
Dumps Practice Exam Questions Study Guide for the CIPP-US Exam
What is the duration, language, and format of the IAPP CIPP-US: Certified Information Privacy Professional/United States (CIPP/US) Exam?
- Language: IAPP CIPP-US: Certified Information Privacy Professional/United States (CIPP/US) is offered in English (U.S.), French, and German
- Passing score: 85%
- Length of Examination: 150 minutes
- Number of Questions: 90
- Format: Multiple choice, multiple answers
NEW QUESTION 31
John, a California resident, receives notification that a major corporation with $500 million in annual revenue has experienced a data breach. John's personal information in their possession has been stolen, including his full name and social security number. John also learns that the corporation did not have reasonable cybersecurity measures in place to safeguard his personal information.
Which of the following answers most accurately reflects John's ability to pursue a legal claim against the corporation under the California Consumer Privacy Act (CCPA)?
- A. John can sue the corporation for the data breach but only to recover monetary damages he actually suffered as a result of the data breach.
- B. John can sue the corporation for the data breach to recover monetary damages suffered as a result of the data breach, and in some circumstances seek statutory damages irrespective of whether he suffered any financial harm.
- C. John cannot sue the corporation for the data breach because only the state's Attorney General has authority to file suit under the CCPA.
- D. John has no right to sue the corporation because the CCPA does not address any data breach rights.
Answer: A
NEW QUESTION 32
SCENARIO
Please use the following to answer the next question:
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low-level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on a need-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
What could the company have done differently prior to the breach to reduce their risk?
- A. Honored the promise of its privacy policy to acquire information by using an opt-in method.
- B. Implemented a comprehensive policy for accessing customer information.
- C. Communicated requests for changes to users' preferences across the organization and with third parties.
- D. Looked for any persistent threats to security that could compromise the company's network.
Answer: D
NEW QUESTION 33
Most states with data breach notification laws indicate that notice to affected individuals must be sent in the "most expeditious time possible without unreasonable delay." By contrast, which of the following states currently imposes a definite limit for notification to affected individuals?
- A. Maine
- B. New York
- C. Florida
- D. California
Answer: C
Explanation/Reference: https://www.itgovernanceusa.com/data-breach-notification-laws
NEW QUESTION 34
All of the following common law torts are relevant to employee privacy under US law EXCEPT?
- A. Intrusion upon seclusion.
- B. Infliction of emotional distress.
- C. Conversion.
- D. Defamation
Answer: A
NEW QUESTION 35
Which venture would be subject to the requirements of Section 5 of the Federal Trade Commission Act?
- A. A city bus system's frequent rider program
- B. A national bank's no-fee checking promotion
- C. A local nonprofit charity's fundraiser
- D. An online merchant's free shipping offer
Answer: D
NEW QUESTION 36
What important action should a health care provider take if she wants to qualify for funds under the Health Information Technology for Economic and Clinical Health Act (HITECH)?
- A. Make electronic health records (EHRs) part of regular care
- B. Keep electronic updates about the Health Insurance Portability and Accountability Act
- C. Send health information and appointment reminders to patients electronically
- D. Bill the majority of patients electronically for their health care
Answer: A
NEW QUESTION 37
Which of the following is NOT a principle found in the APEC Privacy Framework?
- A. Privacy by Design.
- B. Access and Correction.
- C. Integrity of Personal Information.
- D. Preventing Harm.
Answer: A
NEW QUESTION 38
SCENARIO
Please use the following to answer the next question:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A.
HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B.
As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
What is the most significant reason that the U.S. Department of Health and Human Services (HHS) might impose a penalty on HealthCo?
- A. Because HealthCo did not conduct due diligence to verify or monitor CloudHealth's security measures
- B. Because HIPAA requires the imposition of a fine if a data breach of this magnitude has occurred
- C. Because HealthCo did not require CloudHealth to implement appropriate physical and administrative measures to safeguard the ePHI
- D. Because CloudHealth violated its contract with HealthCo by not encrypting the ePHI
Answer: A
NEW QUESTION 39
What are banks required to do under the Gramm-Leach-Bliley Act (GLBA)?
- A. Process requests for changes to user preferences within a designated time frame
- B. Offer an Opt-Out before transferring PI to an unaffiliated third party for the latter's own use
- C. Provide consumers with the opportunity to opt out of receiving telemarketing phone calls
- D. Conduct annual consumer surveys regarding satisfaction with user preferences
Answer: B
Explanation/Reference: https://www.investopedia.com/terms/g/glba.asp
NEW QUESTION 40
SCENARIO
Please use the following to answer the next question:
Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask questions about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.
Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.
Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.
In any case, Celeste feels that all they need is common sense - like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.
Based on Felicia's Bring Your Own Device (BYOD) plan, the business consultant will most likely advise Felicia and Celeste to do what?
- A. Make employment decisions based on those willing to consent to the plan in writing.
- B. Reconsider the plan in favor of a policy of dedicated work devices.
- C. Weigh any productivity benefits of the plan against the risk of privacy issues.
- D. Adopt the same kind of monitoring policies used for work-issued devices.
