Exam 5

27. What is the main purpose of the Fair Credit Reporting Act ("FCRA")? A. Enable data reporters to efficiently report valid debts on a consumer's credit report B. Allow employers to quickly access financial data of their employees C. Increase the ability of the government to access consumer reports of suspected criminals D. Increase the accuracy and fairness of credit reporting and limit the use of consumer reports to permissible purposes

ANS WER: D. The FCRA was originally enacted in 1970 and more recently was updated by the Fair and Accurate Credit Transactions Act of 2003 ("FACTA") . The FCRA applies to consumer reporting agencies (" CRAs"), such as Experian, TransUnion, and Equifax, and to users of consumer reports. The main purpose of the FCRA was to increase the accuracy and fairness of credit reporting and limit the use of consumer reports to permissible purposes, such as for employment reasons and the underwriting of insur ance.

22. Whi ch of the following states have a data breach notificat ion law that mandates the notice contain the approximate date of the breach? A. Massa chusetts B. Califor nia C. Oregon D. New York

ANSW ER: C. Oregon Rev. Stat. § 646A.604 requires that notice of a data breach include (1) a description of the incident in general terms; (2) the approximate date of the breach of security; (3) the type of personal infor mat ion obtained as a result of the breach of security; (4) contact information of the person responsible for the breach; (5) contact information for national consumer reporting agencies; and (6) advice to the consumer to report suspected identity theft to law enforcement and the Federal Trade Commission (" FTC").

100. What are the primary mechanisms for financial institutions to comply with the Bank Secrecy Act? A. Currency Transaction Reports and Suspicious Activity Reports B. Currency Transaction Reports and Com pliance Audits C. Compliance Audits Suspic ious Act ivity Reports D. Information Security Aud its and Compliance Reports

ANSWER : A. The Bank Secrecy Act of 1970, also known as the Currency and Foreign Transactions Reporting Act , requires financial institutions in the Uni ted States to assist government agencies to detect and prevent money laundering. Specifically, the act requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash purchases of these negotiable instruments of more than $10,000 (daily aggregate amount), and report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. Cur rency Transact ion Reports ("CTRs") and Suspicious Activity Reports (" SARs") are the primary means used by banks to satisfy the requirements of the BSA.

92. When may the government right full y seize work product materials from a journalist? A. When there is reason to believe that the seizure of the materials may prevent harm B. When there is probable cause to believe that the journalist has committed a criminal offense to which the materials relate C. When the source of the materials has provided consent D. Never; the work product of a journalist is unconditionally protected

ANSWER : B. The Privacy Protection Act ("PPA") was enacted in 1980 to protect journalists and newsrooms from searches by government officials. The PPA provides two general exceptions to its protections: (1) when there is probable cause to believe that the person possessing such materials has com mitted or is committing the criminal offense to which the materials relat e and (2) there is reason to believe that the immediate seizure of such materials is necessary to prevent the death of, or serious bodily injury to, a human being. General notions of "harm" are not enough. The exception requires serious bodily injury or death.

33. Which of the following statements accur at ely describe Nat ional Security Letters (" NSLs")? A. The y may only be issued by offi cials in FBI headquart ers B. They may only request info rmation pertaining to a foreign power or the agent of a foreign power C. The y do not require prior judicial aut hor izat ion D. They may not contain nondisclosure provisions prohibiting the recipient from disclosing the contents of the letter

ANSWER : C. A national security letter ("NSL") is an administrat ive subpoena issued by the Federal Bureau of I nvestigat ion (" FBI ") in an aut hor ized national securit y investigat ion " to protect again st int ernational terrorism or clandestine intelligence activities." The USA PATR I OT Act made several change s t o NSL pract ice, including ( 1) expanding issuing authority beyond FBI headquarter officials to include the heads of the FBI field offices, also known as Special Agents in Charg e (" SACs"); ( 2) eliminated the requirement that t he record informat ion sought pertain to a for eign power or the agent of a foreign power; (3) required instead that the NSL request be relevant to an investigat ion to protect against international terrorism or foreign spying; and ( 4) added the caveat that no such investigation of an American can be predicated exclusively on First Amendment-protected act ivit ies. The FBI may issue NSLs without obtaining prior judicial authorization. NSLs may also contain a nondisclosure provision preventing the recipient from revealing the contents of the NSL or even that fact that it was received. The nondisclosure provision is intended to prevent the recipient of an NSL from compromising an FBI invest igat ion.

65. Which of the followi ng are types of risk associated wit h the improper use of personal informat ion? A. Stat ut ory risk and environm ent al risk B. Legal risk an d implicit risk C. Legal ris k and reputational risk D. I nvestm ent risk and inherent risk

ANSWER : C. There are many benefits and risks associat ed with using personal information at an organ izat ion. An obvious benefit is the ability to creat e a more personalized experience for your users. For example, an online dating website may use personal information to help match its users based on age, gender, and personal preferences. There are four prim ary types of risk associated with the use of personal information. They are (1) legal risk, (2) operationaI risk, (3) reputationaI risk, and (4) investment risk.

White House proposed consumer privacy bill of rights

1. Individual control 2. Transparency 3. Respect for context 4. Security 5. Access and accuracy 6. Focused Collection 7. Accountability

93. What standard must be satisfied before the government may install a pen register on a telephone line for surveillance purposes? A. The information likely to be obtained is relevant to an ongoing crim inal investigation B. Probable cause exists that the person using the line has committed a crime C. Specific and articulable facts justifying the use of the pen register D. The use of a pen register does not constitute a search and therefore may be freely installed by the government

ANSWER: A. A pen register is a device which records or decodes electronic or other impulses which identify the numbers called or otherwise transmitted on the telephone line to which such device is installed. While a pen register records only outgoing phone numbers dialled, a " t rap and trace" device logs incoming phone numbers. If a court finds that the attorney for the government has adequately certified to the court that the information likely to be obtained by installation of a pen register or trap and trace device is relevant to an ongoing criminal investigation, the court shall enter an order authorizing the installation and use of the device.

21. In accordance with the Bank Secrecy Act, under which circum stance must a financial institution file a suspicious activity report? A. When the bank detects a suspicious transaction of $25,000 even if the bank does not know the identity of the perpetrator B. For all transactions over $10,000 C. For all transactions over $5,000 D. When the bank detects a suspicious cash transaction of $1,000 coupled with a credit transaction of $3,000

ANSWER: A. The Bank Secrecy Act of 1970, also known as the Currency and Foreign Transactions Reporting Act, requires financial institutions in the United States to assist government agencies to detect and prevent money laundering. Specifically, the Act requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash purchases of these negotiable instruments of more than $10,000 (daily aggregate amount), and report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. Currency Transaction Reports ("CTRs") and Suspicious Activity Reports ("SARs") are the primary means used by banks to satisfy the requirements of the BSA. A SAR must be filed when a bank detects a suspicious transaction of $25,000 or more even if the identity of the perpetrator is unknown. A SAR must also be filed when a bank detects a suspicious currency transaction of $5,000 or more.

43. Common law is derived from which of the followin g? A. Statutes created by the legislat ure B. The United States Const it ution C. Societal customs and expectations D. Executive orders

ANSWER: C. Common law is developed by judges through decisions of courts (caIled " case law"), as opposed to statutes adopted through the legislative process or regulat ions issued by the executive branch. Common law is based on societal customs and expectations.

7. The FederaI Trade Commission (" FTC") was originally founded to enforce which body of law? A. Employee privacy B. Antitrust C. Tax and banking D. International trade

ANSWER: B. The FTC was created on September 26, 1914, when President Woodrow Wilson signed the Federal Trade Com mission Act into law. The FTC opened its doors on March 16, 1915. The FTC's original mission was to enforce the rules of a competitive marketplace (that is, antitrust law). Ant it r ust law promotes competition and protects consumers from anticompetitive mergers and business pract ices.

34. Which of the following is NOT a source of American law? A. Regulatory bodies B. Legislature C. Common law D. Court decisions

ANSWER: C. In the United States, law is derived from vario us sources. The legislature (that is, Congress) creates statutory law. Regulatory bodies and administrative agencies, such as the Federal Trade Commission ("FTC") and Federal Communication Commission ("FCC"), create administrative law. Court decision s are the basis of common law (also sometimes referred to as "case law ") . Therefore, regulatory bodies, the legislature, and court decisions are all primary sources of Am erican law. Common law, on the other hand, is a type of law and not a source of law. Common law is the class of law develop ed by judges through decisions of courts and similar tribunals, as opposed to statutes adopted through the legislative process or regulations issued by the executive branch.

3. In accordance with the Family Educational Rights and Privacy Act ("FERPA"), a school must provide parents or eligible students with their educational records within how many days of a request for the records? A. 10 days B. 30 days C. 45 days D. 90 days

ANSWER: C. Under FERPA, a school must provide a parent or eligible student with an opportunity to inspect and review the student's education records within 45 days following receipt of a request by the parent or eligible student.

59. Which of the following in a statute enables an individual to directly bring a lawsuit against a person who violates the statute? A. Private right of action B. Confi den t iality provision C. Preemption clause D. Indemnity provision

ANSWER: A. A privat e right of action is a clause in a statute that expressly permits a private party or individual to bring a lawsuit against a person who violates the statute and causes harm to the privat e party.

