A large online bookseller decides to contract with a vendor to manage Personal Information (PI). What is the least important factor for the company to consider when selecting the vendor?
A. The vendor's reputation
B. The vendor's financial health
C. The vendor's employee retention rates
D. The vendor's employee training program
What does the Massachusetts Personal Information Security Regulation require as it relates to encryption of personal information?
A. The encryption of all personal information of Massachusetts residents when all equipment is located in Massachusetts.
B. The encryption of all personal information stored in Massachusetts-based companies when all equipment is located in Massachusetts.
C. The encryption of personal information stored in Massachusetts-based companies when stored on portable devices.
D. The encryption of all personal information of Massachusetts residents when stored on portable devices.
Chanel Hair Studio is a busy high-end hair salon. In an effort to maximize efficiency of its operations and reduce wait times for appointments, Chanel decides to implement artificial intelligence software that will use client profiles and history to predict which clients will likely be late for their appointments. Information used to create the client profile included appointment history, distance from the salon, and any references to being tardy pulled from the client's social media accounts. If a client is predicted to be late, their appointment will be cancelled within 5 minutes.
Based on the details, what is the biggest potential privacy concern related to Chanel's use of this new software?
A. Scanning a client's social media accounts to use in a client profile without notice to the client.
B. Calculating client profile address distance from the salon to determine location from salon to help predict if the client will be late.
C. Using client profile information for any purpose other than setting up an appointment.
D. Assessing client tardiness history with the salon for predictive purposes.
SCENARIO
Please use the following to answer the next QUESTION:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company."
This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.
As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer. Under the General Data Protection Regulation (GDPR), how would the U.S.-based startup company most likely be classified?
A. As a data supervisor
B. As a data processor
C. As a data controller
D. As a data manager
A covered entity suffers a ransomware attack that affects the personal health information (PHI) of more than 500 individuals. According to Federal law under HIPAA, which of the following would the covered entity NOT have to report the breach to?
A. Department of Health and Human Services
B. The affected individuals
C. The local media
D. Medical providers
What information did the Red Flag Program Clarification Act of 2010 add to the original Red Flags rule?
A. The most common methods of identity theft.
B. The definition of what constitutes a creditor.
C. The process for proper disposal of sensitive data.
D. The components of an identity theft detection program.
SCENARIO
Please use the following to answer the next QUESTION:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals, ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
Of the safeguards required by the HIPAA Security Rule, which of the following is NOT at issue due to HealthCo's actions?
A. Administrative Safeguards
B.
C. Technical Safeguards
D. Physical Safeguards
E. Security Safeguards
Why was the Privacy Protection Act of 1980 drafted?
A. To respond to police searches of newspaper facilities
B. To assist prosecutors in civil litigation against newspaper companies
C. To assist in the prosecution of white-collar crimes
D. To protect individuals from personal privacy invasion by the police
In which situation would a policy of "no consumer choice" or "no option" be expected?
A. When a job applicant's credit report is provided to an employer
B. When a customer's financial information is requested by the government
C. When a patient's health record is made available to a pharmaceutical company
D. When a customer's street address is shared with a shipping company
Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. Finally, she believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.
Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.
In any case, Celeste feels that all they need is common sense, like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.
Which law will be most relevant to Felicia's plan to ask applicants about drug addiction?
A.
B. The Americans with Disabilities Act (ADA).
C. The Occupational Safety and Health Act (OSHA).
D. The Genetic Information Nondiscrimination Act of 2008.
E. The Health Insurance Portability and Accountability Act (HIPAA).