Answer: A
NEW QUESTION 41
All of the following are tasks in the "Discover" phase of building an information management program EXCEPT?
- A. Developing a process for review and update of privacy policies
- B. Deciding how aggressive to be in the use of personal information
- C. Facilitating participation across departments and levels
- D. Understanding the laws that regulate a company's collection of information
Answer: D
NEW QUESTION 42
Which federal law or regulation preempts state law?
- A. Health Insurance Portability and Accountability Act
- B. Controlling the Assault of Non-Solicited Pornography and Marketing Act
- C. Electronic Communications Privacy Act of 1986
- D. Telemarketing Sales Rule
Answer: A
NEW QUESTION 43
What does the Massachusetts Personal Information Security Regulation require as it relates to encryption of personal information?
- A. The encryption of all personal information stored in Massachusetts-based companies when all equipment is located in Massachusetts.
- B. The encryption of personal information stored in Massachusetts-based companies when stored on portable devices.
- C. The encryption of all personal information of Massachusetts residents when stored on portable devices.
- D. The encryption of all personal information of Massachusetts residents when all equipment is located in Massachusetts.
Answer: C
NEW QUESTION 44
In what way does the "Red Flags Rule" under the Fair and Accurate Credit Transactions Act (FACTA) relate to the owner of a grocery store who uses a money wire service?
- A. It does not apply because the owner is not a creditor
- B. It requires the owner to implement an identity theft warning system
- C. It mandates the use of updated technology for securing credit records
- D. It is not usually enforced in the case of a small financial institution
Answer: C
NEW QUESTION 45
Who has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA)?
- A. The Consumer Financial Protection Bureau
- B. The Department of Commerce
- C. State Attorneys General
- D. The Federal Trade Commission
Answer: A
NEW QUESTION 46
SCENARIO
Please use the following to answer the next question:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A.
HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B.
As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
What is the most effective kind of training CloudHealth could have given its employees to help prevent this type of data breach?
- A. Training on the difference between confidential and non-public information
- B. Training on CloudHealth's HR policy regarding the role of employees involved in data breaches
- C. Training on the terms of the contractual agreement with HealthCo
- D. Training on techniques for identifying phishing attempts
Answer: D
NEW QUESTION 47
Which act violates the Family Educational Rights and Privacy Act of 1974 (FERPA)?
- A. A newspaper prints the names, grade levels, and hometowns of students who made the quarterly honor roll
- B. A university posts a public student directory that includes names, hometowns, e-mail addresses, and majors
- C. University police provide an arrest report to a student's hometown police, who suspect him of a similar crime
- D. A K-12 assessment vendor obtains a student's signed essay about her hometown from her school to use as an exemplar for public release
Answer: D
NEW QUESTION 48
What practice do courts commonly require in order to protect certain personal information on documents, whether paper or electronic, that is involved in litigation?
- A. Deletion
- B. Encryption
- C. Hashing
- D. Redaction
Answer: D
NEW QUESTION 49
When does the Telemarketing Sales Rule require an entity to share a do-not-call request across its organization?
- A. When the entity manages user preferences through multiple platforms
- B. When the goods and services sold by its divisions are very similar
- C. When a call is not the result of an error or other unforeseen cause
- D. When the operational structures of its divisions are not transparent
Answer: C
NEW QUESTION 50
What is the most likely reason that states have adopted their own data breach notification laws?
- A. Many lawmakers believe that federal enforcement of current laws has not been effective
- B. Many states have unique types of businesses that require specific legislation
- C. Many large businesses have intentionally breached the personal information of their customers
- D. Many types of organizations are not currently subject to federal laws regarding breaches
Answer: A
NEW QUESTION 51
SCENARIO
Please use the following to answer the next question:
Noah is trying to get a new job involving the management of money. He has a poor personal credit rating, but he has made better financial decisions in the past two years.
One potential employer, Arnie's Emporium, recently called to tell Noah he did not get a position. As part of the application process, Noah signed a consent form allowing the employer to request his credit report from a consumer reporting agency (CRA). Noah thinks that the report hurt his chances, but believes that he may not ever know whether it was his credit that cost him the job. However, Noah is somewhat relieved that he was not offered this particular position. He noticed that the store where he interviewed was extremely disorganized. He imagines that his credit report could still be sitting in the office, unsecured.
Two days ago, Noah got another interview for a position at Sam's Market. The interviewer told Noah that his credit report would be a factor in the hiring decision. Noah was surprised because he had not seen anything on paper about this when he applied.
Regardless, the effect of Noah's credit on his employability troubles him, especially since he has tried so hard to improve it. Noah made his worst financial decisions fifteen years ago, and they led to bankruptcy. These were decisions he made as a young man, and most of his debt at the time consisted of student loans, credit card debt, and a few unpaid bills - all of which Noah is still working to pay off. He often laments that decisions he made fifteen years ago are still affecting him today.
In addition, Noah feels that an experience investing with a large bank may have contributed to his financial troubles. In 2007, in an effort to earn money to help pay off his debt, Noah talked to a customer service representative at a large investment company who urged him to purchase stocks. Without understanding the risks, Noah agreed. Unfortunately, Noah lost a great deal of money.
