CIPP-C Online Practice Questions and Answers

Questions 4

Which case, brought before the Federal Court, helped determine that the Office of the Privacy Commissioner of Canada (OPC) had jurisdiction to investigate complaints about United States companies collecting, using and disclosing the personal information of individuals within Canada?

A. TJX Winners - Homesense.

B. Facebook: 2019.

C. Blood Tribe.

D. Abika.com.

Questions 5

A federally regulated company based in Ontario has customers in Ontario, Quebec, New Brunswick, Alberta and British Columbia. Unfortunately, a third-party vendor that provides marketing support to the company experiences a privacy breach which impacts the personal information of all its customers across the provinces where it operates.

The Privacy Officer determines that the breach causes a real risk of significant harm to their customers and is tasked with reporting the breach to the relevant regulators.

With which provincial privacy regulators does the company have to file a report?

A. It is unnecessary to file a report with any provinces because the company is federally regulated

B. All of the provinces where its customers are located

C. New Brunswick and British Columbia only

D. Québec and Alberta only

Questions 6

In which circumstance do private sector privacy laws permit collection of information without consent?

A. When timely consent cannot be obtained by the organization and the collection is clearly in the individual's interests.

B. When the collection is necessary for the organization to complete a profile of the individual.

C. When the collection is reasonable for purposes related to the organization's mandate.

D. When the individual expressly waives their right to give consent.

Questions 7

What is the main reason some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices?

A. A large amount of money may have to be spent on improved technology and security

B. Industries may not be strict enough in the creation and enforcement of rules

C. A new business owner may not understand the regulations

D. Human rights may be disregarded for the sake of privacy

Questions 8

The "Consumer Privacy Bill of Rights" presented in a 2012 Obama administration report is generally based on?

A. The 1974 Privacy Act

B. Common law principles

C. European Union Directive

D. Traditional fair information practices

Questions 9

What does the Massachusetts Personal Information Security Regulation require as it relates to encryption of personal information?

A. The encryption of all personal information of Massachusetts residents when all equipment is located in Massachusetts.

B. The encryption of all personal information stored in Massachusetts-based companies when all equipment is located in Massachusetts.

C. The encryption of personal information stored in Massachusetts-based companies when stored on portable devices.

D. The encryption of all personal information of Massachusetts residents when stored on portable devices.

Questions 10

What is the main purpose of the CAN-SPAM Act?

A. To diminish the use of electronic messages to send sexually explicit materials

B. To authorize the states to enforce federal privacy laws for electronic marketing

C. To empower the FTC to create rules for messages containing sexually explicit content

D. To ensure that organizations respect individual rights when using electronic advertising

Questions 11

What do the Civil Rights Act, Pregnancy Discrimination Act, Americans with Disabilities Act, Age Discrimination Act, and Equal Pay Act all have in common?

A. They require employers not to discriminate against certain classes when employees use personal information

B. They require that employers provide reasonable accommodations to certain classes of employees

C. They afford certain classes of employees privacy protection by limiting inquiries concerning their personal information

D. They permit employers to use or disclose personal information specifically about employees who are members of certain classes

Questions 12

SCENARIO

Please use the following to answer the next QUESTION:

You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.

A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals, ones that exposed the PHI of public figures including celebrities and politicians.

During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.

A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.

What is the most effective kind of training CloudHealth could have given its employees to help prevent this type of data breach?

A. Training on techniques for identifying phishing attempts

B. Training on the terms of the contractual agreement with HealthCo

C. Training on the difference between confidential and non-public information

D. Training on CloudHealth's HR policy regarding the role of employees involved in data breaches

Questions 13

Under state breach notification laws, which is NOT typically included in the definition of personal information?

A. State identification number

B. First and last name

C. Social Security number

D. Medical Information

Exam Code: CIPP-C
Exam Name: Certified Information Privacy Professional/ Canada (CIPP/C)
Last Update: Jun 18, 2026
Questions: 226