CIPM Exam Questions - Online Test


CIPM Premium VCE File

Learn More 100% Pass Guarantee - Dumps Verified - Instant Download
150 Lectures, 20 Hours

Exam Code: CIPM
Exam Name: Certified Information Privacy Manager (CIPM)
Certification Provider: IAPP

Sample questions:

NEW QUESTION 1
For an organization that has just experienced a data breach, what might be the least relevant metric for a company's privacy and governance team?

  • A. The number of security patches applied to company devices.
  • B. The number of privacy rights requests that have been exercised.
  • C. The number of Privacy Impact Assessments that have been completed.
  • D. The number of employees who have completed data awareness training.

Answer: A

NEW QUESTION 2
SCENARIO
Please use the following to answer the next question:
John is the new privacy officer at the prestigious international law firm – A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.
During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor – MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did some quick research on MessageSafe's previous breach and learned that it was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, so it is critical to have the email continuity service in place to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon, and he doesn't have the time or resources to look for another solution. Furthermore, the off-premises email continuity service will only be turned on when the email service at both of A&M LLP's primary and secondary data centers is down, and the email messages stored at the MessageSafe site for the continuity service will be automatically deleted after 30 days.
Which of the following is the most effective control to enforce MessageSafe's implementation of appropriate technical countermeasures to protect the personal data received from A&M LLP?

  • A. MessageSafe must apply due diligence before trusting Cloud Inc. with the personal data received from A&M LLP.
  • B. MessageSafe must flow-down its data protection contract terms with A&M LLP to Cloud Inc.
  • C. MessageSafe must apply appropriate security controls on the cloud infrastructure.
  • D. MessageSafe must notify A&M LLP of a data breach.

Answer: D

NEW QUESTION 3
What United States federal law requires financial institutions to declare their personal data collection practices?

  • A. The Kennedy-Hatch Disclosure Act of 1997.
  • B. The Gramm-Leach-Bliley Act of 1999.
  • C. SUPCLA, or the federal Superprivacy Act of 2001.
  • D. The Financial Portability and Accountability Act of 2006.

Answer: B

NEW QUESTION 4
What should a privacy professional keep in mind when selecting which metrics to collect?

  • A. Metrics should be reported to the public.
  • B. The number of metrics should be limited at first.
  • C. Metrics should reveal strategies for increasing company earnings.
  • D. A variety of metrics should be collected before determining their specific functions.

Answer: A

NEW QUESTION 5
Under the General Data Protection Regulation (GDPR), which situation would be LEAST likely to require a Data Protection Impact Assessment (DPIA)?

  • A. A health clinic processing its patients’ genetic and health data
  • B. The use of a camera system to monitor driving behavior on highways
  • C. A Human Resources department using a tool to monitor its employees’ internet activity
  • D. An online magazine using a mailing list to send a generic daily digest to marketing emails

Answer: D

NEW QUESTION 6
SCENARIO
Please use the following to answer the next question:
Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with her long-time business partner Sadie, Amira has watched the company grow into a major competitor in the green energy market. The current line of products includes wind turbines, solar energy panels, and equipment for geothermal systems. A talented team of developers means that NatGen's line of products will only continue to grow.
With the expansion, Amira and Sadie have received advice from new senior staff members brought on to help manage the company's growth. One recent suggestion has been to combine the legal and security functions of the company to ensure observance of privacy laws and the company's own privacy policy. This sounds overly complicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data in ways that will best suit their needs. She does not want administrative oversight and complex structuring to get in the way of people doing innovative work.
Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is an unnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will use the best possible equipment for electronic storage of customer and employee data. She simply needs a list of equipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider before the company gets to that stage.
Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust the monitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers can adjust the company privacy policy according to what works best for their particular departments. NatGen's CEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would be highly unlikely to raise any concerns with their customer base, as long as the data is always used in the course of normal business activities.
Perhaps what has been most perplexing to Sadie and Amira has been the CIO's recommendation to institute a privacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise by allowing employees to take turns handling reports of privacy policy violations. The implementation will be easy because the employees need no special preparation. They will simply have to document any concerns they hear.
Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporate culture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying a unique approach.
What Data Lifecycle Management (DLM) principle should the company follow if they end up allowing departments to interpret the privacy policy differently?

  • A. Prove the authenticity of the company's records.
  • B. Arrange for official credentials for staff members.
  • C. Adequately document reasons for inconsistencies.
  • D. Create categories to reflect degrees of data importance.

Answer: C

NEW QUESTION 7
Rationalizing requirements in order to comply with the various privacy obligations imposed by applicable law and regulation does NOT include which of the following?

  • A. Harmonizing shared obligations and privacy rights across varying legislation and/or regulators.
  • B. Implementing a solution that significantly addresses shared obligations and privacy rights.
  • C. Applying the strictest standard for obligations and privacy rights that doesn't violate privacy laws elsewhere.
  • D. Addressing requirements that fall outside the common obligations and rights (outliers) on a case-by-case basis.

Answer: C

NEW QUESTION 8
Why were the nongovernmental privacy organizations, Electronic Frontier Foundation (EFF) and Electronic Privacy Information Center (EPIC), established?

