IAPP Updated CIPP-US Exam Questions and Answers by kyrie

 Data breach notification laws in the United States vary by state and territory, and there is no comprehensive federal law that applies to all types of personal information. Some federal laws, such as HIPAA, GLBA, and the FDIC rule, impose data breach notification requirements for specific industries or sectors, but they do not cover all types of personal information or all entities that collect, store, or process such information. Therefore, the only obligations to provide data breach notification for the breach of personal information are under state law, unless a specific federal law applies to the entity or the information involved. The other statements are incorrect because:

• A. You do not have to notify the FTC in addition to affected individuals if over 500 individuals are receiving notice, unless you are a health care entity subject to HIPAA, in which case you have to notify the Department of Health and Human Services (HHS) within 60 days of the breach.
• B. When providing an individual with required notice of a data breach, you do not have to identify what personal information was actually or likely compromised, unless the state law requires you to do so. Some states, such as California, require the notice to include the types of personal information that were or are reasonably believed to have been the subject of the breach, while others, such as Alabama, do not specify the content of the notice.
• C. When you are required to provide an individual with notice of a data breach under any state’s law, you do not have to provide the individual with an offer for free credit monitoring, unless the state law requires you to do so. Some states, such as Connecticut, require the offer of appropriate identity theft prevention and mitigation services for at least 12 months, while others, such as Arizona, do not impose such a requirement. References: Data Breach Notification in the United States and Territories, Data Breach Notification Laws in the United States: What is Required and How is that Determined?, US State Data Breach Notification Law Matrix, Breach Notification in United States, Data Breach Notification Laws: How to Manufacture a Confident Response

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is a law passed in 2003 that establishes the first national standards for the sending of commercial e-mail in the United States. The law requires the Federal Trade Commission (FTC) to enforce its provisions. The law applies to any commercial e-mail message, which is defined as any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. The law does not apply to transactional or relationship messages, which are messages that facilitate an agreed-upon transaction or update a customer about an existing business relationship. The law also does not apply to non-commercial messages, such as political or charitable solicitations12

The CAN-SPAM Act is intended to help consumers by giving them more control over the commercial e-mails they receive. The law does not require companies to obtain prior consent (opt-in) from consumers before sending them commercial e-mails, but it does require companies to honor consumers’ requests to stop receiving such e-mails (opt-out). The law specifies that each commercial e-mail message must include a clear and conspicuous notice of the opportunity to decline to receive further messages from the sender, and a valid physical postal address of the sender. The sender must provide a functioning return e-mail address or other Internet-based mechanism that allows the recipient to submit an opt-out request. The sender must honor the opt-out request within 10 business days and must not sell, exchange, or transferthe e-mail address of the opt-out requester to another entity, unless the other entity is acting as an agent of the sender12

By requiring companies to allow consumers to opt-out of future e-mails, the CAN-SPAM Act aims to reduce the amount of unwanted and unsolicited commercial e-mail that consumers receive, and to protect their privacy and preferences. The law also imposes other requirements on companies that send commercial e-mails, such as banning false or misleading header information and deceptive subject lines, requiring the identification of the message as an advertisement, and requiring the labeling of sexually explicit content. The law also authorizes the FTC and other federal agencies to enforce the law and impose civil penalties for violations12

References:

• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Federal Privacy Laws, Section 4.4: The CAN-SPAM Act

Under the California Consumer Privacy Act (CCPA), a business that collects personal information of California residents must notify them of a data breach if their personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices. However, the CCPA excludes encrypted or redacted personal information from the definition of personal information, unless the encryption key or security credential is also compromised. Therefore, Privacy Is Hiring Inc. would need to notify the affected individuals only if the encryption keys were also taken along with the credit card information, as this would render the encryption ineffective and expose the personal information to unauthorized access. The other options are not relevant to the CCPA notification requirement, although they may be relevant to other laws or best practices. References: CCPA (Section 1798.150), IAPP CIPP/US Study Guide (p. 63-64)

• The Privacy Act of 1974 is a federal law that regulates the collection, use, and disclosure of personal information by federal agencies.
• The Privacy Act of 1974 applies to records that are maintained in a system of records, which is defined as a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual.
• The Privacy Act of 1974 grants individuals the right to access and amend their records, and requires agencies to provide notice of their systems of records, establish safeguards for the protection of the records, and limit the disclosure of the records to certain authorized purposes.
• The Privacy Act of 1974 also establishes civil and criminal penalties for violations of the law, such as unauthorized disclosure, failure to publish a notice, or refusal to grant access or amendment.
• The Privacy Act of 1974 does NOT require agencies to obtain the consent of the individual before collecting their personal information. However, the Privacy Act of 1974 does require agencies to inform the individual of the authority for the collection, the purpose and use of the collection, and the effects of not providing the information.

References: : [Overview of the Privacy Act of 1974]