CIPP/US Practice Questions
The criteria for an existing business relationship, as defined by TSR, includes A. A transaction taking place within the last 18 months. B. A transaction taking place within the past two years. C. An offer has been requested within the past year. D. An offer has been requested within the last six months
A. A transaction taking place within the last 18 months.
Which two FCRA rules were added with the Fair and Accurate Credit Transitions Act in 2003? A. Disposal Rule and Red Flags Rule B. Privacy Rule and Safeguards Rule C. Disposal Rule and Safeguards Rule D. Privacy Rule and Red Flags Rule
A. Disposal Rule and Red Flags Rule
Under Section 702 of FISA, which surveillance program allows data requests of Internet Service Providers? A. PRISM B. MAGENTA C. RAINBOW D. Upstream
A. PRISM
Which form of malicious online threat targets an individual user and pretends to be a legitimate party, such as a bank, to steal personal data? A. Spear Phishing B. Ransomware C. Technical Based Attack D. Hacking
A. Spear Phishing
Which legislation provides privacy provisions for the exemption of disclosure of certain biomedical information, securing remote access to view PHI, prohibiting the blocking of information, certificates of confidentiality, and compassionate sharing of mental health or substance abuse information with family or caregivers? A. 21st Century Cures Act of 2016 B. GINA of 2008 C. HITECH of 2013 D. HIPAA Security Rule of 2003
A. 21st Century Cures Act of 2016
Use the following scenario to answer questions 1 through 5.
Don lives in California with his wife and two children. Sarah is 12 years old and in the 7th grade at her school. Robert is 15 and a sophomore at his school. Don is concerned about his children and their online activities as they use social media and talk with their friends. Sarah has an Xbox One that she primarily uses to stream content from Netflix, Hulu, and YouTube, but she does play a few games on the system too. Robert has a PlayStation 4 and is an avid gamer. He loves cooperative multiplayer games with his friends. Sarah and Robert each received their gaming consoles as a gift from their parents last year. Upon first use, both had to set up user profiles and input some basic information.
1. According to the Children's Online Privacy Protection Rule, all the following would be considered personal information EXCEPT: A. The children's first and last names B. Gamer tags or other user IDs C. Identifying favorite shows on streaming services D. Any picture showing the child's face
2. Which statement is TRUE regarding Sarah and Robert under COPPA? A. COPPA applies to both Sarah and Robert B. COPPA applies to Sarah, but not Robert C. COPPA applies to Robert, but not Sarah D. COPPA applies to neither Robert nor Sarah
3. One of Don's concerns is the easy access to pornography on the internet today. He does not want his children viewing pornography either purposely or accidentally. Which statement is TRUE regarding protecting children from pornography? A. COPPA will prevent a child from lying about their age to view adult content. B. COPPA will prevent websites from displaying pornography to children. C. Don can prevent his children from watching pornography by controlling what apps they install. D. Don can discourage his children from viewing pornography by understanding and using parental controls on all their devices.
4. Don understands that some location-based services simply enhance the user experience. Others, such as daily fantasy sports applications that allow sports betting, require that location-based services be activated to function at all. Given Don's concern over his children's safety, which of the following best practices would you recommend to Don? A. Do not allow the children to use location-based services at all. B. Allow the children to turn on location-based services on their smartphones, but not their gaming consoles. C. Allow the children to turn on location-based services on their gaming consoles, but not their smartphones. D. Allow the children to turn on location-based services on all their devices.
5. Robert has been having some arguments with another boy at school. The other boy has posted a semi-nude picture of Robert on social media that he took in the boys' locker room after football practice. Along with the picture, the boy identified Robert by first and last name and the school they attend. Regarding privacy law, what course of action would you recommend to Don in this situation? A. Contact the social media website to have the content removed. B. Report the incident to the FTC since they have specific authority for COPPA. C. Have Robert do the same thing to the other boy. D. Attempt to contact the boy's parents and make them remove the picture and information.
Answers: 1. C. Identifying favorite shows on streaming services 2. B. COPPA applies to Sarah, but not Robert 3. D. Don can discourage his children from viewing pornography by understanding and using parental controls on all their devices. 4. C. Allow the children to turn on location-based services on their gaming consoles, but not their smartphones. 5. A. Contact the social media website to have the content removed.
Use the following scenario to answer questions 1 through 5.
Lawrence works in the billing office of TH Medical Clinic. Lawrence is 30 years old with a bachelor's degree in finance. Lawrence received training during his orientation that included what PHI is collected, when it is collected, how it is stored, when it is destroyed, when it is updated, and an overview of HIPAA requirements as they relate to his position. Since he is in billing, Lawrence has the highest security classification at the medical clinic, since he sees PHI for the patient, payment information for the patient, insurance information, and billing codes related to each patient's diagnosis and treatment at the clinic. Lawrence has been asked to be a trainer in the future for new employees who will need to understand HIPAA and various processes in the company related to the data. Therefore, Lawrence is reviewing his own materials to refresh his memory.
1. What was the primary reason for the creation of HIPAA? A. To introduce protected health information security measures. B. To increase the efficiency of electronic healthcare payments. C. To create a common database within healthcare systems for patient diagnosis and prescription management. D. To extend privacy laws to business associates within health care.
