third- party servers to provide company data and approved applications to employees.

The second project involves providing point of sales technology for the home sales force, allowing them to move beyond paper checks and manual credit card imprinting.

Finally, you are charged with developing privacy protections for a single web store housing all the company's product lines as well as products from affiliates. This new omnibus site will be known, aptly, as "Under the Sun." The Director of Marketing wants the site not only to sell Ancillary's products, but to link to additional products from other retailers through paid advertisements. You need to brief the executive team of security concerns posed by this approach.

What technology is under consideration in the first project in this scenario?

A. Server driven controls.

B. Cloud computing

C. Data on demand

D. MAC filtering

Which of the following best describes the basic concept of "Privacy by Design?"

A. The adoption of privacy enhancing technologies.

B. The integration of a privacy program with all lines of business.

C. The implementation of privacy protection through system architecture.

D. The introduction of business process to identify and assess privacy gaps.

An organization must terminate their cloud vendor agreement immediately. What is the most secure way to delete the encrypted data stored in the cloud?

A. Transfer the data to another location.

B. Invoke the appropriate deletion clause in the cloud terms and conditions.

C. Obtain a destruction certificate from the cloud vendor.

D. Destroy all encryption keys associated with the data.

What privacy risk is NOT mitigated by the use of encrypted computation to target and serve online ads?

A. The ad being served to the user may not be relevant.

B. The user's sensitive personal information is used to display targeted ads.

C. The personal information used to target ads can be discerned by the server.

D. The user's information can be leaked to an advertiser through weak de-identification techniques.

A healthcare provider would like to data mine information for research purposes however the Chief Privacy Officer is concerned medical data of individuals may be disclosed overcome the concern, which is the preferred technique for protecting such data while still allowing for analysis?

A. Access Control

B. Encryption

C. Isolation

D. Perturbation

When releasing aggregates, what must be performed to magnitude data to ensure privacy?

A. Value swapping.

B. Noise addition.

C. Basic rounding.

D. Top coding.

All of the following can be indications of a ransomware attack EXCEPT?

A. The inability to access certain files.

B. An increased amount of spam email in an individual's inbox.

C. An increase in activity of the CPU of a computer for no apparent reason.

D. The detection of suspicious network communications between the ransomware and the attacker's command and control servers.