85. How promptly must businesses that send unsolicited commercial emails process opt-out requests received from consumers? A. 7 days B. 10 days C. 30 days D. 45 days

ANSWER: B. In accordance with the CAN-SPAM Act, businesses must honor a recipient's opt-out request within 10 business days. Businesses are not allowed to charge a fee, require the recipient give any personally id entifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an I nternet website as a condition for honoring an opt-out request. In addition, businesses must continue to process opt-out requests for at least 30 days after transm ission of a commercial message.

96. Which of the following should be redacted from a document before it is filed with a federal court? A. All but the last four digits of a Social Security or taxpayer-identification number B. All financial accounts numbers C. A minor's initials D. The date of birth of a party

ANSWER: A. Rule 5.2 of the Federal Rules of Civil Procedure states that both electronic and paper filings made with the court should only include ( 1) the last four digits of the Social Security number and taxpayer-identification number; (2) the year of the individual 's birth; (3) a minor's initials; and (4) the last four digits of a financial account number. Therefore, a party should redact all but the last four digits of a Social Security or taxpayer-identification number from a document before it is filed with a federal court.

The FTC announced five priority ares for attention?

1. Do Not Track. The FTC has encouraged industry to create a mechanism for consumers to signal if they do not wish to be tracked for online behavioral advertising purposes. 2.Mobile. The FTC encourages greater self-regulation in the swiftly evolving area of location and other mobile-related services. 3. Data brokers. The FTC supports targeted legislation to provide consumers with access to information held about them by data brokers who are not already covered by the Fair Credit Reporting Act. 4. Large Platform Providers. The FTC is examining special issues raised by very large online companies that may do what the FTC calls "comprehensive" tracking. 5. Promotions enforceable self-regulatory codes. The FTC will work with multi-stakeholder processes that are being facilitated by the DoCommerce

FTC report emphasized 3 areas:

1. Privacy by Design - privacy becomes an ubiquitous principle across the organization. 2. Simplified consumer choice - clarified if and when companies need to obtain expressed choice. 3. Transparency - privacy notice should be clear, succinct and standardized.

84. The CAN-SPAM Act applies to what type of electronic messages? A. Where the secondary purpose of the message is transactional B. Where the secondary purpose of the message is commercial C. Where the primary purpose of the message is transactionaI D. Where the primary purpose of the message is commercial

ANSWER : D. Despite its name, the CAN-SPAM Act doesn't apply just to bulk email. It covers all commercial messages, which the law defines as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service," including email that promotes content on commercial websites.

90. The California Online Privacy Protection Act (" CalOPPA " ) was amended in 2013 to address what issue? A. Online tracking B. Social networking C. Unsolicited commercial email D. Credit card fraud

ANSWER: A. CalOPPA was the first law in the nation to require operat ors of commercial web sites and online services to post a privacy policy. CalOPPA applies to operat ors of commercial web sites and online services that collect personally identifiable informat io n about Califor nians. It requires them to say what they do and do what they say (that is, to conspicuously post a privacy policy and to comply with it). The Act was amended in 2013 to address the issue of online tracking (that is, the collection of personal information about consumers as they move acros s web sites and online services).

68. Wha t was the original purpose of the Health I nsurance Portability and Accountability Act (" HI PAA")? A. To improve the efficiency and effectiveness of the health care system B. To mandate affordable healthcare for all citizens of the United States C. To protect sensitive health informat ion D. To prevent pharmaceutical companies from char ging unfair prices for lifesaving medication

ANSWER: A. HIPAA was originally enacted to improve the efficiency and effectiveness of the health care system. Speci fically, HIPAA included Administrative Sim plificat ion provisions that required the U.S. Department of Health and Human Services ("HHS") to adopt national standards for electronic health care transa ctions and medical data code sets, unique health identifiers, and security. At the same time, Congr ess recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of federal privacy protections for individually identifiable healt h information.

5. In accordance with the Family Educational Rights and Privacy Act ("FERPA"), which of the following records does· NOT constitute educational records? A. Campus police records B. School employment records C. School discipline records D. Educational transcripts

ANSWER: A. In 1992, FERPA was amended to exempt from the definition of educational records those records maintained by a law enforcement unit of the educational agency or institution. Educational records are defined in FERPA as "those records, files, documents, and other materials which (i) contain information directly related to a student and (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution." School employment records, disciplinary records, and education transcripts are all forms of " educat iona l records" under FERPA. Campus police records are not educational records under FERPA.

14. If an infor mat ion technology auditor working on behalf of a hospital inadvertently loses the unencrypted medical billing records of 400 individuals, what type of notification is NOT required? A. The hospital must provide notice to prominent media outlets serving the state or jurisdiction B. The hospital or auditor must provide individual notice to the affected individuals C. The hospital must notify the Secretary of the Department of Health and Human Services ("HHS") D. The auditor must notify the hospital following discovery of the breach

ANSWER: A. In accordance with the Health Information Technology for Economic and Clinical Health ("HITECH") Act, a covered entity or its business associates must provide individual notification following a breach of unsecured protected health information. A " business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Therefore, an information technology auditor working on behalf of a medical billing company is a business associate of the medical billing company. Notice to the media is only required for breaches affecting more than 500 residents of a state or jurisdiction. With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notice to the business associate. The covered entity and business associate should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the affected individuals.

35 . The Com munications Assistance for Law Enf orcement Act ("CALEA") requires telecommunication providers to do which of the following ? A. Design their equipment and services to enable law enforcem ent officials to conduct electronic sur veilla nce B. Moni tor their customers for suspicious activity C. Report suspiciou s activity to law enforcement D. Protect children under the age of 13 by prohibiting users from co llect ing personal information related to children

ANSWER: A. In response to concerns that emerging technologies, such as digital .and wireless communic at ions, were making it increasingly difficult for law enforcement agencies to execute authorized sur vei llance, Congress enacted the Communications Assistance for Law Enforcement Act ("CALEA") in 1994. CALEA requires telecommunications carriers to ensure that their equipment, facilities, and services are designed so that enforcement officials can conduct electronic sur veillance pursuant to a court order or other lawfuI authorization.

76. When enforcing the Gramm-Leach-Bliley Act (" GLBA" ) , how does the FTC interpret the term " financial instit ution" ? A. A business that is significantly engaged in financial activities B. A lender regulated by federal banking laws C. A bank operating in the United States D. A business whose main function is to lend money

ANSWER: A. In the GLBA, "financial institution" is defined as "any institution the business of which is engaging in financial activities." The FTC, however, interprets the term to only cover businesses "significantly engaged" in financial activities. Examples of such businesses include mortgage lenders, loan brokers, and check-cashing businesses.

2. Which of the following may be classified as an unfair trade practice by the Federal Trade Commission ("FTC")? A. A website's privacy notice clearly states that it will not encrypt sensitive personal information, and the website does not, in fact, encrypt the data B. An organization promises to honor opt-out requests within 10 days but fails to honor opt-out requests C. A rogue employee steals credit card information even though the organization took reasonable precautions to protect the credit card information D. A federally insured bank does not comply with a regulation prohibiting the bank from revealing information about its customers

ANSWER: A. Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce." Answer A is an example of an unfair trade practice because the website is not being deceptive, but the potential harm caused by the website's failure to encrypt sensitive data clearly outweighs the cost of providing encryption (a commonplace and inexpensive security control). Answer B is an example of a deceptive trade practice. When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement act ion to make sure that companies live up to these promises. A violation of a promise made in a privacy notice is an example of a deceptive trade practice. Answer C would not be an unfair trade practice because the organization has implemented reasonable security measures, and the employee simply committed a crime, which is generally considered an unforeseeable event. Answer D is incorrect because the FTC does not have jurisdiction over banks and common carriers, which are under the supervision of other governmental agencies.

61. Which of the following is arguably the most important law protecting privacy in the United States because of its broad scope? A. Section 5 of the FTC Act B. Childr en's Online Privacy Protection Act ("COPPA") C. Foreign Intelligence Surveillance Act (" FISA") D. Communications Assistance for Law Enforcement Act ("CALEA")

ANSWER: A. Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce." It is a law that applies to a broad range of cir cumstances and affords the FTC broad discretion to enforce privacy rights. The other laws listed are quite specific and limited to protecting privacy in specific circumstances.

6. Which agency is primarily responsible for prot ecting employee privacy in the United States? A. Federal Trade Commission ("FTC") B. Federal Communications Commission ("FCC") C. Federal Bureau of Investigation ("FBI") D. Office of Supervisory Jurisdiction ("OSJ")

ANSWER: A. The FTC is the agency primarily responsible for employee privacy in the United Stat es. The FTC regulates unfair and deceptive commercial trade practices, as well as other laws protecting employee privacy, including the Fair Credit Reporting Act ("FCRA"), which regulates an employer's ability to obtain consumer reports for employment purposes. Other agencies responsible for employee privacy include the U.S. Equal Employment Opportunity Commission ("EEOC"), the Consumer Financial Protection Bureau ("CFPB"), and the National Labor Relations Board ("NLRB").

56. The FTC rece ntly classified which of the following activities as a deceptive trade practice? A. A patent assertion entity sending letters with misrepresentations to thousands of small businesses stating that they were infringing patents related to digital copiers B. A used car salesman making verbal misrepresentations about the quality of a car he was selling C. A postal carrier intentionally delivering mail to the wrong address D. A bank failing to insure all cash deposits

ANSWER: A. The FTC recently filed a complaint against a patent assertion entity that bought patents relating to digital copiers and then sent letters with misrepresentations to thousands of small businesses stating that they were infringing the patent and should purchase a patent license. The consent order agreed to by the patent assertion entity required it to refrain from making certain deceptive representations when asserting patent rights, such as false or unsubstantiated representations that a patent has been licensed in substantial numbers or has been licensed at particular prices. It also prohibited misrepresentations that a lawsuit will be initiated and about the imminence of such a lawsuit.

44. Which of the following agencies does NOT presently have the power to issue regulations related to consumer privacy? A. Office of the Comptroller of Currency ("OCC") B. Federal Trade Commission ("FTC") C. Consumer Financial Protection Board (" CFPB") D. Federal Communication Commission ("FCC")

ANSWER: A. The OCC charters, regulates, and supervises all national banks and federal savings associations, as well as federal branches and agencies of foreign banks. The OCC is an independent bureau of the U.S. Department of the Treasury. On July 21, 2011, the ace removed all regulations relating to privacy of consumer financial information and transferred its rulemaking authority in this area to the Consumer Financial Protection Bureau ("CFPB") pursuant to Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act.

63. Which of the following is an example of a self- regulatory organization? A. PCI Security Standards Coun cil B. Office of the Comptroller of the Currency C. Office of Thrilt Supervision D. The Nationa l Credit Union Adm inistrat ion

ANSWER: A. The PCI Security Standards Council is the organization responsible for the development, management, education, and awareness of the PCI Secur ity Standards, including the Data Security Standard (" PCI DSS"). The Council therefore acts as a self-regulatory organizat ion for the payment card processing industry. The Council's five founding global payment brands - American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. - have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. The PCI DSS was developed to encourage and enhance cardh older data security and facilit at e the broad adoption of consistent data security measures globally. PCI DSS app lies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.

89. Violations of the Children's Online Privacy Protection Act ("COPPA") may result in a civil fine of how much per violation? A. $1,000 B. $10,000 C. $16,000 D. $100,000

ANSWER: C. A court can hold operators who violate COPPA liable for civil penalties of up to $16,000 per violation. The amount of civil penalties a court ass esses depends on a number of factors, including the egregiousness of the violat ion s, whether the operator has previously violated the Rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company.

12. Which of the following is required of the pharmacy by the Health Insurance Portability and Accountability Act ("HIPAA")? A. The pharmacy must have a notice on its website informing customers about how they may file a complaint with the Office for Civil Rights ("OCR") at the Department of Health and Human Services ("HHS") B. The pharmacy must encrypt all protected health information C. The pharmacy must notify Katie within 10 business days of the data breach D. The pharmacy must report the data breach to secretary of the HHS within 60 days of discovery of the breach

ANSWER: A. The pharmacy is a covered entity, and a covered entity must prominently post and make ava ilab le its notice on any website it maintains that provides information about its customer services or benefits. HIPAA complaints should be lodged with the Off ice for Civil Rights at the Department of Health and Human Services. The pharmacy must also notify Katie of the breach. This individual notificat ion must be provided without unreasonable delay and in no case later than 60 days following the discover y of the breach and must include, to the extent possible, (1) a brief descript ion of the breach, (2) a description of the types of information that were involved in the breach, (3) the steps affected individuals should take to protect them selves from potential harm, (4) a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, and (5) contact information for the pharmacy. Covered ent it ies that experience a breach affecting more than 500 residents of a state or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the state or jurisdiction. In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of HSS regardless of the size of the breach. If the breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following the breach. If, however, a breach affects fewer than 500 individuals, as occurred with Katie's insurance identification card, the covered entity only needs to notify the Secretary of such breaches on an annual basis.

28. What is the basic rule for processing protected healt h inform at ion under the Health Insurance Portability and Accountability Act ("HIPAA")? A. Patients must opt in before their protected health inform at ion is shared with other organizations unless the purpose is for treatment, payment, or healthcare operations B. Patients must opt out to prevent their protected health information from being shared with other organizations unless the purpose is for treatment, payment, or healthcare operations C. Processing of protected health informat ion is prohibited for all purposes without opt-in consent D. Processing of protected health information is prohibited for all purposes without opt -out consent

ANSWER: A. Under HIPAA's Pr ivacy Rule, covered entities may disclose protected heath information ("PHI ") to facilitate treatment, payment, or health care operations without a patient's express written authorization. Any other disclosure of PHI requires the covered entity to obtain written authorization from the data subject for the disclosure (that is, opt-in consent). In addit ion, when a covered entity discloses PHI, it must also make reasonable efforts to disclose only the minimum information necessary to achieve its purpose.

31. Which of the following strategies will prevent a com pany fr om having to notify residents of a data breach involving personal information? A. Encrypt all personal informat ion, including sensitive personal information B. Ensure that al l personal informat ion is protected by adequate safeguards C. Use a firewall to protect all personal informat ion D. Purge all personal information after one year

ANSWER: A. Virt ually all state security breach notifi cation laws exempt encrypted personal information. Therefore, if a company encrypts all personal information, it will not have to notify resident s even if there is a security breach. Although the other strategies may help reduce an organization's risk of a security breach, if a breach of unencrypt ed personal information does occur, the organization will st il l be required to notify the affected residents.

36. When interviewing an applicant for an open position, an organization may ask which of the following questions without violating antidiscrim inat ion laws? A. If the applicant is currently using illegal drugs B. If the applicant was born in the United States C. If there are any religious holidays that the candidate will need to take off from work if hired D. If the applicant is married

ANSWER: A. When conducting employment interviews, organizations should refrain from asking questions that may reveal whether the applicant is a member of a protected class. Therefore, questions that may reveal race, religion, sexual orientation, or national origin should be av oided. An organization may, however, ask an applicant about current illegal drug use as long as the question does not implicate drug addiction, which may be viewed as a disabilit y. Questions about marital status and number and ages of children are frequently used to discriminate against women and may violat e Title VII if used to deny or limit employment opportunities. --------

39. Whic h of the following is considered a best practice after terminat ing an employee? A. The employer should allow the employee a minimum of two weeks to collect his belongings and return all corporate assets B. The employer should restrict or terminate the employee's access to the company's informat ional assets and collect all computing devices storing company information, including personal information C. The employer should immediately change all adm inist rat or passwords and delete the employee's user account D. The employer should forward all mail directed to the former employee to the former employee's new mailing address

ANSWER: B. After termination of an employee, an employer should take steps to ensure that the organization's infor mat ional and physical assets are protected. Generally, the employee's access to such assets should be restricted or removed, and the organization should collect devices containing company information, including personal information. In most cases, the former employee's access should be terminated immediately. The organization should also remind the former employee of his obligation not to inappropriately exploit company data. Although personal mail addressed to the former employee should be forwarded to his new mailin g address, work related messages should be reviewed because they may cont ain proprietary information that the former employee is no longer authorized to access.

48. What is the original purpose of bank secrecy laws? A. To enable banks to better share information B. To protect customer's personal and financial information C. To permit access of financial data by government authorities for national security purposes D. To ensure creditors have appropriate access to a debtor's financial information

ANSWER: B. Bank secrecy is a legal principle in some jurisdictions under which banks are not allowed to provide to authorities personal and account information about their cust omers unless certain condit ions apply (for example, a criminal complaint has been filed). Bank secrecy laws are routinely criticized because they may enable money laundering.

18. Which of the following practices was NOT im plem ented by the Fair and Accurate Credit Transactions Act ("FACTA")? A. Cons umers have the right to obtain one free copy of their credit report from each of the three major national credit bureaus every 12 months B. Merchants may print the first 4 digits of a credit card nu m ber on a receipt C. Implemented the Disposal Rule to ensure that proper disposal of information in consum er reports and records are protected again st unauthorized access to or use of the infor mat ion. D. Implemented the Red Flags Rule to help combat identit y theft

ANSWER: B. FACTA provides that "no person that accepts credit car ds or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction." Therefore, the first four digits of the card number may not be printed. In accordance with FACTA, consumers have the right to obtain one free copy of their credit report from each national credit bureau every 12 months. FACTA also implement ed the Disposal Rule and Red Flags Ru le.

51. The Children's Online Privacy Protection Act (" COPPA") prevents website operators from performing which of the following activities? A. Creating a website with content designed for children under 13 years of age B. Collecting personal information from children under 13 years of age C. Displaying a picture of a child after obtaining verifiable parental consent D. Operating a website that is geared towards children in the United States with servers located outside the United States

ANSWER: B. Generally, COPPA appl ies to the online collection of personal information from children under 13 years of age. COPPA details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online, including restrictions on marketing to those under the age of 13.

67. The Health Insurance Portability and Accountability Act ("HIPAA") applies to whom? A. Domestic health institutions B. Covered entities and their business associates C. Book publishers of medical information D. Domestic financial instit utions

ANSWER: B. HIPAA was enacted in 1996 to define policies, procedures and guidelines that "covered ent it ies" must adhere to for maintaining the privacy and security of individually identifiable protected health informat ion (" PHI " ) . Covered entities generally include healt hca re clearinghouses, employer sponsored health plans, health insurers, and healthcare providers. In 2009, the Health I nfor mat ion Technology for Economic and Clin ical Health --------- ("HITECH") Act expanded HI PAA 's Pr ivacy and Security Rules to directly regulat e " business assoc iat es" of covered entities. Therefore, today HIPAA applies to both covered entities and their business associat es.

29. In accordance with the Health Insurance Portabil ity and Accountability Act ("HIPAA"), the Department of Health and Human Services (" HHS") has promulgated which of the following rules to address the handling of protected health information? A. Transaction Rule and Equal Access Rule B. Privacy Rule and the Security Rule C. Privacy Rule and Equal Access Rule D. Secu rit y Rule and the Notification Rule

ANSWER: B. HIPAA was enacted in 1996 to define policies, procedures, and guidelines that covered entities must follow for maintaining the privacy and security of individually identifiable protected health information (" PHI ") . Covered entities generally include healthcare clearinghouses, employer sponsored health plans, health insurers, and healthcare providers. As directed by Title II of HIPAA, the Department of Health and Human Services ("HHS") has promulgated two important rules to add ress the handling of PHI: ( 1) the Pr ivacy Rul e and (2) the Secu r it y Rule.

16. Whi ch of the following occurred as a result of Health Information Technology for Economic and Clin ical Health (" HITECH") Act? A. Covered entities were required to enter into written contract s with busin ess associat es ensuring privacy and security of protected healt h inform at ion B. The HIPAA Security Rule was extended to business associates of covered entities C. Covered entities were required to take reasonablesteps to limit the use or disclosure of, and requests for, protected health infor mat ion to the minimum necessary to accomplish the intended purpose D. Covered entities were required to take appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information

ANSWER: B. HITECH extended the HIPAA Security Rule to business associates of covered entities. Previously, privacy and security requirements were imposed on business associates through contractual agreements with covered entities. HITECH made business associates directly responsible for complying with the Security Rule. The HIPAA Security Rule estab lishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity or business associate of a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health infor mat ion.

55. Which of the following would be classified as a deceptive trade practice by the FTC? A. A website's privacy notice clearly states that it will not encrypt sensitive personal information, and the website does not, in fact, encrypt the data B. An organ izat ion promises to honor opt-out requests within 10 days but fails to honor opt-out requests. C. A rogue employee steals credit card information even though the organization took reasonable precautions to protect the credit card information D. A bank does not comply with a regulation prohibiting the bank from revealing information about its customers

ANSWER: B. If an organization fails to comply with its privacy notice, it may be held liable by the FTC for a deceptive trade practice under Section 5 of the FTC Act , which prohibits "unfair or deceptive acts or practices in or affecting commerce." When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises. A violation of a promise made in a privacy notice is an example of a deceptive trade practice. Answer A would be an example of an unfair trade practice. The organization is not being decept ive, but the potential harm caused by the websit e's failure to encrypt sensitive data clearly outweighs the cost of providing encryption, a commonplace and inexpensive security control. Answer C would not be a deceptive trade practice because the organization had reasonable security measur es in place, and the employee simply ----- 21 9 commit ted a crime. Answer D is incorrect because the FTC has no jurisdiction over banks and common carriers, which are under the supervision of other governmental agencies.

24. When a website operator states in its privacy notice that it will not share financial information with third parties and then shares financial information with a thir d- part y affiliate, what recourse may occur? A. The FrC may bring an action against the operator for unfair competition B. The FrC may bring an action against the operator for a deceptive trade practice C. A user of the website may bring a criminal complaint against the operator D. The FrC may bring an action under Section 7 of the FrC Act

ANSWER: B. If an organization fails to comply with its privacy notice, it may be held liable by the FrC for a decept ive trade practice under Section 5 of the FrC Act , which prohibits " unfair or deceptive acts or practices in or affecting commerce." When companies tell consumers they will safeguard their personal information, the FrC can and does take law enforcement action to make sure that companies live up to these promises. A violation of a promise made in a privacy notice is an example of a deceptive trade practice. The distinct ion between a deceptive trade practice and an unfair trade practice is often tested on the CIPP/US exam.

42. Which of the following companies was directed by the Federal Trade Commission ("FTC") to implement a comprehensive information security program for allegedly carrying out a deceptive trade practice with respect to its Passport web service? A. Google B. Microsoft C. Gateway Learning D. GeoCities

ANSWER: B. In 2002, Microsoft agreed to settle FTC charges concerning the privacy and security of information collected through its Passport web service. Microsoft's privacy policy claimed, among other things, that Passport "achieves a high level of Web Securit y by using technologies and systems designed to prevent unauthorized access to your personal information." The FTC alleged that Microsoft misrepresented the level of security provided by the Passport service. As part of the consent order, Microsoft agreed to establish and maintain a comprehensive information security program reasonably designed to protect the security, confident ialit y, and integrit y of personal informat ion collect ed from or about its consumers.

69. Which of the following is NOT mandated by the Privacy Rule of the Health Insurance Portability and Accountability Act ("HIPAA")? A. Covered entities with a direct treatment relat ionship with a patient must provide the patient with a privacy notice before the first service encounter B. Covered entities must use and disclose protected health information for treatment, payment, and healthcare operations C. Covered entities must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions D. A covered entity must maintain reasonable and appropriate adm inist rat ive, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information

ANSWER: B. In accordance with the Privacy Rule, a covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) to the individuaI; ( 2) treatment, payment, and healthcare operations; (3) opportunity to agree or obj ect; ( 4) incident to an otherwise permitted use and disclosure; (5) public interest and benefit act ivit ies; and (6) limited data set for the purposes of research, public health or health care operations. Therefore, B is the correct answer because there are other permitted uses besides for treatment, payment, and health care operations. In addit ion, the Privacy Rule permits covere d entities to disclose or use protected health information in certain circum st an ces but never requires disclosure or use. Covered entities may rely on professional ethics and best judgments in deciding which of the permissive uses and disclosures to make. The HIPAA Privacy Rule also requires covered entities to implement app ropriate administrative, technical, and physical safeguards to protect the privacy of protected health informat ion ("PHI").

82. A company with an existing business relationship with a consumer may call the consumer for up to how long after the consumer's last purchase? A. 12 months B. 18 months C. 24 months D. There is no limit so long as there is an existing business relationship

ANSWER: B. In accordance with the Telemarketing Sales Rule, a company with which a consumer has an established business relationship may call for up to 18 months after the consumer's last purchase or last delivery, or last payment, unless the consumer asks the company not to call again. In that case, the company must honor the request not to call.

53. Which of the following is an example of personal information from a public record? A. Heath plan number from an insurance card B. Name and address of an owner of a piece of real estate from a real estate deed C. Driver's license number from a government issued citation D. Genetic informat ion from a private genome project ---------------

ANSWER: B. Public records are informat ion collected and maintained by the government and that are available to the public. Public records include real estate deeds, birth and marriage certificates, tax liens, and other data recorded by the government and made available for public inspection.

19. When an employer obtains an investigative consumer report on an employee suspected of misconduct, which of the following is required? A. The employer must provide advance notice of the invest igat ion to the employee B. The employer must provide a summary of the nature and scope of the investigation if adverse action is taken as a result of the investigation C. The employer must obtain the employee's consent to the investigation D. The employer must certify to the consumer report ing agency that the necessary notices have been provided to the employee

ANSWER: B. The Fair Credit Reporting Act ("FCRA") was amended in 2003 to exempt investigative consumer reports related to suspected employee misconduct from many of the requirements of the FCRA, including consent, advanced notice, and certification. The employer is still required, however, to provide a summary of the nature and scope of the investigation if adverse action is taken as a result of the investigat ion.

95. In civil litigat ion, what is the appropriate mechanism for a party to contest the scope of a discovery request seeking confidential information that would cause serious injury to the party if disclosed? A. Motion to compel B. Subpoena C. Protective order D. Judgment on the merits

ANSWER: C. A court may, for good cause, issue a protective order to protect a party or person from annoyance, embarrassment, oppression or undue burden or expense. In evaluating requests for protective orders, courts have considered variou s factors, including, the confidentiality interests at issue, the need to protect public health and safety, the fairness and efficiency of entering a protective order, and the importance of the litigation to the public.

4 0. The following fact pattern applies to questions 40 and 41. ABC Corporation is a financial instit ution that partners with third-party affiliate wine companies to market and sell high-end wine and spirits on a monthly subscription basis. ABC obtains credit reports on consumers from consumer reporting agencies and stores the credit reports in a database. The database is accessible by the wine companies, which use the information contained in the credit report, including monthly income and credit history, to determine if a particular consumer is eligible to join the program. If eligible, the consumer is sent an informational kit describing the program with an application form. What must the affiliate wine companies do before using the information contained in the credit reports for marketing purposes? A. Obtain prior written authorization from the consumers B. Provide opt-out notice to the consumers C. Provide a copy of the reports to the consumers D. Cert ify to the credit reporting agency that furnished the reports that it is has a permissible purpose

ANSWER: B. The Fair and Accurate Credit Transactions Act (" FACTA" ) imposes obligations on con sum er report ing agencies, as well as users and furnishers of consum er reports. The Act prohibits an affiliate that receives eligibility information from using that informat ion to make a solicitation for marketing purposes unless (1) the consumer receives notice, (2) has a reasonable opportunity and simple method to opt out of such solicit at ions, and (3) the consumer does not opt out.