2. Lawrence works for a healthcare provider. Which of the following healthcare entities covered by HIPAA (prior to HITECH) includes third-party organizations that host, handle, or process medical information? A. Business Associates B. Healthcare Clearinghouses C. Healthcare Plans D. Healthcare Controllers
3. Which of the following scenarios would NOT be covered under HIPAA? A. Doctor visit for annual physical B. Chemotherapy related to cancer treatment in a medical facility C. Billing codes, patient name, and insurance identification sent to an insurance company for payment D. Medical books purchased through Amazon
4. What is the primary purpose of the HIPAA Security Rule? A. Establish minimum security requirements for medical facilities following the 2001 terrorist attacks. B. Establish minimum security requirements for PHI collected in any form. C. Establish minimum security requirements for PHI collected in electronic form. D. Establish a secure manner of payment processing for insurance claims.
5. All the following are security requirements set forth by the HIPAA Security Rule, EXCEPT: A. Designate a responsible person for the security program. B. Ensure compliance by the workforce and implement a security awareness and training program. C. Conduct initial and ongoing risk assessments. D. Establish an annual compliance audit process with the Office for Civil Rights.
Answers: 1. B. To increase the efficiency of electronic healthcare payments. 2. B. Healthcare Clearinghouses 3. D. Medical books purchased through Amazon 4. C. Establish minimum security requirements for PHI collected in electronic form. 5. D. Establish an annual compliance audit process with the Office for Civil Rights.
Based on current US employment privacy laws, which of the following should NOT be expected to happen while employed with a company? A. Taking a polygraph test due to a theft at work. B. Video monitoring only for workplace safety compliance. C. GPS tracking while making deliveries for work. D. A manager accessing your computer to get a needed file while you are on vacation.
A. Taking a polygraph test due to a theft at work.
Which of the following definitions best defines privacy as cited in the text and related to privacy law? A. The desire of people to freely choose the circumstances and the degree to which individuals will expose their attitudes and behavior to others. B. The ability of an individual to not be observed or disturbed by other people. C. The desire of people to be free from surveillance by the government or undue public attention while residing on their personal property. D. The right of an individual or group to seclude themselves from other individuals or organizations.
A. The desire of people to freely choose the circumstances and the degree to which individuals will expose their attitudes and behavior to others.
In which of the following laws is disclosure forbidden unless a person has expressly opted in? A. Bank Secrecy Act B. COPPA C. GLBA D. US Patriot Act
B. COPPA
Which step in developing an Information Management Program involves distributing privacy policies and privacy notices? A. Build B. Communicate C. Discover D. Regulate
B. Communicate
Regarding data information management, which of the following tasks can help with compliance audits, quickly comply with legal discovery requests, and ensure data is stored efficiently? A. Data Mapping B. Data Classification C. Data Flow Documentation D. Data Protection Laws
B. Data Classification
Which of the following entities is the PRIMARY enforcer of the HIPAA Privacy Rule and can assess civil monetary penalties? A. Federal Trade Commission B. Office for Civil Rights C. State Attorney General D. US Department of Justice
B. Office for Civil Rights
Who is responsible for notifying consumers when adverse action is taken based on information in a consumer credit report? A. The Credit Bureau B. The User C. The Credit Reporting Agency D. The Consumer Financial Protection Bureau
B. The User
In most cases, the FTC settles disputes through consent decrees and consent orders. What is the maximum length of a consent decree? A. 5 years B. 10 years C. 20 years D. Indefinitely
C. 20 years
The "third-party doctrine", as it relates to the Fourth Amendment of the US Constitution, concerns: A. Three authorities are required for creating and administering a warrant. B. Someone referring to themselves in the third person is hiding something. C. Data or information a suspect shares with a third party is not privacy protected. D. A third party can wiretap a suspect without a warrant and then give the data to the police.
C. Data or information a suspect shares with a third party is not privacy protected.
General health records for private schools that accept no federal funding are subject to: A. FERPA B. PPRA C. HIPAA D. No Child Left Behind
C. HIPAA
Which legislation provides protection to the media from government searches unless they have committed a crime or threaten to commit a crime? A. Communications Assistance for Law Enforcement Act B. Stored Communications Act C. Privacy Protection Act D. Cybersecurity Information Sharing Act
C. Privacy Protection Act
Which of the following would NOT fall under the jurisdiction of the GDPR? A. A German company with assets in France and employees in both countries. B. An Italian company selling products and services worldwide. C. A Spanish company that processes data of US citizens. D. A US company that sells products and services in South America.
D. A US company that sells products and services in South America.
Who has a private right of action regarding violations of the CAN-SPAM Act? A. Businesses that receive unsolicited advertisements to business email addresses. B. Governmental agencies that receive unsolicited advertisements to .gov addresses. C. Individuals who receive unsolicited advertisements to personal email addresses. D. Internet Service Providers attempting to protect their customers from unsolicited email advertisements.
D. Internet Service Providers attempting to protect their customers from unsolicited email advertisements.
Which of the following requires financial institutions to maintain security controls to protect personal consumer information for both electronic and paper records, and requires institutions to implement an information security program? A. California Financial Information Privacy Act B. Privacy Rule C. Red Flags Rule D. Safeguards Rule
D. Safeguards Rule
Which of the following is NOT a legal requirement when a potential employer is using information in a consumer report to determine employment eligibility? A. A permissible purpose must exist for the report information. B. The candidate must receive written notice that a report will be requested. C. The candidate must give written consent before the report is obtained. D. The candidate must receive notice whether adverse action was taken or not.
D. The candidate must receive notice whether adverse action was taken or not.