After losing the money, Noah was a customer of another financial institution that suffered a large security breach. Noah was one of millions of customers whose personal information was compromised. He wonders if he may have been a victim of identity theft and whether this may have negatively affected his credit.
Noah hopes that he will soon be able to put these challenges behind him, build excellent credit, and find the perfect job.
Consumers today are most likely protected from situations like the one Noah had buying stock because of which federal action or legislation?
- A. Federal Trade Commission investigations into "unfair and deceptive" acts or practices.
- B. The rules under the Fair Debt Collection Practices Act.
- C. Investigations of "abusive" acts and practices under the Dodd-Frank Wall Street Reform and Consumer Protection Act.
- D. The creation of the Consumer Financial Protection Bureau.
Answer: C
NEW QUESTION 52
How did the Fair and Accurate Credit Transactions Act (FACTA) amend the Fair Credit Reporting Act (FCRA)?
- A. It increased the obligation of organizations to dispose of consumer data in ways that prevent unauthorized access
- B. It expanded the definition of "consumer reports" to include communications relating to employee investigations
- C. It stipulated the purpose of obtaining a consumer report can only be for a review of the employee's credit worthiness
- D. It required employers to get an employee's consent in advance of requesting a consumer report for internal investigation purposes
Answer: A
NEW QUESTION 53
If an organization maintains data classified as high sensitivity in the same system as data classified as low sensitivity, which of the following is the most likely outcome?
- A. Temporary employees will be able to find the data necessary to fulfill their responsibilities.
- B. The impact of an organizational data breach will be more severe than if the data had been segregated.
- C. The organization will be able to address legal discovery requests efficiently without producing more information than necessary.
- D. The organization will still be in compliance with most sector-specific privacy and security laws.
Answer: C
NEW QUESTION 54
According to FERPA, when can a school disclose records without a student's consent?
- A. If the disclosure would not reveal a student's student identification number
- B. If the disclosure is not to be conducted through email to the third party
- C. If the disclosure is to provide transcripts to a school where a student intends to enroll
- D. If the disclosure is to practitioners who are involved in a student's health care
Answer: C
NEW QUESTION 55
......
Topics of IAPP CIPP-US: Certified Information Privacy Professional/United States (CIPP/US) Exam
Candidates should know the exam topics before they start preparing, because it helps them focus on the core material. Our IAPP CIPP/US dumps cover the following topics:
1. Introduction to Data Protection
Origins and Historical Context of Data Protection Law
- Rationale for data protection, human rights laws, early laws and regulations, the need for a harmonised European approach, the Treaty of Lisbon; a modernized framework
Legislative Framework
- The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (the CoE Convention), the EU Data Protection Directive (95/46/EC), the EU Directive on Privacy and Electronic Communications (2000/31/EC), European data retention regimes, The General Data Protection Regulation (GDPR) and related legislation.
2. European Data Protection Law and Regulation
Data Protection Concepts
- Personal data, sensitive personal data, pseudonymous and anonymous data, processing, controller, processor, data subject
Territorial and Material Scope of the GDPR
- Establishment in the EU, non-establishment in the EU
Data Processing Principles
- Fairness and lawfulness, purpose limitation, proportionality, accuracy, storage limitation (retention), integrity and confidentiality
Lawful Processing Criteria
- Consent, contractual necessity, legal obligation, vital interests and public interest, legitimate interests, special categories of processing
Information Provision Obligations
- Transparency principle, privacy notices, layered notices
Data Subjects' Rights
- Access, rectification, erasure and the right to be forgotten, restriction and objection, consent (and withdrawal of), automated decision making, including profiling, data portability, restrictions
Security of Personal Data
- Appropriate technical and organisational measures, breach notification, vendor management, data sharing
Accountability Requirements
- Responsibility of controllers and processors, data protection by design and by default, documentation and cooperation with regulators, data protection impact assessments, mandatory data protection officers
International Data Transfers
- Rationale for prohibition, safe jurisdictions, Safe Harbor and Privacy Shield, model contracts, Binding Corporate Rules (BCRs), codes of conduct and certifications, derogations
Supervision and Enforcement
- Supervisory authorities and their powers, the European Data Protection Board, role of the European Data Protection Supervisor (EDPS)
Consequences for GDPR Violations
- Process and procedures, infringement and fines, data subject compensation
3. Compliance with European Data Protection Law and Regulation
Employment Relationships
- Legal basis for processing of employee data, storage of personnel records, workplace monitoring and data loss prevention, EU Works councils, whistleblowing systems, "Bring your own device" (BYOD) programs
Surveillance Activities
- Surveillance by public authorities, interception of communications, closed-circuit television (CCTV), geolocation
Direct Marketing
- Telemarketing, direct marketing, online behavioural targeting
Internet Technologies and Communications
- Cloud computing, web cookies, search engine marketing (SEM), social networking services
How much does the IAPP CIPP-US: Certified Information Privacy Professional/United States (CIPP/US) Exam cost?
The IAPP CIPP-US: Certified Information Privacy Professional/United States (CIPP/US) exam costs $550 USD, and the retake fee is $375 USD; for more information, please visit the official website.