Exam 5

1. In accordance with the Fair Credit Reporting Act ("FCRA"), willful violations of the Act are punishable by a statutory maximum penalty of how much per violation?
A. $500
B. $2,000
C. $2,500
D. There is no limit

ANSWER: C. The FCRA provides a civil penalty of up to $2,500 per violation, recoverable by the FTC, for knowing violations of the Act. A consumer who sues for willful noncompliance may recover his actual damages or statutory damages of $100 to $1,000 per violation, plus possible punitive damages, as well as reasonable

2. Which of the following may be classified as an unfair trade practice by the Federal Trade Commission ("FTC")?
A. A website's privacy notice clearly states that it will not encrypt sensitive personal information, and the website does not, in fact, encry

ANSWER: A. Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce." Answer A is an example of an unfair trade practice because the website is not being deceptive, but the potential harm caused by the website's f

3. In accordance with the Family Educational Rights and Privacy Act ("FERPA"), a school must provide parents or eligible students with their educational records within how many days of a request for the records?
A. 10 days
B. 30 days
C. 45 days
D. 90 days

ANSWER: C. Under FERPA, a school must provide a parent or eligible student with an opportunity to inspect and review the student's education records within 45 days following receipt of a request by the parent or eligible student.

4. In accordance with the Fair Credit Reporting Act ("FCRA"), a consumer is entitled to a free copy of his credit report if he requests the report within how many days after an adverse action?
A. 30 days
B. 45 days
C. 60 days
D. 120 days

ANSWER: C. Each national consumer reporting agency that maintains a file on a consumer shall provide a free credit report to the consumer if, no later than 60 days after receipt by such consumer of an adverse action notification, the consumer makes a requ

5. In accordance with the Family Educational Rights and Privacy Act ("FERPA"), which of the following records does NOT constitute educational records?
A. Campus police records
B. School employment records
C. School discipline records
D. Educational trans

ANSWER: A. In 1992, FERPA was amended to exempt from the definition of educational records those records maintained by a law enforcement unit of the educational agency or institution. Educational
records are defined in FERPA as "those records, files, docu

6. Which agency is primarily responsible for protecting employee privacy in the United States?
A. Federal Trade Commission ("FTC")
B. Federal Communications Commission ("FCC")
C. Federal Bureau of Investigation ("FBI")
D. Office of Supervisory Jurisdicti

ANSWER: A. The FTC is the agency primarily responsible for employee privacy in the United States. The FTC regulates unfair and deceptive commercial trade practices, as well as other laws protecting employee privacy, including the Fair Credit Reporting Ac

7. The Federal Trade Commission ("FTC") was originally founded to enforce which body of law?
A. Employee privacy
B. Antitrust
C. Tax and banking
D. International trade

ANSWER: B. The FTC was created on September 26, 1914, when President Woodrow Wilson signed the Federal Trade Commission Act into law. The FTC opened its doors on March 16, 1915. The FTC's original mission was to enforce the rules of a competitive marketp

8. The Children's Online Privacy Protection Act ("COPPA") was enacted to primarily prevent which of the following activities?
A. To prevent children from using a parent's credit card information without consent
B. To protect the privacy of children unde

ANSWER: C. COPPA prohibits unfair and deceptive acts or practices in connection with the collection, use, or disclosure of personal information from children under the age of 13 in an online environment. The Act was passed in response to an alarming tren

9. Which of the following companies allegedly committed an unfair trade practice by retroactively changing their privacy policy to permit the sharing of personal information without notifying its users?
A. Microsoft
B. Eli Lilly
C. Google
D. Gatewa

ANSWER: D. In 2004, the FTC filed a complaint against Gateway Learning Corp. for, in part, retroactively revising its privacy policy to permit sharing of its users' personal information. Gateway Learning subsequently settled the matter with the FTC a

10. The following fact pattern applies to questions 10 - 14.
Katie goes to her neighborhood pharmacy to fill her prescription for heart medication. When asked, Katie hands the pharmacist her prescription and insurance identification card. The pharma

ANSWER: D. Pharmacies are classified as healthcare providers under HIPAA and therefore are covered entities. The insurance identification card also constitutes protected health information because it relates to the provision of healthcare to an individu

11. Did the pharmacy commit a violation of HIPAA's Privacy Rule?
A. No, the insurance identification card does not constitute protected health information
B. No, the insurance identification card was disclosed in connection with treatment, payment

ANSWER: D. Under the Privacy Rule, covered entities may only disclose PHI to facilitate treatment, payment, or healthcare operations without a patient's express written authorization. Any other disclosure of PHI requires the covered entity to obta

12. Which of the following is required of the pharmacy by the Health Insurance Portability and Accountability Act ("HIPAA")?
A. The pharmacy must have a notice on its website informing customers about how they may file a complaint with the Office for Civi

ANSWER: A. The pharmacy is a covered entity, and a covered entity must prominently post and make available its notice on any website it maintains that provides information about its customer services or benefits. HIPAA complaints should be lodged with t

13. If a user of a consumer report takes adverse action against a consumer based on information contained in the consumer report, which of the following does NOT need to be disclosed to the consumer?
A. The name, address, and telephone number of the consu

ANSWER: C. If a user takes adverse action against a consumer based on information contained in a consumer report, the user must provide notice to the consumer. The notice must include (1) the name, address, and telephone number of the consumer reporting a

14. If an information technology auditor working on behalf of a hospital inadvertently loses the unencrypted medical billing records of 400 individuals, what type of notification is NOT required?
A. The hospital must provide notice to prominent media ou

ANSWER: A. In accordance with the Health Information Technology for Economic and Clinical Health ("HITECH") Act, a covered entity or its business associates must provide individual notification following a breach of unsecured protected health information.

15. The National Do Not Call Registry is primarily enforced by which two entities?
A. Department of Transportation and the FTC
B. U.S. Department of Justice and the FTC
C. Department of Commerce and the FCC
D. The FTC and FCC

ANSWER: D. Pursuant to its authority under the Telephone Consumer Protection Act ("TCPA"), the Federal Communication Commission ("FCC") established, together with the Federal Trade Commission ("FTC"), a national Do Not Call Registry in 2003. The registry

16. Which of the following occurred as a result of the Health Information Technology for Economic and Clinical Health ("HITECH") Act?
A. Covered entities were required to enter into written contracts with business associates ensuring privacy and securit

ANSWER: B. HITECH extended the HIPAA Security Rule to business associates of covered entities. Previously, privacy and security requirements were imposed on business associates through contractual agreements with covered entities. HITECH made business ass

17. In accordance with the Fair Credit Reporting Act ("FCRA"), willful disclosure of financial information in violation of the Act is punishable by a penalty of how much?
A. $500
B. $2,000
C. $2,500
D. There is no limit

ANSWER: D. For willful violations of the FCRA, a consumer may recover his actual damages or statutory damages of $100 to $1,000 per violation, plus punitive damages, which the Act does not cap, as well as reasonable attorney's fees and costs. Therefore, the correct answer is D because a c

18. Which of the following practices was NOT implemented by the Fair and Accurate Credit Transactions Act ("FACTA")?
A. Consumers have the right to obtain one free copy of their credit report from each of the three major national credit bureaus every 1

ANSWER: B. FACTA provides that "no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point
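The receipt-truncation rule quoted above is one of the few provisions on this page that maps directly onto code. The following is an added example (not part of the exam or any processor's software) showing a PAN-masking routine that enforces the FACTA ceiling of five visible digits, a receipt formatter that omits the expiration date entirely, and an audit scan that flags receipt text still carrying a full, Luhn-valid card number or an MM/YY date. The sample receipts, the test card number and the helper names are constructed for the demonstration; the stricter four-digit limit is the PCI DSS display-truncation convention and is included as an assumption about what most acquirers actually require.

```python
"""Receipt PAN truncation and an audit check for the FACTA receipt rule.

Added example, not from the original exam or any vendor's code.  Assumed:
- FACTA: at most the last five digits of the card number, and no
  expiration date, on an electronically printed cardholder receipt.
- PCI DSS display truncation (last four) is stricter; the default below
  follows FACTA's limit and PCI_MAX_VISIBLE is offered as the tighter choice.
The sample receipts below are constructed for the demo.
"""
import re

FACTA_MAX_VISIBLE = 5   # FACTA ceiling on visible card-number digits
PCI_MAX_VISIBLE = 4     # PCI DSS display truncation (assumption: stricter limit)

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded inside a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# MM/YY or MM/YYYY; on a receipt this is almost certainly an expiration date.
_EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, visible: int = FACTA_MAX_VISIBLE, fill: str = "*") -> str:
    """Replace all but the last `visible` digits of a card number with `fill`."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    if not 0 <= visible <= FACTA_MAX_VISIBLE:
        raise ValueError("FACTA allows at most the last five digits on a receipt")
    hidden = len(digits) - visible
    return fill * hidden + digits[hidden:]


def receipt_card_line(brand: str, pan: str, visible: int = FACTA_MAX_VISIBLE) -> str:
    """Card line for a printed receipt: masked PAN and no expiration date at all."""
    return f"{brand} {mask_pan(pan, visible)}"


def audit_receipt(text: str) -> dict:
    """Scan receipt text for full (Luhn-valid) PANs and for expiration dates."""
    candidates = [re.sub(r"\D", "", m.group()) for m in _PAN_RE.finditer(text)]
    return {
        "pans": [p for p in candidates if luhn_ok(p)],
        "expiry_dates": _EXPIRY_RE.findall(text),
    }


# Constructed sample receipts using the well-known test number 4111 1111 1111 1111.
BAD_RECEIPT = """ACME MART  Store #0042
VISA 4111 1111 1111 1111  EXP 12/27
AUTH 123456  TOTAL $42.10
"""
GOOD_RECEIPT = (
    "ACME MART  Store #0042\n"
    + receipt_card_line("VISA", "4111 1111 1111 1111")
    + "\nAUTH 123456  TOTAL $42.10\n"
)

if __name__ == "__main__":
    print(audit_receipt(BAD_RECEIPT))    # flags the full PAN and the 12/27 date
    print(audit_receipt(GOOD_RECEIPT))   # nothing to report
```

The audit is deliberately conservative: a 13-19 digit run that fails the Luhn check is ignored so that authorization codes and order numbers do not drown real findings, while any MM/YY token is reported because the statute bars the expiration date regardless of how it is labelled.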

19. When an employer obtains an investigative consumer report on an employee suspected of misconduct, which of the following is required?
A. The employer must provide advance notice of the investigation to the employee
B. The employer must provide a sum

ANSWER: B. The Fair Credit Reporting Act ("FCRA") was amended in 2003 to exempt investigative consumer reports related to suspected employee misconduct from many of the requirements of the FCRA, including consent, advance notice, and certification. The e

20. Which of the following is NOT a requirement of the Fair Credit Reporting Act ("FCRA")?
A. Consumer reporting agencies furnish consumer reports only to persons having a permissible purpose
B. Users of consumer reports certify to the consumer repo

ANSWER: C. Every national consumer reporting agency that maintains a file on a consumer shall provide a free credit report to the consumer if, no later than 60 days after receipt by such consumer of an adverse action notification, the consumer makes a req

21. In accordance with the Bank Secrecy Act, under which circumstance must a financial institution file a suspicious activity report?
A. When the bank detects a suspicious transaction of $25,000 even if the bank does not know the identity of the perpetra

ANSWER: A. The Bank Secrecy Act of 1970, also known as the Currency and Foreign Transactions Reporting Act, requires financial institutions in the United States to assist government agencies to detect and prevent money laundering. Specifically, the Act re

22. Which of the following states have a data breach notification law that mandates the notice contain the approximate date of the breach?
A. Massachusetts
B. California
C. Oregon
D. New York

ANSWER: C. Oregon Rev. Stat. § 646A.604 requires that notice of a data breach include (1) a description of the incident in general terms; (2) the approximate date of the breach of security; (3) the type of personal information obtained as a result of t

23. Which of the following cannot be included in the notification letter to affected residents after discovery of a data breach in accordance with Massachusetts law?
A. Information about the consumer's right to obtain a police report
B. Information on how

ANSWER: C. Mass. Gen. Laws ch. 93H, § 3 requires that the notice provided after a data breach must include (1) the consumer's right to obtain a police report and (2) how a consumer requests a security freeze and the necessary information to be provided when re

24. When a website operator states in its privacy notice that it will not share financial information with third parties and then shares financial information with a third-party affiliate, what recourse may occur?
A. The FTC may bring an action against

ANSWER: B. If an organization fails to comply with its privacy notice, it may be held liable by the FTC for a deceptive trade practice under Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce." Whe

25. The Children's Online Privacy Protection Act ("COPPA") applies to whom?
A. Operators of websites soliciting business in the United States
B. Operators of websites soliciting financial information from customers in the United States
C. Operators

ANSWER: C. COPPA was enacted in 1998 to curtail the collection of personal information from children. The Act applies to websites and online services operated for commercial purposes that are directed to children under the age of 13. In addition, the

26. The Gramm-Leach-Bliley Act ("GLBA") applies to which organizations?
A. All organizations that process financial data
B. Financial organizations with more than 10,000 customers
C. All organizations regulated by the Department of Commerce
D. Domestic fi

ANSWER: D. The GLBA, also known as the "Financial Services Modernization Act," was enacted in 1999. It applies to institutions that are significantly engaged in financial activities in the United States (also known as "domestic financial institutions

27. What is the main purpose of the Fair Credit Reporting Act ("FCRA")?
A. Enable data reporters to efficiently report valid debts on a consumer's credit report
B. Allow employers to quickly access financial data of their employees
C. Increase the ability

ANSWER: D. The FCRA was originally enacted in 1970 and more recently was updated by the Fair and Accurate Credit Transactions Act of 2003 ("FACTA"). The FCRA applies to consumer reporting agencies ("CRAs"), such as Experian, TransUnion, and Equifax, an

28. What is the basic rule for processing protected health information under the Health Insurance Portability and Accountability Act ("HIPAA")?
A. Patients must opt in before their protected health information is shared with other organizations unles

ANSWER: A. Under HIPAA's Privacy Rule, covered entities may disclose protected health information ("PHI") to facilitate treatment, payment, or health care operations without a patient's express written authorization. Any other disclosure of PHI requires

29. In accordance with the Health Insurance Portability and Accountability Act ("HIPAA"), the Department of Health and Human Services ("HHS") has promulgated which of the following rules to address the handling of protected health information?
A. Transa

ANSWER: B. HIPAA was enacted in 1996 to define policies, procedures, and guidelines that covered entities must follow for maintaining the privacy and security of individually identifiable protected health information ("PHI"). Covered entities generally

30. California's security breach notification law requires which entities to disclose a breach of security of unencrypted personal information to California residents?
A. Only companies physically located in California
B. Only state agencies
C. Only c

ANSWER: D. California's security breach notification law (S.B. 1386) requires a state agency, or a person or business that conducts business in California, to disclose in specified ways any breach of the security of data to any resident of California w

31. Which of the following strategies will prevent a company from having to notify residents of a data breach involving personal information?
A. Encrypt all personal information, including sensitive personal information
B. Ensure that all personal inf

ANSWER: A. Virtually all state security breach notification laws exempt encrypted personal information (most condition the exemption on the encryption key or credentials not having been acquired along with the data). Therefore, if a company encrypts all personal information, it will not have to notify residents even if there is a security breach. Although the oth

32. The Disposal Rule contained in the Fair and Accurate Credit Transactions Act ("FACTA") applies to which type of documents?
A. Educational records
B. Financial data
C. Consumer reports and records
D. Employee evaluations

ANSWER: C. Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule. The Rule requires the proper disposal of information in consumer reports and records to protect against unauthoriz

33. Which of the following statements accurately describe National Security Letters ("NSLs")?
A. They may only be issued by officials in FBI headquarters
B. They may only request information pertaining to a foreign power or the agent of a foreign

ANSWER: C. A national security letter ("NSL") is an administrative subpoena issued by the Federal Bureau of Investigation ("FBI") in an authorized national security investigation "to protect against international terrorism or clandestine inte

34. Which of the following is NOT a source of American law?
A. Regulatory bodies
B. Legislature
C. Common law
D. Court decisions

ANSWER: C. In the United States, law is derived from various sources. The legislature (that is, Congress) creates statutory law. Regulatory bodies and administrative agencies, such as the Federal Trade Commission ("FTC") and Federal Communication Commiss

35. The Communications Assistance for Law Enforcement Act ("CALEA") requires telecommunication providers to do which of the following?
A. Design their equipment and services to enable law enforcement officials to conduct electronic surveillance
B.

ANSWER: A. In response to concerns that emerging technologies, such as digital and wireless communications, were making it increasingly difficult for law enforcement agencies to execute authorized surveillance, Congress enacted the Communications Ass

36. When interviewing an applicant for an open position, an organization may ask which of the following questions without violating antidiscrimination laws?
A. If the applicant is currently using illegal drugs
B. If the applicant was born in the United

ANSWER: A. When conducting employment interviews, organizations should refrain from asking questions that may reveal whether the applicant is a member of a protected class. Therefore, questions that may reveal race, religion, sexual orientation, or nation

37. Which of the following is considered a best practice when an organization is considering posting employee photographs on its internal intranet website?
A. Process all employee requests to take down their photograph within 5 business days of receiving

ANSWER: D. When an organization posts an employee's photograph on its internal intranet or public website, it should first obtain consent from the employee. In fact, in Europe, prior consent for the use of photographs (even on security badges) is always r

38. Which of the following accurately describes an employer's ability to conduct video surveillance of its employees?
A. Employers may conduct video surveillance of their employees as long as the employer has a legitimate business interest in the surveill

ANSWER: D. With respect to video surveillance, employers should be cautious of setting up video surveillance in areas of the workplace in which employees have a reasonable expectation of privacy. These private areas include bathrooms and locker rooms. Em

39. Which of the following is considered a best practice after terminating an employee?
A. The employer should allow the employee a minimum of two weeks to collect his belongings and return all corporate assets
B. The employer should restrict or termina

ANSWER: B. After termination of an employee, an employer should take steps to ensure that the organization's informational and physical assets are protected. Generally, the employee's access to such assets should be restricted or removed, and the organi

40. The following fact pattern applies to questions 40 and 41.
ABC Corporation is a financial institution that partners with third-party affiliate wine companies to market and sell high-end wine and spirits on a monthly subscription basis. ABC obtains c

ANSWER: B. The Fair and Accurate Credit Transactions Act ("FACTA") imposes obligations on consumer reporting agencies, as well as users and furnishers of consumer reports. The Act prohibits an affiliate that receives eligibility information from usi

41. If ABC plans on taking an adverse action against a consumer based on information in his credit report, what must it do before taking the adverse action?
A. Provide a complete copy of the underwriting file to the consumer
B. Provide a complete copy of

ANSWER: C. In accordance with the Fair Credit Reporting Act ("FCRA"), users of consumer reports have several responsibilities. If a user takes any adverse action with respect to any consumer that is based in whole or in part on any information contained i

42. Which of the following companies was directed by the Federal Trade Commission ("FTC") to implement a comprehensive information security program for allegedly carrying out a deceptive trade practice with respect to its Passport web service?
A. Google
B

ANSWER: B. In 2002, Microsoft agreed to settle FTC charges concerning the privacy and security of information collected through its Passport web service.
Microsoft's privacy policy claimed, among other things, that Passport "achieves a high level of Web S

43. Common law is derived from which of the following?
A. Statutes created by the legislature
B. The United States Constitution
C. Societal customs and expectations
D. Executive orders

ANSWER: C. Common law is developed by judges through decisions of courts (called "case law"), as opposed to statutes adopted through the legislative process or regulations issued by the executive branch. Common law is based on societal customs and expec

44. Which of the following agencies does NOT presently have the power to issue regulations related to consumer privacy?
A. Office of the Comptroller of the Currency ("OCC")
B. Federal Trade Commission ("FTC")
C. Consumer Financial Protection Bureau ("CFPB")
D

ANSWER: A. The OCC charters, regulates, and supervises all national banks and federal savings associations, as well as federal branches and agencies of foreign banks. The OCC is an independent bureau of the U.S. Department of the Treasury. On July 21, 201

45. The Red Flags Rule is designed to combat what type of activity?
A. Acquisition of personal information from minors
B. Identity theft
C. Inappropriate disclosure of financial information
D. Transfer of personal information out of the United States

ANSWER: B. The Fair and Accurate Credit Transactions Act ("FACTA") provides a Red Flags Rule designed to combat identity theft. Identity theft refers to a fraud committed or attempted using the identifying information of another person without authority.

46. In accordance with the Electronic Communications Privacy Act ("ECPA"), when may a person lawfully monitor another's telephone call?
A. Only when both parties to the call have given their consent
B. Monitoring telephone calls is illegal under all ci

ANSWER: D. The Electronic Communications Privacy Act ("ECPA") was enacted in 1986 to update the Federal Wiretap Act. The ECPA protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are

47. The Do Not Call Registry applies to what type of marketing?
A. Email marketing
B. Unsolicited commercial messages
C. Telemarketing
D. Online marketing

ANSWER: C. Pursuant to its authority under the Telephone Consumer Protection Act ("TCPA"), the Federal Communication Commission ("FCC") established, together with the Federal Trade Commission ("FTC"), a national Do Not Call Registry in 2003. The registry

48. What is the original purpose of bank secrecy laws?
A. To enable banks to better share information
B. To protect customer's personal and financial information
C. To permit access of financial data by government authorities for national security purpose

ANSWER: B. Bank secrecy is a legal principle in some jurisdictions under which banks are not allowed to provide to authorities personal and account information about their customers unless certain conditions apply (for example, a criminal complaint has

49. Which of the following correctly describes the Gramm-Leach-Bliley Act ("GLBA")?
A. The Act is based on the permissible purpose approach to privacy
B. The Act covers all financial information, including publicly available information
C. The Act req

ANSWER: D. GLBA is based on the fair information practices approach to privacy and not the permissible purpose approach. GLBA also does not cover publicly available information, and the sharing of financial data with unaffiliated third parties is permitte

50. Which of the following is NOT exempt from disclosure under the Freedom of Information Act ("FOIA")?
A. Records containing trade secrets
B. Records containing the location of oil wells
C. Records describing the data handling practices of financial inst

ANSWER: D. FOIA has the following nine exemptions: (1) those documents properly classified as secret in the interest of national defense or foreign policy; (2) documents related solely to internal personnel rules and practices; (3) documents specifically

51. The Children's Online Privacy Protection Act ("COPPA") prevents website operators from performing which of the following activities?
A. Creating a website with content designed for children under 13 years of age
B. Collecting personal information fro

ANSWER: B. Generally, COPPA applies to the online collection of personal information from children under 13 years of age. COPPA details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or gua

52. Which of the following is one of the main purposes of the Fair Credit Reporting Act ("FCRA")?
A. Give employers the right to correct credit reports for their employees
B. Encourage the dissemination of consumer data to foreign companies with a need t

ANSWER: C. Under the FCRA, a credit report (a type of consumer report) may only be acquired for a "permissible purpose." Section 604 of the FCRA sets forth the circumstances that are considered permissible, including (1) for employment, credit, license, o

53. Which of the following is an example of personal information from a public record?
A. Health plan number from an insurance card
B. Name and address of an owner of a piece of real estate from a real estate deed
C. Driver's license number from a governme

ANSWER: B. Public records are information collected and maintained by the government and that are available to the public. Public records include real estate deeds, birth and marriage certificates, tax liens, and other data recorded by the government and

54. Which of the following may be considered personal information?
A. Financial data of an organization
B. Intellectual property of an organization
C. Operational data of an organization
D. Human resources data of an organization

ANSWER: D. Financial data, intellectual property, and operational data are all important types of information related to an organization. However, personal information is only that information describing an identified or identifiable individual (in contr

55. Which of the following would be classified as a deceptive trade practice by the FTC?
A. A website's privacy notice clearly states that it will not encrypt sensitive personal information, and the website does not, in fact, encrypt the data
B. An organ

ANSWER: B. If an organization fails to comply with its privacy notice, it may be held liable by the FTC for a deceptive trade practice under Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce." When

56. The FTC recently classified which of the following activities as a deceptive trade practice?
A. A patent assertion entity sending letters with misrepresentations to thousands of small businesses stating that they were infringing patents related to di

ANSWER: A. The FTC recently filed a complaint against a patent assertion entity that bought patents relating to digital copiers and then sent letters with misrepresentations to thousands of small businesses stating that they were infringing the patent and

57. Which branch of the U.S. government is responsible for enforcing laws?
A. Legislative
B. Executive
C. Judicial
D. Administrative

ANSWER: B. The U.S. Constitution is the supreme law of the United States. It separates the United States government into three main powers, or branches. The legislative branch makes the laws, the executive branch enforces the laws, and the judicial branch

58. Which of the following is a type of agreement issued by an administrative agency in which the defendant agrees to stop the alleged illegal activity without admitting fault?
A. Subpoena
B. Judgment
C. Consent decree
D. National security letter

ANSWER: C. A consent decree is a formal document stating specific steps an entity needs to perform to rectify an alleged violation. When entering into a consent decree, the charged entity typically does not admit fault or liability. This is an important

59. Which of the following in a statute enables an individual to directly bring a lawsuit against a person who violates the statute?
A. Private right of action
B. Confidentiality provision
C. Preemption clause
D. Indemnity provision

ANSWER: A. A private right of action is a clause in a statute that expressly permits a private party or individual to bring a lawsuit against a person who violates the statute and causes harm to the private party.

60. Which of the following is the primary mechanism that the FTC uses to enforce privacy laws?
A. Civil litigation
B. Criminal litigation
C. Administrative enforcement action
D. Declaratory judgments

ANSWER: C. When the FTC believes that a person or company has committed an unfair or deceptive trade practice, it starts an investigation of the practice. Following the investigation, the FTC may initiate an enforcement action against the person or org

61. Which of the following is arguably the most important law protecting privacy in the United States because of its broad scope?
A. Section 5 of the FTC Act
B. Children's Online Privacy Protection Act ("COPPA")
C. Foreign Intelligence Surveillance Act (

ANSWER: A. Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce." It is a law that applies to a broad range of circumstances and affords the FTC broad discretion to enforce privacy rights. The other laws list

62. Which of the following is not a right set forth in the Consumer Privacy Bill of Rights introduced by the Obama administration?
A. Access and accuracy
B. Transparency
C. Security
D. Simplicity

ANSWER: D. In 2012, the Obama administration released a report titled "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Economy." The report contains a Consumer Privacy Bill of Rights

63. Which of the following is an example of a self- regulatory organization?
A. PCI Security Standards Council
B. Office of the Comptroller of the Currency
C. Office of Thrift Supervision
D. The National Credit Union Administration

ANSWER: A. The PCI Security Standards Council is the organization responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard ("PCI DSS"). The Council therefore acts as a self

64. Which of the following organizations promotes cross-border information sharing and enforcement efforts for privacy authorities across the world?
A. International Organization for Standardization ("ISO")
B. Asia-Pacific Economic Cooperation ("APEC")
C.

ANSWER: C. The Global Privacy Enforcement Network ("GPEN") is an international network of privacy enforcement authorities tasked with aiding the flow of personal information across borders. In addition, GPEN supports joint enforcement initiatives and awar

65. Which of the following are types of risk associated with the improper use of personal information?
A. Statutory risk and environmental risk
B. Legal risk and implicit risk
C. Legal risk and reputational risk
D. Investment risk and inherent

ANSWER: C. There are many benefits and risks associated with using personal information at an organization. An obvious benefit is the ability to create a more personalized experience for your users. For example, an online dating website may use perso

66. Which of the following is NOT a major step when developing an effective information management program?
A. Discover
B. Build
C. Communicate
D. Compensate

ANSWER: D. The basic steps to developing an information management program are (1) discover, (2) build, (3) communicate, and (4) evolve. First, the organization must discover the environment in which the organization operates. For example, an organiz

67. The Health Insurance Portability and Accountability Act ("HIPAA") applies to whom?
A. Domestic health institutions
B. Covered entities and their business associates
C. Book publishers of medical information
D. Domestic financial institutions

ANSWER: B. HIPAA was enacted in 1996 to define policies, procedures and guidelines that "covered entities" must adhere to for maintaining the privacy and security of individually identifiable protected health information ("PHI"). Covered entities g

68. What was the original purpose of the Health Insurance Portability and Accountability Act ("HIPAA")?
A. To improve the efficiency and effectiveness of the health care system
B. To mandate affordable healthcare for all citizens of the United States

ANSWER: A. HIPAA was originally enacted to improve the efficiency and effectiveness of the health care system. Specifically, HIPAA included Administrative Simplification provisions that required the U.S. Department of Health and Human Services ("HHS")

69. Which of the following is NOT mandated by the Privacy Rule of the Health Insurance Portability and Accountability Act ("HIPAA")?
A. Covered entities with a direct treatment relationship with a patient must provide the patient with a privacy notice be

ANSWER: B. In accordance with the Privacy Rule, a covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) to the individual; (2)

70. Which of the following is NOT a type of safeguard mandated by the Security Rule of the Health Insurance Portability and Accountability Act ("HIPAA")?
A. Technical
B. Administrative
C. Physical
D. Procedural

ANSWER: D. The Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, phys

71. Which of the following types of information is NOT protected by the Genetic Information Nondiscrimination Act ("GINA")?
A. The results of an individual's genetic tests
B. The manifestation of a disease or disorder in family members
C. A request for, o

ANSWER: D. GINA prohibits discrimination in health coverage and employment based on genetic information. The statute defines "genetic information" as information encompassing: (1) an individual's genetic tests (including genetic tests done as part of a

72. Which of the following agencies is NOT responsible for enforcing a violation of the Genetic Information Nondiscrimination Act ("GINA")?
A. Department of Labor
B. Department of Health and Human Services ("HHS")
C. Equal Employment Opportunity Commissi

ANSWER: D. GINA is enforced by various federal agencies. The Department of Labor, the Department of the Treasury, and the Department of Health and Human Services are responsible for Title I of GINA, and the Equal Employment Opportunity Commission is resp

73. The Genetic Information Nondiscrimination Act ("GINA") prohibits discrimination based on genetic information for which type of insurance?
A. Life insurance
B. Disability insurance
C. Long-term care insurance
D. Health insurance

ANSWER: D. GINA prohibits discrimination in health coverage and employment based on the genetic information. GINA's health coverage nondiscrimination protections do not extend to life insurance, disability insurance and long-term care insurance.

74. In accordance with the Fair Credit Reporting Act ("FCRA"), what is an investigative consumer report?
A. Factual information on a consumer's credit record obtained directly from a creditor of the consumer or from a consumer reporting agency
B. A cons

ANSWER: C. The FCRA defines an investigative consumer report as "a consumer report or portion thereof in which information on a consumer's character, general reputation, personal characteristics, or mode of living is obtained through personal interviews

75. Which of the following is NOT a permissible purpose for a consumer reporting agency to furnish a consumer report?
A. In accordance with the written instructions of the consumer to whom it relates
B. To a person who intends to use the information

ANSWER: D. A consumer reporting agency may only furnish a consumer report if a permissible purpose exists. The following are examples of permissible purposes: (1) in response to the order of a court having jurisdiction to issue such an order, or a subpoen

76. When enforcing the Gramm-Leach-Bliley Act ("GLBA"), how does the FTC interpret the term "financial institution"?
A. A business that is significantly engaged in financial activities
B. A lender regulated by federal banking laws
C. A bank operatin

ANSWER: A. In the GLBA, "financial institution" is defined as "any institution the business of which is engaging in financial activities." The FTC, however, interprets the term to only cover businesses "significantly engaged" in financial activities.

77. An educational institution may disclose which of the following pieces of information about its students as directory information?
A. Sexual orientation
B. Social security number
C. Address
D. Income

ANSWER: C. In accordance with the Family Educational Rights and Privacy Act ("FERPA"), schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and date

78. The Telemarketing Sales Rule defines "telemarketing" as which of the following?
A. An automated telephone call to a consumer for the purposes of effectuating a sale
B. A plan, program, or campaign to induce the purchase of goods or services o

ANSWER: B. The Telemarketing Sales Rule (as amended) regulates "telemarketing" - defined in the Rule as "a plan, program, or campaign ... to induce the purchase of goods or services or a charitable contribution" involving more than one interstate tele

79. What was the primary purpose for creating the National Do Not Call Registry?
A. To mandate affirmative consumer consent before any entity may conduct a telemarketing call
B. To prohibit telemarketing calls placed late at night or during dinner time
C.

ANSWER: D. The National Do Not Call Registry is a list of phone numbers from consumers who have indicated their preference to limit the telemarketing calls they receive. The registry is managed by the Federal Trade Commission ("FTC"), the nation's primar

80. Which of the following types of calls are NOT regulated by the National Do Not Call Registry?
A. Calls to consumers living in Puerto Rico and the District of Columbia
B. Automated telephone calls
C. Calls from political organizations, charities, tele

ANSWER: C. The National Do Not Call Registry does not cover calls from political organizations, charities, telephone surveyors, or companies with which a consumer has an existing business relationship. The area codes in the National Do Not Call Registry

81. If a third-party telemarketer acting on behalf of a charity calls a consumer, how may the consumer prevent the third-party telemarketer from calling him again in the future?
A. Register his phone number with the National Do Not Call Registry
B. Call

ANSWER: D. Charities that are calling on their own behalf to solicit charitable contributions are not covered by the requirements of the national registry. However, if a third-party telemarketer is calling on behalf of a charity, a consumer may ask not to

82. A company with an existing business relationship with a consumer may call the consumer for up to how long after the consumer's last purchase?
A. 12 months
B. 18 months
C. 24 months
D. There is no limit so long as there is an existing business relation

ANSWER: B. In accordance with the Telemarketing Sales Rule, a company with which a consumer has an established business relationship may call for up to 18 months after the consumer's last purchase or last delivery, or last payment, unless the consumer ask

83. When requesting a consumer's consent to make unsolicited pre-recorded telemarketing calls ("robocalls") to the consumer, what standard is used to evaluate the propriety of the notice?
A. Reasonable
B. Clear and convincing
C. Clear and conspicuous
D. B

ANSWER: C. A consumer's written consent to receive telemarketing robocalls (unsolicited pre-recorded telemarketing calls) must be signed and be sufficient to show that the consumer: (1) received "clear and conspicuous disclosure" of the consequences of pr

84. The CAN-SPAM Act applies to what type of electronic messages?
A. Where the secondary purpose of the message is transactional
B. Where the secondary purpose of the message is commercial
C. Where the primary purpose of the message is transactional
D. Wh

ANSWER: D. Despite its name, the CAN-SPAM Act doesn't apply just to bulk email. It covers all commercial messages, which the law defines as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commer

85. How promptly must businesses that send unsolicited commercial emails process opt-out requests received from consumers?
A. 7 days
B. 10 days
C. 30 days
D. 45 days

ANSWER: B. In accordance with the CAN-SPAM Act, businesses must honor a recipient's opt-out request within 10 business days. Businesses are not allowed to charge a fee, require the recipient give any personally identifying information beyond an email add

86. An operator of which of the following is regulated by the Children's Online Privacy Protection Act ("COPPA")?
A. A general audience website that provides online games
B. A mobile application for paying utility bills
C. A social networking service di

ANSWER: D. Congress enacted COPPA in 1998. COPPA required the Federal Trade Commission ("FTC") to issue and enforce regulations concerning children's online privacy. The primary goal of COPPA is to place parents in control over what information is collect

87. Which of the following is NOT regulated by the Children's Online Privacy Protection Act ("COPPA")?
A. Online contact information
B. A screen name that functions as online contact information
C. A photograph of a child
D. Pornography

ANSWER: D. The Federal Trade Commission ("FTC") has defined personal information in its Rule implementing COPPA to include: (1) first and last name; (2) a home or other physical address including street name and name of a city or town; (3) online contact

88. May an operator of a general audience website rely on age information submitted by its users to determine if it must comply with the Children's Online Privacy Protection Act ("COPPA")?
A. No, COPPA applies to all general audience websites with user

ANSWER: C. COPPA covers operators of general audience websites or online services only when such operators have actual knowledge that a child under the age of 13 is the person providing personal information. The Rule does not require operators to ask the

89. Violations of the Children's Online Privacy Protection Act ("COPPA") may result in a civil fine of how much per violation?
A. $1,000
B. $10,000
C. $16,000
D. $100,000

ANSWER: C. A court can hold operators who violate COPPA liable for civil penalties of up to $16,000 per violation. The amount of civil penalties a court assesses depends on a number of factors, including the egregiousness of the violations, whether the

90. The California Online Privacy Protection Act ("CalOPPA") was amended in 2013 to address what issue?
A. Online tracking
B. Social networking
C. Unsolicited commercial email
D. Credit card fraud

ANSWER: A. CalOPPA was the first law in the nation to require operators of commercial web sites and online services to post a privacy policy. CalOPPA applies to operators of commercial web sites and online services that collect personally identifiable i

91. The Privacy Protection Act ("PPA") protects which of the following?
A. A promotional flyer created by a religious institution
B. An article written by a student at an educational institution for internal dissemination
C. Documentary material held b

ANSWER: C. The Privacy Protection Act ("PPA") was enacted in 1980 to protect journalists and newsrooms from searches by government officials. Specifically, the Act prohibits "a government officer or employee, in connection with the investigation or p

92. When may the government rightfully seize work product materials from a journalist?
A. When there is reason to believe that the seizure of the materials may prevent harm
B. When there is probable cause to believe that the journalist has committed a c

ANSWER: B. The Privacy Protection Act ("PPA") was enacted in 1980 to protect journalists and newsrooms from searches by government officials. The PPA provides two general exceptions to its protections: (1) when there is probable cause to believe that the

93. What standard must be satisfied before the government may install a pen register on a telephone line for surveillance purposes?
A. The information likely to be obtained is relevant to an ongoing criminal investigation
B. Probable cause exists that th

ANSWER: A. A pen register is a device which records or decodes electronic or other impulses which identify the numbers called or otherwise transmitted on the telephone line to which such device is installed. While a pen register records only outgoing phon

94. Which of the following is NOT a primary impact of the USA PATRIOT Act?
A. Enhancing the federal government's capacity to share intelligence
B. Strengthening the criminal laws against terrorism
C. Removing obstacles to investigating terrorism
D. Preven

ANSWER: D. The Department of Justice's 2004 field report on the USA PATRIOT Act sets forth the following four primary impacts of the Act: (1) enhancing the federal government's capacity to share intelligence; (2) strengthening the criminal laws against t

95. In civil litigation, what is the appropriate mechanism for a party to contest the scope of a discovery request seeking confidential information that would cause serious injury to the party if disclosed?
A. Motion to compel
B. Subpoena
C. Protective o

ANSWER: C. A court may, for good cause, issue a protective order to protect a party or person from annoyance, embarrassment, oppression or undue burden or expense. In evaluating requests for protective orders, courts have considered various factors, incl

96. Which of the following should be redacted from a document before it is filed with a federal court?
A. All but the last four digits of a Social Security or taxpayer-identification number
B. All financial accounts numbers
C. A minor's initials
D. The da

ANSWER: A. Rule 5.2 of the Federal Rules of Civil Procedure states that both electronic and paper filings made with the court should only include (1) the last four digits of the Social Security number and taxpayer-identification number; (2) the year of t

97. Domestic financial institutions are required to provide an annual privacy notice to which of the following?
A. Consumers
B. Customers
C. Employees
D. Contractors

ANSWER: B. The Gramm-Leach-Bliley Act ("GLBA"), also known as the "Financial Services Modernization Act," was enacted in 1999. It applies to institutions that are significantly engaged in financial activities in the United States (also known as "domestic

98. Domestic financial institutions are required to provide the customer with the opportunity to opt out of sharing what type of information with unaffiliated third-parties?
A. Personal information
B. Publicly available information
C. Non-public person

ANSWER: C. The Gramm-Leach-Bliley Act ("GLBA") requires domestic financial institutions to provide opt out notice prior to sharing non-public personal information ("NPI") with unaffiliated third parties. NPI includes any personally identifiable financi

99. The Gramm-Leach-Bliley Act ("GLBA") prohibits which of the following practices?
A. Sharing of personal information
B. Transfer of financial accounts to financial institutions located outside the United States
C. Pretexting
D. Lending of money to ind

ANSWER: C. The GLBA prohibits "pretexting" - the practice of obtaining customer information from financial institutions by false pretenses. Specifically, the Act prohibits any person from obtaining customer information relating to another person by maki

100. What are the primary mechanisms for financial institutions to comply with the Bank Secrecy Act?
A. Currency Transaction Reports and Suspicious Activity Reports
B. Currency Transaction Reports and Compliance Audits
C. Compliance Audits Suspicious Ac

ANSWER: A. The Bank Secrecy Act of 1970, also known as the Currency and Foreign Transactions Reporting Act, requires financial institutions in the United States to assist government agencies to detect and prevent money laundering. Specifically, the act

The FTC announced five priority areas for attention:

1. Do Not Track. The FTC has encouraged industry to create a mechanism for consumers to signal if they do not wish to be tracked for online behavioral advertising purposes.
2. Mobile. The FTC encourages greater self-regulation in the swiftly evolving area

FTC report emphasized 3 areas:

1. Privacy by Design - privacy becomes a ubiquitous principle across the organization.
2. Simplified consumer choice - clarified if and when companies need to obtain expressed choice.
3. Transparency - privacy notice should be clear, succinct and standar

White House proposed consumer privacy bill of rights

1. Individual control
2. Transparency
3. Respect for context
4. Security
5. Access and accuracy
6. Focused Collection
7. Accountability