IAPP CIPM - Certified Information Privacy Manager (CIPM)

Page: 8 / 9
Total 274 questions

SCENARIO

Please use the following to answer the next QUESTION:

Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.

Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.

Spencer â€“ a former CEO and currently a senior advisor â€“ said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.

One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. "Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.

Spencer replied that acting with reason means allowing security to be handled by the security functions within the company â€“ not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.

Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."

Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.

Based on the scenario, Nationwide Grill needs to create better employee awareness of the company's privacy program by doing what?

Varying the modes of communication.

Communicating to the staff more often.

Improving inter-departmental cooperation.

Requiring acknowledgment of company memos.

Question # 72

(The following are examples of privacy by design EXCEPT?)

Incorporating privacy consultations into technology procurement requests.

Assessing privacy risks in the architecture of a proposed customer-facing tool.

Integrating pre-defined privacy controls into standard product launch procedures.

Conducting a root cause analysis on privacy incidents to recommend response improvements.

Question # 73

Which of the following is a physical control that can limit privacy risk?

Keypad or biometric access.

user access reviews.

Encryption.

Tokenization.

Question # 74

Rationalizing requirements in order to comply with the various privacy requirements required by applicable law and regulation does NOT include which of the following?

Harmonizing shared obligations and privacy rights across varying legislation and/or regulators.

Implementing a solution that significantly addresses shared obligations and privacy rights.

Applying the strictest standard for obligations and privacy rights that doesn't violate privacy laws elsewhere.

Addressing requirements that fall outside the common obligations and rights (outliers) on a case-by-case basis.

Question # 75

SCENARIO

Please use the following to answer the next QUESTION:

As they companyâ€™s new chief executive officer, Thomas Goddard wants to be known as a leader in data

protection. Goddard recently served as the chief financial officer of Hoopy.com, a pioneer in online video viewing with millions of users around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically Questionable practices, including unauthorized sales of personal data to marketers. Hoopy also was the target of credit card data theft that made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the companyâ€™s claims that â€œappropriateâ€ data protection safeguards were in place. The scandal affected the companyâ€™s business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddardâ€™s mentor, was forced to step down.

Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Medialite, which is just emerging from its start-up phase. He sold the companyâ€™s board and investors on his vision of Medialite building its brand partly on the basis of industry-leading data protection standards and procedures. He may have been a key part of a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in privacy protection. In his first week on the job, he calls you into his office and explains that your primary work responsibility is to bring his vision for privacy to life. But you also detect some reservations. â€œWe want Medialite to have absolutely the highest standards,â€ he says. â€œIn fact, I want us to be able to say that we are the clear industry leader in privacy and data protection. However, I also need to be a responsible steward of the companyâ€™s finances. So, while I want the best solutions across the board, they also need to be cost effective.â€

You are told to report back in a weekâ€™s time with your recommendations. Charged with this ambiguous mission, you depart the executive suite, already considering your next steps.

What metric can Goddard use to assess whether costs associated with implementing new privacy protections are justified?

Compliance ratio

Cost-effective mean

Return on investment

Implementation measure

Question # 76

A new business crafting its privacy policy is struggling with how it will define the term "personal data."

Which of the following should inform this decision?

The types of special categories of data being processed.

The business's requirements for storing collected data.

The amount of data the business expects to collect.

The privacy laws to which the business is subject.

Question # 77

SCENARIO

Please use the following to answer the next QUESTION:

Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new privacy officer. The company is based in California but thanks to some great publicity from a social media influencer last year, the company has received an influx of sales from the EU and has set up a regional office in Ireland to support this expansion. To become familiar with Ace Spaceâ€™s practices and assess what her privacy priorities will be, Penny has set up meetings with a number of colleagues to hear about the work that they have been doing and their compliance efforts.