  • A. To promote consumer confidence in the Internet industry.
  • B. To improve the user experience during online shopping.
  • C. To protect civil liberties and raise consumer awareness.
  • D. To promote security on the Internet through strong encryption.

Answer: C

NEW QUESTION 9
SCENARIO
Please use the following to answer the next question:
Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used the same vendor to operate all aspects of an online store for several years. As a small nonprofit, the Society cannot afford the higher-priced options, but you have been relatively satisfied with this budget vendor, Shopping Cart Saver (SCS). Yes, there have been some issues. Twice, people who purchased items from the store have had their credit card information used fraudulently subsequent to transactions on your site, but in neither case did the investigation reveal with certainty that the Society's store had been hacked. The thefts could have been employee-related.
Just as disconcerting was an incident where the organization discovered that SCS had sold information it had collected from customers to third parties. However, as Jason Roland, your SCS account representative, points out, it took only a phone call from you to clarify expectations and the “misunderstanding” has not occurred again.
As an information-technology program manager with the Society, the role of the privacy professional is only one of many you play. In all matters, however, you must consider the financial bottom line. While these problems with privacy protection have been significant, the additional revenues of sales of items such as shirts and coffee cups from the store have been significant. The Society’s operating budget is slim, and all sources of revenue are essential.
Now a new challenge has arisen. Jason called to say that starting in two weeks, the customer data from the store would now be stored on a data cloud. “The good news,” he says, “is that we have found a low-cost provider in Finland, where the data would also be held. So, while there may be a small charge to pass through to you, it won’t be exorbitant, especially considering the advantages of a cloud.”
Lately, you have been hearing about cloud computing and you know it’s fast becoming the new paradigm for various applications. However, you have heard mixed reviews about the potential impacts on privacy protection. You begin to research and discover that a number of the leading cloud service providers have signed a letter of intent to work together on shared conventions and technologies for privacy protection. You make a note to find out if Jason’s Finnish provider is signing on.
What process can best answer your questions about the vendor's data security safeguards?

  • A. A second-party or supplier audit
  • B. A reference check with other clients
  • C. A table top demonstration of a potential threat
  • D. A public records search for earlier legal violations

Answer: B

NEW QUESTION 10
An organization's privacy officer was just notified by the benefits manager that she accidentally sent the retirement enrollment report of all employees to the wrong vendor.
Which of the following actions should the privacy officer take first?

  • A. Perform a risk of harm analysis.
  • B. Report the incident to law enforcement.
  • C. Contact the recipient to delete the email.
  • D. Send firm-wide email notification to employees.

Answer: A

NEW QUESTION 11
Which of the following privacy frameworks are legally binding?

  • A. Binding Corporate Rules (BCRs).
  • B. Generally Accepted Privacy Principles (GAPP).
  • C. Asia-Pacific Economic Cooperation (APEC) Privacy Framework.
  • D. Organization for Economic Co-Operation and Development (OECD) Guidelines.

Answer: A

NEW QUESTION 12
An executive for a multinational online retail company in the United States is looking for guidance in developing her company's privacy program beyond what is specifically required by law.
What would be the most effective resource for the executive to consult?

  • A. Internal auditors.
  • B. Industry frameworks.
  • C. Oversight organizations.
  • D. Breach notifications from competitors.

Answer: B

NEW QUESTION 13
SCENARIO
Please use the following to answer the next question:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them."
Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!"
Which is the best first step in understanding the data security practices of a potential vendor?

  • A. Requiring the vendor to complete a questionnaire assessing International Organization for Standardization (ISO) 27001 compliance.
  • B. Conducting a physical audit of the vendor's facilities.
  • C. Conducting a penetration test of the vendor's data security structure.
  • D. Examining investigation records of any breaches the vendor has experienced.

Answer: D

NEW QUESTION 14
What is the main reason to begin with 3-5 key metrics during the program development process?

  • A. To avoid undue financial costs.
  • B. To keep the focus on the main organizational objectives.
  • C. To minimize selective data use.
  • D. To keep the process limited to as few people as possible.

Answer: C

NEW QUESTION 15
SCENARIO
Please use the following to answer the next question:
Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia to help run his aging grandfather's law practice. The elder McAdams desired a limited, lighter role in the practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and assesses the office's strategies for growth.
Immediately upon arrival, Richard was amazed at the amount of work that needed to be done in order to modernize the office, mostly in regard to the handling of clients' personal data. His first goal is to digitize all the records kept in file cabinets, as many of the documents contain personally identifiable financial and medical data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues unless a formal policy is firmly in place. Richard is also concerned with the overuse of the communal copier/printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing policy by the year's end.
Richard expressed his concerns to his grandfather, who agreed that updating data storage, data security, and the overall approach to protecting personal data in all facets is necessary. Mr. McAdams granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following day to get insight into how the office computer system is currently set up and managed.
As Richard begins to research more about Data Lifecycle Management (DLM), he discovers that the law office can lower the risk of a data breach by doing what?

  • A. Prioritizing the data by order of importance.
  • B. Minimizing the time it takes to retrieve the sensitive data.
  • C. Reducing the volume and the type of data that is stored in its system.
  • D. Increasing the number of experienced staff to code and categorize the incoming data.

Answer: C