45. The Red Flags Rule is designed to combat what type of activity? A. Acquisition of personal information from minors B. Identify theft C. Inappropriate disclosure of financial information D. Transfer of personal information out of the United States

ANSWER: B. The Fair and Accurate Credit Transactions Act ("FACTA") provides a Red Flags Rule designed to combat identify theft. Identity theft refers to a fraud committed or attempted using the identifying information of another person without authority. The Red Flags Rule requires creditors and financial institutions to address the risk of identity theft by developing and implementing written identity theft prevention program s to help identify, detect, and respond to patterns, practices, or specific activities - known as "red flags " - that could indicate identity theft. ---------------------- ---,

97. Domestic financial institutions are required to provide an annual privacy notice to which of the following? A. Consumers B. Customers C. Employees D. Contractors

ANSWER: B. The Gramm-Leach-Bliley Act ("GLBA"), also known as the "Financial Services Modernization Act," was enacted in 1999. It applies to institutions that are significantly engaged in financial activities in the United States (also known as "domestic financial instit ut ions"). In accordance with the Privacy Rule, domestic financial institutions are require to provide an initial privacy notice when the customer relationship is established and annually thereafter.

78. The Telemar keting Sales Ru le defines " telemar keting" as which of the followin g? A. An automated telephone call to a consumer for the purposes of effectuating a sale B. A plan, program , or cam paig n to induce the purchase of goods or ser vices or a charitable cont ribution involving more than one interst at e telephone call C. The solicit at ion of goods or services through one or more telephones D. A plan or program to induce the purchase of goods ( excluding charitable contributions) involving more than one interstate telephone cal l

ANSWER: B. The Telemarketing Sales Rule (as amended) regulates " telemar keting" - defined in the Rule as "a plan, pr ogram , or campaign ... to induce the purchase of goods or services or a charitable contribution" involving more than one interstate telephone call. With some important exceptions, any business or individual that takes part in " telemar keting" must comply with the Rule. This is true whet her, as " telemar keters," they initiate or receive telephone calls to or from consumers, or as " sellers," they provide, offer to provide, or arrange to provide goods or services to consumers in exchange for payment. It makes no difference whether a company makes or receives calls using low-tech equipm ent or the newest technology - such as voice response units and other automated systems. Sim ila r ly , it makes no difference whether the calls are made from out side the United States; so long as they are made to consumers in the United States, those maki ng the calls, unless otherwise exempt, must comply wit h the Rule 's provisions. If the calls are made to induce the purchase of goods, services, or a charit ab le contribution, the company is engaging in "telemarketing."

57. Which branch of the U.S. government is responsible for enforcing laws? A. Legislative B. Executive C. Judicial D. Adm inistrat ive

ANSWER: B. The U.S. Constitution is the supreme law of the United States. It separates the United States government into three main powers, or branches. The legislative branch makes the laws, the executive branch enforces th laws, and the judicial branch evaluates and interprets the laws. The rationale for the separate branches is to ensure that no one person can have too much control of the government, thereby creating a separation of powers.

58. Which of the following is a type of agreement issued by an administrative agency in which the defendant agrees to stop the alleged illegal activity without admitting fault? A. Subpoena B. Judgment C. Consent decree D. National security letter

ANSWER: C. A consent decree is a formal document stating specific steps an entity needs to perform to rect ify an alleged violation. When entering into a consent decree, the charged entity typically does not admit fault or liability. This is an important aspect of a consent decree: the alleged violator does not admit to any wrong-doing. This is beneficial to the charged ent ity because the decree cannot be used as evidence of fault in any other civil action that may be brought by those harmed by the unfair or deceptive practice. Many organizations prefer a consent decree for this reason and because they avoid a prolonged trial and the negat ive publicity associated with a trial.

83. When requesting a consumer's consent to make unsolicited pre-recorded telemarketing calls ("robocalls") to the consumer, what standard is used to evaluate the propriety of the notice? A. Reasonable B. Clear and convincing C. Clear and conspicuous D. Beyond a reasonable doubt

ANSWER: C. A consumer's written consent to receive telemarketing robocalls (unsolicited pre-recorded telemarketing calls) must be signed and be sufficient to show that the consumer: (1) received "clear and conspicuous disclosure" of the consequences of providing the requested consent (that is, the consumer will receive future calls that deliver pre- recorded messages by or on behalf of a specific seller); and (2) having received this informat ion, the consumer agrees unambiguously to receive such calls at a telephone number the consumer designates. In addit ion, the written agreement must be obtained "without requiring, directly or indirectly, that the agreem ent be executed as a condition of purchasing any good or service."

32. The Disposal Rule contained in the Fair and Accurate Credit Transactions Act ("FACTA") applies to which type of documents? A. Educational records B. Financial data C. Consumer reports and records D. Em ployee evaluations

ANSWER: C. Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule. The Rule requires the proper disposal of information in consumer reports and records to protect against unauthorized access to or use of the inf ormat ion . The standard for the proper disposal of information derived from a consumer report is flexible, and allows the organizations and individuals covered by the Ru le to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology. The Disposal Rule applies to consumer reports or information derived from consumer reports. The Fair Credit Reporting Act ("FCRA") defines the term consumer report to include information obtained from a consumer report ing company that is used - or expected to be used - in establishing a consumer's eligibility for credit, employm ent, or insurance, among other purposes. Credit report s and credit scores are types of consumer reports. Reports that businesses or individ uals receive with informat ion relat ing to employment back ground, check writ ing history, insurance claim s, residential or tenant history, or medical history are also considered consu mer report s.

88. May an operator of a general audience website rely on age information submitted by its users to determine if it must comply with the Children's Online Pr ivacy Protection Act (" COPPA") ? A. No, COPPA applies to all general audience websites with users under the age of 13 B. No, an operator will be deemed to have knowledge of the true age of all website users regardless of user-submitted age information C. Yes, the operator may rely on user-submitted age information unless he has actual knowledge that a child under the age of 13 is using the website D. Yes, the operator may rely on user-submitted age informat ion even if he has actual knowledge that children under the age of 13 are using the website

ANSWER: C. COPPA covers operators of general audience websites or online services only when such operat ors have actual knowledge that a child under the age of 13 is the person providing personal information. The Rule does not require operators to ask the age of visit ors. However, an operator of a general audience site or service that chooses to screen its users for age in a neutral fashion may rely on the age information its users enter, even if that age infor mat ion is not accurate. In some circumstances, this may mean that children are able to register on a site or service in violat ion of the operator's Terms of Service. If, however, the operator later determines that a particular user is a child under the age of 13, COPPA's notice and parental consent requirements wil l be triggered.

8. The Chi ldren's Online Privacy Protection Act ("COPPA") was enacted to primarily prevent which of the following activities? A. To prevent children from using a parent 's credit card information without consent B. To protect the privacy of children under 18 years of age C. To protect children from malicious or abusive users of interactive online services D. To educate parents about the danger of the Internet

ANSWER: C. COPPA prohibits unfair and deceptive acts or practices in connection with the collect ion, use, or disclosure of personal information from children under the age of 13 in an online environment. The Act was passed in response to an alarming trend of children posting their personal information in interactive public areas, such as chat rooms and bulletin boards, which were accessible to all online users.

25. The Childr en's Online Privacy Protection Act (" COPPA") ap plies to whom? A. Operators of websites soliciting business in the Unit ed States B. Oper ators of websites soliciting financial information from customers in the United Stat es C. Operators of commercial websites that are directed to children under 13 years of age D. Operators of commercial websites that are directed to children under 18 years of age

ANSWER: C. COPPA was enacted in 1998 to curtail the collection of personal infor mat ion from childr en. The Act applies to websites and online services operated for commercial purposes that are directed to childr en under the age of 13. In addition, the Act applies to operators having actual knowledge that childr en under 13 are providing information online. In addition to requir ing operators of these websites to conspicuously post a privacy notice, COPPA also requir es that website operators obtain verifiable parental consent prior to any collect ion, use, or disclosure of personal information from persons under the age of 13.

4. In accordance with the Fair Credit Reporting Act ("FCRA"), a consumer is entitled to a free copy of his credit report if he requests the report within how many days after an adverse action? A. 30 days B. 45 days C. 60 days D. 120 days

ANSWER: C. Each national consumer reporting agency that maintains a file on a consumer shall provide a free credit report to the consumer if, no later than 60 days after receipt by such consumer of an adverse action notification, the consumer makes a request for a copy of his credit report.

20. Wh ich of the following is NOT a requirement of the Fair Credit Report ing Act (" FCRA")? A. Consumer reporting agencies furnish consumer reports only to persons having a per missible purpose B. Users of consumer reports cert if y to the consumer reporting agency their permissible purpose and also certify that the information contained in the consumer report will not be used for any other purpose C. State consumer reporting agencies must provide consumers with a free copy of their credit report every year D. If a user takes any adverse action based on informat ion contained in a consumer report, the user must provide notice of the adverse action to the consumer

ANSWER: C. Every national consumer reporting agency that maintains a file on a consumer shall provide a free credit report to the consumer if, no later than 60 days after receipt by such consumer of an adverse action notification, the consumer makes a request for a copy of his credit report. The free credit report provision appl ies only to national consumer reporting agenc ies (such as Experian, TransUnion, and Equifax) and not local or state consumer reporting agencies.

99. The Gramm-Leach-Bliley Act (" GLBA" ) prohibits which of the following practices? A. Sharing of personal information B. Transfer of financial accounts to financial institutions located outside the United States C. Pretexting D. Lending of money to individuals residing overseas

ANSWER: C. The GLBA prohibits "pretexting" - the practice of obtaining customer information from financial instit ut ions by false pretenses. Specifically, the Act prohibits any person from obtaining customer information relating to another person by making a false, fictitious, or fraudulent statement or representation to an employee or customer of a fi nanciaI institution.

13. If a user of a consumer report takes adverse action against a consumer based on information contained in the consumer report, which of the following does NOT need to be disclosed to the consumer? A. The name, address, and telephone number of the consumer reporting agency that provided the consumer report B. A statement explaining to the consumer that he has the right to obtain a copy of the consumer report free of charge from the consumer reporting agency C. An explanation of the technical safeguards instituted by the consumer reporting agency that protect the consumer's confidential information D. A statement advising the consumer of his right to disput e the accuracy or completeness of the consumer report with the consumer reporting agency

ANSWER: C. If a user takes adverse action against a consumer based on information contained in a consumer report, the user must provide notice to the consumer. The notice must include (1) the name, address, and telephone number of the consumer reporting agency that provided the consumer report, (2) a statement explaining to the consumer that he has the right to obtain a copy of the consumer report free of char ge from the consumer report ing agency, an d (3) a statement advising the consumer of his right to dispute the accuracy or completeness of the consumer report with the con sumer reporting agency.

41. If ABC plans on taking an ad verse action against a consumer based on information in his credit report, what must it do before taking the adverse action? A. Provide a complete copy of the underwriting file to the consumer B. Provide a complete copy of the credit report to the consumer C. Provide notice of the adverse action to the consumer; disclose the name, address, and telephone number of the consumer reporting agency fur nishin g the credit report; and notify the consumer about his right to obtain a free copy of his consumer report from the consumer reporting agency D. Allow the consumer to opt-out of future marketing mailings from ABC or its affiliates

ANSWER: C. In accordance with the Fair Credit Reporting Act ("FCRA"), users of consumer reports have several responsibilities. If a user takes any adverse action with respect to any consumer that is based in whole or in part on any information contained in a consumer report, the user must (1) provide notice of the adverse action to the consumer, (2) disclose the name, address, and telephone number of the consumer reporting agency furnishing the information to the user, and (3) notify the consumer about his right to obtain a free copy of his consumer report from the consumer reporting agency and how to dispute inaccurate or incomplete information in the report. A copy of the report is required to be provided only when taking an adverse action for employment purposes. Therefore, ABC does not need to provide a copy of the report to the consumer because the adverse action is not related to employment. If an employer uses a consumer report to take an adverse act ion against a potential or current employee, the employer must provide a copy of the report to the employee.

77. An educational institution may disclose which of the following pieces of information about its students as directory information? A. Sexual orientation B. Social security number C. Address D. Income

ANSWER: C. In accordance with the Family Educational Rights and Privacy Act ("FERPA"), schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about the disclosure of directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them (that is, provide them the opportunity to opt-out).

23. Which of the following cannot be included in the notification letter to affected residents after discovery of a data breach in accordance with Massachusetts law? A. Information about the consumer's right to obtain a police report B. Information on how the affected individual can obtain a credit freeze C. The number of residents affected by the breach D. Contact information for national consumer reporting agencies

ANSWER: C. Mass. Gen. Laws § 93H-3 requires that the notice provided after a data breach must include (1) the consumer's right to obtain a police report and (2) how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and any fees required to be paid to any of the consumer reporting agencies. The notification cannot include the nature of the breach or the number of resident s affected by the breach. Other information, such as contact information for national consumer reporting agencies, may also be optionally provided in the notice.

47. The Do Not Call Registry applies to what type of mar ket ing? A. Em ail marketing B. Unsolicited commercial messages C. Telemarketing D. Online marketing

ANSWER: C. Pursuant to its authority under the Telephone Consumer Protection Act ("TCPA"), the Federal Communication Commission ("FCC") established, together with the Federal Trade Commission ("FTC"), a national Do Not Call Registry in 2003. The registry is nationwide in scope, applies to all telemarketers (with the exception of certain non profit organizations), and covers both interstate and intrastate telemarketing calls. Commercial telemarketers are not allowed to call you if your number is on the registry, subject to certain exceptions .

74. In accordance with the Fair Credit Reporting Act (" FCRA" ), what is an investigative consumer report? A. Factual information on a consumer's credit record obtained directly from a creditor of the consumer or from a consumer reporting agency B. A consumer report containing information about a consumer's past employment C. A consumer report containing information on a consumer's character, general reputation, personal characteristics, or mode of living that is obtained through personal interviews D. A report generated by a third-party investigator relating to a consumer's health

ANSWER: C. The FCRA defines an investigative consumer report as "a consumer report or portion thereof in which information on a consumer's charact er, general reputation, personal charact eristics, or mode of living is obtained through personal interviews with neighbors, fr iends, or associates of the consumer reported on or with others with whom he is acquainted or who may have knowledge concerning any such items of infor mation."

1. In accordance with the Fair Credit Reporting Act (" FCRA" ) , willf ul violations of the Act are punishable by a st at utory maximum penalty of how much per violat ion? A. $500 B. $2,000 C. $2, 500 D. There is no limit

ANSWER: C. The FCRA provides a stat utory penalty of up to $2, 500 per violation for knowingly or willfully violat ing the Act . A consumer may recover his actual dam ages up to the statutory maximum, plus possible punitive damages, as well as reasonable attorney's fees and costs. Therefore, if this question was phrased differently and asked about the maximum penalty for a willful violat ion of the FCRA, the correct answer would be D because a consumer may recover punitive damages as well as actual damages. The stat utory maximum, however, is $2,500.

64. Which of the following organizations promotes cross-border information sharing and enforcement efforts for privacy authorities across the world? A. International Organization for Standardization ("ISO") B. Asia-Pacific Economic Cooperation ("APEC") C. Global Privacy Enforcement Network ("GPEN") D. Union of International Associations ("UIA")

ANSWER: C. The Global Privacy Enforcement Network ("GPEN") is an international network of privacy enforcement authorities tasked with aiding the flow of personal information across borders. In addition, GPEN supports joint enforcement initiatives and awareness campaigns related to privacy issues. The Federal Communications Commission ("FCC") and Federal Trade Commission ("FTC") are members of GPEN for the United States. Although APEC does have a cross border privacy enforcement arrangement, it is limited to APEC economies and is not worldwide in scope.

98. Domestic financial institutions are required to provide the customer with the opportunity to opt out of sharing what type of information with unaffiliated third-parties? A. Personal information B. Publ ic ly available information C. Non -public personal information D. De-identified personal information

ANSWER: C. The Gramm-Leach-Bliley Act ("GLBA") requires domestic financial institutions to provide opt out notice prior to sharing non-public personal information (" NPI" ) with unaffiliated third parties . NPI includes any personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available. Examples of NPI include a customer's name, address, income, social security number, and other account related informat ion, such as account numbers, payment history, loan or deposit balances, and credit or debit card purchases.

80. Which of the following types of calls are NOT regulat ed by the National Do Not Call Registry? A. Calls to consumers living in Puerto Rico and the District of Columbia B. Automated telephone calls C. Calls from political organizations, charities, telephone surveyors, or companies with which a consumer has an existing business relat io nship D. Calls made manually without the assistance of an automated dialer

ANSWER: C. The Nat ional Do Not Call Registry does not cover calls from political organizations, charities, telephone surveyors, or companies with which a consumer has an existing business relationship. The area codes in the National Do Not Call Registry cover the 50 states, the District of Colu mbia, Puerto Rico, U.S. Virgin Islands, Guam, North Mariana Islands, American Samoa, and toll-free numbers. It makes no difference whether a company makes or receives calls using low-tech equipment or the newest technology - such as voice response units and other automated systems. Similarly, it makes no difference whether the calls are made from outside the United States; so long as they are made to consumers in the United States, those making the calls, unless otherwise exempt, must comply with the Rule's provisions.

91. The Privacy Protection Act (" PPA") protects which of the following? A. A promotional flyer created by a religious institution B. An article writ ten by a student at an educational instit ution for internal dissemination C. Documentary material held by a journalist D. A book published by the government

ANSWER: C. The Pr ivacy Protection Act (" PPA" ) was enacted in 1980 to protect journalists and newsrooms from searches by government officials. Speci fically, the Act prohibits "a government offi cer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication." The Act protects both work product and documentary materials. To search or seize protected material, the government is generally first required to obtain a subpoena from a court on the basis that there is probable cause to believe that the person possessing the materials has committed or is committing a crim inal offense to which the materials relate. Search or seizure wit hout a court order is permitted only if immediate seizure of the materials is necessary to prevent death or serious bodily injury.

52. Which of the following is one of the main purposes of the Fair Credit Reporting Act (" FCRA")? A. Give employers the right to correct credit reports for their employees B. Encourage the dissemination of consumer data to foreign companies with a need to know the data C. Limit the use of consumer reports to permissible purposes D. Allow data reporters to place a debt on a consumer's credit report if they have a reasonable suspicion of the debt

ANSWER: C. Under the FCRA, a credit report (a type of consumer report) may only be acquired for a "permissible purpose." Section 604 of the FCRA sets forth the circumstances that are considered permissible, including (1) for employment, credit, license, or insurance purposes; and (2) with the written instructions of the consumer to whom the credit report relates.

60. Which of the following is the primar y mechanism that the FTC uses to enforce privacy laws? A. Civil litigation B. Criminal litigation C. Administrative enforcement action D. Declaratory judgments

ANSWER: C. When the FTC believes that a person or company has committed an unfair or deceptive trade practice, it starts an investigat ion of the practice. Following the invest igat ion, the FTC may initiate an enforcement action against the person or organization if it has " reason to believe" that the law is being, or has been, violated. An adm inist rat ive enforcement action begins with the FTC issuing a complaint setting forth its charges. Enforcement actions are the primary mechanism by which the FTC enforces privacy laws.

75. Which of the following is NOT a permissible purpose for a consumer repor ting agency to furnish a consumer report? A. In accordan ce with the written instructions of the cons umer to whom it relat es B. To a person who intends to use the informat ion in connection with a credit transact ion involving the consumer C. In response to an order of a court D. For verification of eligibility for Social Security

ANSWER: D. A consumer reporting agency may only furnish a consumer report if a permissible purpose exists. The following are examples of permissible purposes: (1) in response to the order of a court having jurisdiction to issue such an order, or a subpoena issued in connection with proceedings before a federal grand jury; (2) in accordance with the written instructions of the consumer to whom it relates; and (3) to a person who intends to use the information either in connection with a credit transaction, employment purposes, the underwriting of insurance, or eligibility for a license.

30. Cali fornia's securit y breach notification law requires which entities to disclose a breach of security of unencrypted personal in format ion to California residents? A. Only companies physically located in California B. Only state agencies C. Only companies that conduct business in California D. Al l state agencies and companies that conduct business in Cali for nia

ANSWER: D. California's security breach notification law (S.B. 1386) requires a state agency , or a person or business that conducts business in California, to disclose in specified ways any breach of the security of dat a to any resident of Calif ornia whose unencrypted person al information was, or is reasonably believed to have been, acquired by an unaut hor ized person.

81. If a third-party telemarketer acting on behalf of a charity calls a consumer, how may the consumer prevent the third-part y telemarketer from calling him again in the future? A. Register his phone number with the Nat ional Do Not Call Registry B. Call the local police department and file a formal complaint C. File a formal complaint with the Federal Bureau of Investigation D. Specifically ask the third-party telemarketer not to call again and to place his number on the telemarketer's entity-specific do not call list

ANSWER: D. Charities that are calling on their own behalf to solicit charitable contributions are not covered by the requirements of the national registry. However, if a third-party telemarketer is calling on behalf of a charity, a consumer may ask not to receive any more calls from or on behalf of that specific charity and be placed on the telemarketer's entity specific suppression list. If a third-party telemarketer calls again on behalf of that charity, the telemarketer may be subject to a fine of up to $16,000.

86. An operator of which of the following is regulated by the Children's Online Privacy Protection Act (" COPPA") ? A. A general audience website that provides online games B. A mobile application for paying utility bills C. A social networking service directed to children over 13 D. A general audience website that provides online games when the operator has knowledge that the games are being played by children under the age of 13

ANSWER: D. Congress enacted COPPA in 1998. COPPA required the Federal Trade Commission ("FTC") to issue and enforce regulations concerning children's online privacy. The primary goal of COPPA is to place parents in control over what information is collected from their young children online. COPPA applies to (1) operators of commercial websites and online services (including mobile apps) directed to children under the age of 13 that collect, use, or disclose personal information from children, and (2) operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under the age of 13.

50. Which of the following is NOT exempt from disclosure under the Freedom of Information Act ("FOIA")? A. Records containing trade secrets B. Records containing the location of oil wells C. Records describing the data handling practices of financiaI institutions D. Records pertaining to federal regulatory agencies, federal employees, and federal agents

ANSWER: D. FOIA has the following nine exemptions: (1) those documents properly classified as secret in the interest of national defense or foreign policy; (2) documents related solely to internal personnel rules and practices; (3) documents specifically exempted by other statutes; (4) a trade secret or privileged or confidential commercial or financial information obtained from a person; (5) a privileged inter-agency or intra-agency memorandum or letter; (6) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (7) documents com piled for law enforcement purposes; (8) records contained in or related to examination, operat ing, or condition reports about financial institutions; and (9) those documents containing exempt information (for example, the location ) about gas or oil wells. Answers A, B, and C fall in exemptions (4), (9), and (8), respectively . An swer D is not a recognized exemption and, therefor e, is the correct answer.

54. Which of the following may be considered personal information? A. Financial data of an organization B. I ntellectual property of an organization C. Operational data of an organization D. Human resources data of an organization

ANSWER: D. Financial data, intellectual property, and operational data are all important types of information related to an organization. However, personal informat ion is only that information describing an identified or identifiable individual (in contrast to an organization). Human resources data describes the employees of an organization and therefore may constitute personal information because employees are individuals. All the other types of information listed describe the organization itself and are not types of personal information.

17. In accordance with the Fair Credit Reporting Act (" FCRA" ), willfu l disclosure of financial information in violation of the Act is punishable by a penalty of how much? A. $500 B. $2,000 C. $2,500 D. There is no lim it

ANSWER: D. For willful violations of the FCRA, a consumer may recover his actual damages up to the statutory maximum of $2,500, plus possible punitive damages, as well as reasonable attorney's fees and costs. Therefore, the correct answer is D because a consumer may recover his actual damages and punitive damages. The FCRA provides a statutory maximum penalty for actual damages of up to $2,500 per violation for knowingly or willfully violating the Act. However, this question was not limited to actual damages.

72. Which of the following agencies is NOT responsible for enforcing a violation of the Genetic Information Nondiscrimination Act ("GINA")? A. Departm ent of Labor B. Department of Health and Human Services ("HSS") C. Equal Employment Opportunity Commission ("EEOC") D. Federal Trade Commission ("FTC")

ANSWER: D. GINA is enforced by various federal agenc ies. The Department of Labor, the Department of the Treasury, and the Department of Health and Human Services are responsible for Title I of GINA, and the Equal Employment Opportunity Commission is responsible for Title II of GINA. Remedies for violations include corrective action and monetary penalties. Under Title II of GINA, individuals also have the right to pursue private litigation. The FTC does not enforce GINA.

73. The Genetic Information Nondiscrimination Act (" GI NA" ) prohibits discrimination based on genetic information for which type of insurance? A. Life insurance B. Disability insurance C. Long-term care insurance D. Health insurance

ANSWER: D. GINA prohibits discrim inat io n in health coverage and employment based on the genetic informat ion. GINA's health coverage non discrim inat ion protections do not extend to life insurance, disability insurance and long-term care insurance.

71. Which of the following types of information is NOT protected by the Genetic Information Nondiscrimination Act ("GINA")? A. The results of an individual's genetic tests B. The manifestation of a disease or disorder in family members C. A request for, or receipt of, genetic services D. Sex or age of an individual

ANSWER: D. GINA prohibits discrimination in health coverage and employment based on genetic information. The statute defines "genetic information" as infor mat ion encompassing: ( 1) an individual's genetic tests (including genetic tests done as part of a research study); (2) genetic tests of the individual's family members (defined as dependents and up to and including fourth degree relatives); (3) genetic tests of any fetus of an individual or family member who is a pregnant woman, and genetic tests of any embryo legally held by an individual or family member utilizing assisted reproductive technology; (4) the manifestation of a disease or disorder in family members (family history); and (5) any request for, or receipt of, genetic services or participation in clinical research that includes genetic services (genetic testin g, counselling, or education) by an individual or family member. Under GINA, genetic information does not include information about the sex or age of an individual.

49. Which of the following correctly describes the Gram m - Leach-Bliley Act ("GLBA")? A. The Act is based on the permissible purpose approach to privacy B. The Act covers all financial informat ion, including publicly available information C. The Act requires opt-in consent when sharing financial information with unaffiliated third parties D. The Act establishes a complicated set of privacy and security requirements for domestic financial institutions

ANSWER: D. GLBA is based on the fair information practices approach to privacy and not the permissible purpose approach. GLBA also does not cover publicly available information, and the sharing of financial data with unaffiliated third parties is permitted with opt-out consent. The GLBA sets forth two important rules that domestic financial institutions must adhere to: ( 1) the Privacy Rule and (2) the Safeguards Rule. Therefore, D is the best answer.

9. Which of the following com panies al legedly com mit ted an unfair trade pract ice by retroactively changing their privacy policy to permit the sharin g of personal informat ion without notifying its users? A. Microsoft B. Eli Lilly C. Google D. Gateway Learning

ANSWER: D. In 2004, the FfC filed a complaint against Gateway Learning Corp. for, in part, retroact ively revising it s privacy policy to permit shar ing of its users' personal information. Gateway Learning subsequ ent ly settled the matter with the FfC and in a consent decree agreed not to sell, rent, or loan to third parties its users' personal information.

62. Which of the following is not a right set forth in the Consumer Privacy Bill of Rights introduced by the Obama adm inist rat ion? A. Access and accuracy B. Transparency C. Security D. Simplicity

ANSWER: D. In 2012, the Obama adm inistrat ion released a report titled "Consumer Data Privacy in a Net worked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Economy." The report contains a Consumer Privacy Bill of Rights, which include (1) I ndividual Control; (2) Transparen cy; (3) Respect for Context; (4) Security; (5) Access and Accuracy; (6) Focused Collec tion; and (7) Accountability. Simplicity is not one of the rights m entioned.

10. The following fact pattern appl ies to questions 10 - 14. Katie goes to her neighborhood pharmacy to fill her prescript ion for heart medication. When asked, Kat ie hands the pharmacist her prescript ion and insurance identifi cat ion card. The pharmacist provides Katie with the proper dose and type of medicat ion as indicated on the prescript ion but inadvert ently forget s to give Katie back her insurance identification card. One week later, Nata lie, another patron of the pharmacy, finds Kat ie's insur ance identificat ion card in her medicat ion bag, calls the pharmacy using the contact num ber posted on the pharmacy's website, and returns the insurance identification card to the pharmacy. The pharmacy promptly returns the card to Katie the next business day. Has a violation of the Health Insurance Portabilit y and Accountability Act ("HIPAA") occurred? A. No, the insurance identification card was safely returned to its owner within a reasonable amount of time B. No, the insurance identification card does not constitute protected health information C. No, the pharmacy is not a covered entity D. Yes, the insurance identification card constitutes protected health information and the loss of the card created a significant risk of harm to the patient

ANSWER: D. Pharmacies are classified as healthcare providers under HIPAA and therefore are covered entities. The insurance ident ifi cation card also constitutes protected health information because it relates to the provision of healthcare to an individual. In accordance with HIPAA, a data breach is, generally speaking, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. The Privacy Rule pertains to all forms of PHI, including both paper and electronic records. Therefore , the incident constitutes a data breach under HI PAA .

15. The National Do Not Call Registry is primarily enforced by which two entities? A. Department of Transportation and the FTC B. U.S. Department of Justice and the FTC C. Department of Commerce and the FCC D. The FTC and FCC

ANSWER: D. Pursuant to its authority under the Telephone Consumer Protection Act ("TCPA"), the Federal Communication Commission ("FCC") established, together with the Federal Trade Commission ("FTC"), a national Do Not Call Registry in 2003. The registry is nationwide in scope, applies to all telemarketers (with the exception of certain non profit organizations), and covers both interstate and intrastate telemarketing calls. Commercial telemarketers are not allowed to call you if your number is on the registry, subject to certain exceptions. The FTC and FCC are the primary enforcers of the National Do Not Call Registry.

94. Which of the following is NOT a primary impact of the USA PATRIOT Act? A. Enhancing the federal government's capacity to share intelligence B. Strengthening the criminal laws against terrorism C. Removing obstacles to investigating terrorism D. Preventing foreign nationals from traveling to the United States

ANSWER: D. The Department of Justice's 2004 field report on the USA PATRIOT Act sets forth the following four primary impacts of the Act: (1) enhancing the federal government's capacity to share intelligence; (2) strengthening the criminal laws aga inst terrorism; (3) removing obstacles to investigating terrorism; and (4) updating the law to reflect new technology.

46. In accordance with the Electronic Communicat ions Privacy Act (" ECPA" ), when may a person lawfully monitor another's telephone call? A. Only when both parties to the call have given their consent B. Monitoring telephones call is illegal under all circumstances C. Ten days after providing notice of the monitoring to both parties of the call D. When one of the parties to the call has given his consent

ANSWER: D. The Electronic Communications Privacy Act (" ECPA") was enacted in 1986 to update the Federal Wiretap Act. The ECPA protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. Therefore, ECPA applies to email, telephone conversations, and data stored electronically. Two notable exceptions to ECPA's broad prohibition against interception of communicat ions exist. First, under federal law, if one party to the communication consents to the interception, it is permitted. Under most state laws, however, consent of both parties is required. Second, operat ors are authorized to intercept and monitor communications placed over their facilities in order to combat fraud and theft of service. Because this question specifically deals with the federal law (ECPA) and not state law, the correct answer is that only one party to the call needs to consent to the interception.

87. Which of the following is NOT regulated by the Children's Online Privacy Protection Act ("COPPA")? A. Online contact information B. A screen name that functions as online contact information C. A photograph of a child D. Pornography

ANSWER: D. The Federal Trade Commission ("FTC") has defined personal information in its Rule implementing COPPA to include: (1) first and last name; (2) a home or other physical address including street name and name of a city or town; (3) online contact information; (4) a screen or user name that functions as online cont act information; ( 5) a telephone number; (6) a social security number; (7) a persistent identifier that can be used to recognize a user over time and across different websites or online serv ices; ( 8) a photograph , video, or audio file, wher e such file contains a child 's image or voice; (9) geolocation informat ion sufficient to identify street nam e and name of a city or town; or ( 10) information concerning the child or the parents of that child that the operat or collects online from the child and combines with an identifier descr ibed above. COPPA was not designed to protect children from viewing particular types of cont ent, such as pornography. If parents are concerned about their childr en accessing online pornography or other inappropriate materials, they should consider a filtering program or an internet service provider that offers tools to help screen out or restrict access to such material.

26. The Gramm-Leach-Bliley Act ("GLBA") applies to which organizations? A. All organizations that process financial data B. Financial organizations with more than 10,000 customers C. All organizations regulated by the Department of Commerce D. Domestic financial institutions

ANSWER: D. The GLBA, also known as the " Financial Services Modernization Act," was enacted in 1999. It applies to institutions that are significantly engaged in financial activities in the United St at es (also known as " domestic financial institutions"). The GLBA requires domestic financial institutions to, among other things, provide an initial privacy notice when the customer relat ionship is established (and annually thereafter) and also prov ide opt-out notice prior to sharing non public personal information with non-affi liat ed third parties.

79. What was the primary purpose for creating the National Do Not Call Registry? A. To mandate affirmative consumer consent before any entity may conduct a telemarketing call B. To prohibit telemarketing calls placed late at night or during dinner time C. To prohibit all telemarketing calls D. To offer consumers a choice regarding telemarketing calls

ANSWER: D. The National Do Not Call Registry is a list of phone numbers from consumers who have indicated their preference to limit the telemar keting calls they receive. The registry is managed by the Federal Trade Commission ("FTC"), the nation's primary consumer protection agency. It is enforced by the FTC, the Federal Communications Commission ("FCC"), and various state officials. The national registry was created in 2003 to offer consumers a choice regarding telemarketing calls.

70. Which of the following is NOT a type of safeguar d mandated by the Security Rule of the Health Insurance Portability and Accountability Act ('' HI PAA" ) ? A. Technical B. Adm inist rat iv e C. Physical D. Procedural

ANSWER: D. The Securit y Rule establishes national standards to protect individuals' electronic personal health informat ion that is created, received, used, or maintained by a covered entit y. The Security Rule requires appr opriat e administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

66. Which of the following is NOT a major step when developing an effective information management program? A. Discover B. Build C. Communicate D. Compensate

ANSWER: D. The basic steps to developing an information management program are ( 1) discover, (2) build, (3) communicate, and (4) evolve. First , the organ izat ion must discover the environment in which the organization operates. For example, an organ izat ion should understand which laws regulate the organization and impose obligations on the organization related to privacy. An organization must also discover and develop its goals for the information management program . Next, the organization should build and design the information management program with the ident ified goals in mind. Typically, an information management program consists of policies and procedures related to how information will be managed at the organization. The third step is to communicate the policies and procedures to the employees of the organization. In some instances, a formal training may be required. Finally, the organization should ensure that the program evolves as the business needs and legal environment changes. By adhering to these four basic steps, an organization wil l develop an effective informat ion management program.

11. Did the pharmacy commit a violat ion of HIPAA's Priv acy Ru le? A. No, the insurance identification car d does not constitute protected health infor mat ion B. No, the insuran ce identification card was disclosed in connect ion with treatment, payment, or health care operat ions C. No, the pharm acy has implicit aut horizat ion to use the insurance identification card D. Yes, the insurance ident ifi cat ion card constitutes protected health inf ormat ion, and the card was disclosed to a third party wit hou t Kat ie's authorization

ANSWER: D. Under the Privacy Rule , covered ent it ies may only disclose PHI to facilitate treatment, payment , or healt hcar e operations without a patient's express written aut horization . Any other disclosure of PHI requires the covered entity to obtain written aut horization from the data subject for the disclosure. The Pri vacy Rule pertains to all forms of PHI, including both paper and electronic records. Therefor e, a violation has occurred.

37. Which of the following is considered a best pract ice when an organization is considering posting employee photographs on its internal intranet website? A. Process all employee requests to take down their photograph within 5 business days of receiving the request B. Require written consent from employees after posting their photographs C. Request a photograph from each employee before the employee is hired and obtain consent for posting the photograph in the employment agreement D. Obtain the employee's consent before posting the photograph

ANSWER: D. When an organization posts an employee's photograph on its internal intranet or public website, it should first obtain consent from the employee. In fact, in Europe, prior consent for the use of photographs (even on security badges) is always requir ed. Organizations should not request an applicant to submit a photograph before being hired because the photograph may reveal membership in a protected class, thereby potentially result ing in an antidiscrimination claim by the ap plicant .

38. Which of the following accurately describes an employer's ability to conduct video surveillance of its employees? A. Employers may conduct video surveillance of their employees as long as the employer has a legitimate business interest in the surveillance B. Employers may never conduct video surveillance of their employees because it constitutes an invasion of privacy C. Employers may conduct video surveillance of their employees after obtaining consent from the manager of the employees D. Em ployers may generally conduct video surveillance of their employees as long as the surveillance is not in a private place where employees have an expectation of privacy

ANSWER: D. With respect to video surveillance, employers should be cautious of setting up video surveillance in areas of the workplace in which employees have a reasonable expectat ion of privacy. These private areas include bathrooms and locker rooms. Employers should also consider informing employees of the possibility of video surveillance and document the need for such surveillance.