Pennyâ€™s colleague in Marketing is excited by the new sales and the companyâ€™s plans, but is also concerned that Penny may curtail some of the growth opportunities he has planned. He tells her â€œI heard someone in the breakroom talking about some new privacy laws but I really donâ€™t think it affects us. Weâ€™re just a small company. I mean we just sell accessories online, so whatâ€™s the real risk?â€ He has also told her that he works with a number of small companies that help him get projects completed in a hurry. â€œWeâ€™ve got to meet our deadlines otherwise we lose money. I just sign the contracts and get Jim in finance to push through the payment. Reviewing the contracts takes time that we just donâ€™t have.â€

In her meeting with a member of the IT team, Penny has learned that although Ace Space has taken a number of precautions to protect its website from malicious activity, it has not taken the same level of care of its physical files or internal infrastructure. Pennyâ€™s colleague in IT has told her that a former employee lost an encrypted USB key with financial data on it when he left. The company nearly lost access to their customer database last year after they fell victim to a phishing attack. Penny is told by her IT colleague that the IT team â€œdidnâ€™t know what to do or who should do what. We hadnâ€™t been trained on it but weâ€™re a small team though, so it worked out OK in the end.â€ Penny is concerned that these issues will compromise Ace Spaceâ€™s privacy and data protection.

Penny is aware that the company has solid plans to grow its international sales and will be working closely with the CEO to give the organization a data â€œshake upâ€. Her mission is to cultivate a strong privacy culture within the company.

Penny has a meeting with Ace Spaceâ€™s CEO today and has been asked to give her first impressions and an overview of her next steps.

What information will be LEAST crucial from a privacy perspective in Pennyâ€™s review of vendor contracts?

Audit rights

Liability for a data breach

Pricing for data security protections

The data a vendor will have access to

Explanation:

The information that will be least crucial from a privacy perspective in Pennyâ€™s review of vendor contracts is the pricing for data security protections Â©. This is because the pricing for data security protections is a business decision that does not directly affect the privacy rights and obligations of Ace Space and its customers. The pricing for data security protections may be relevant for budgeting and negotiating purposes, but it does not determine the level or adequacy of data security measures that the vendor must provide to protect personal data.

The other options are more crucial from a privacy perspective in Pennyâ€™s review of vendor contracts. Audit rights (A) are important to ensure that Ace Space can monitor and verify the vendorâ€™s compliance with the contract terms and the applicable privacy laws and regulations. Audit rights allow Ace Space to access the vendorâ€™s records, systems, policies and procedures related to personal data processing and to conduct inspections or assessments as needed. Liability for a data breach (B) is important to allocate the responsibility and consequences of a data breach involving personal data that the vendor processes on behalf of Ace Space. Liability for a data breach may include indemnification, compensation, notification, remediation and termination clauses that protect Ace Spaceâ€™s interests and obligations in the event of a data breach. The data a vendor will have access to (D) is important to define the scope, purpose, duration and conditions of the personal data processing that the vendor will perform for Ace Space. The data a vendor will have access to may include the categories, types, sources, recipients and retention periods of personal data that the vendor will collect, store, use or share on behalf of Ace Space.

[References:, CIPM Body of Knowledge Domain II: Privacy Program Operational Life Cycle - Task 3: Implement privacy program components - Subtask 3: Establish third-party processor management program, CIPM Study Guide - Chapter 4: Privacy Program Operational Life Cycle - Section 4.3: Third-Party Processor Management, , ]

Question # 78

Last year Ecosoft 8150 was hacked and a number of servers and programs were affected. Since the incident, the company started collecting metrics on data privacy and system outages to try to stop it from happening in the future.

What analysis would be most helpful based on the data they have collected?

Return on Investment (ROI).

Compliance analysis.

Business Resiliency.

Trend analysis.

Question # 79

(All of the following are components of a data collection notice EXCEPT?)

The categories of information shared with third parties.

The length of time the personal information will be stored.

The meta-data which could be generated from collection of the information.

The lawful interests pursued by the responsible party collecting the information.

Question # 80

What is the main purpose in notifying data subjects of a data breach?

To avoid financial penalties and legal liability.

To enable regulators to understand trends and developments that may shape the law.

To ensure organizations have accountability for the sufficiency of their security measures.

To allow individuals to take any actions required to protect themselves from possible consequences.

Spring Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

IAPP CIPM - Certified Information Privacy Manager (CIPM)

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

The Answer Is:

Explanation:

The Answer Is:

Explanation: