CIPM Exam Dumps - Certified Information Privacy Manager (CIPM)

Searching for workable clues to ace the IAPP CIPM Exam? You’re on the right place! ExamCert has realistic, trusted and authentic exam prep tools to help you achieve your desired credential. ExamCert’s CIPM PDF Study Guide, Testing Engine and Exam Dumps follow a reliable exam preparation strategy, providing you the most relevant and updated study material that is crafted in an easy to learn format of questions and answers. ExamCert’s study tools aim at simplifying all complex and confusing concepts of the exam and introduce you to the real exam scenario and practice it with the help of its testing engine and real exam dumps

Go to page:

<< First
Prev
1
2
3
4
5
6
7
8
9
10
Next
Last >>

Question # 17

SCENARIO

Please use the following to answer the next question:

Recently, a boutique fashion company headquartered in California, US needed to fill a very large online order from one of their best customers located in France. The boutique did not have all the items needed to complete the order, so they asked one of their partners located in Canada to help fulfill the order. To save time, the boutique had the items shipped directly from the Canadian partnerâ€™s store to the customerâ€™s home address. The partner sent SMS messages to provide the customer with direct shipping updates.

The merchandise arrived to the customer and they were happy with the experience. However, soon after, the customer contacted the boutique to complain that they had been receiving telemarketing calls and emails from other fashion boutiques and stores.

What should the boutique have done to properly handle and govern the customerâ€™s personal information?

Performed a sub-processor due diligence review of the partner store.

Ensured that standard contractual clauses were in place between the boutique and the partner store.

Ensured that Canada has received an adequacy decision by European Commission before moving forward with the transaction.

Notified the customer that part of their order would be fulfilled by the partner and obtain the customerâ€™s opt-in consent before sharing any data.

Full Access

Question # 18

What is one reason the European Union has enacted more comprehensive privacy laws than the United States?

To ensure adequate enforcement of existing laws.

To ensure there is adequate funding for enforcement.

To allow separate industries to set privacy standards.

To allow the free movement of data between member countries.

Full Access

Question # 19

PbD is the framework that?

Dictates the design of the system development life cycle.

Establishes risk-based expectations for privacy management.

Embeds privacy into the design of technology, systems and practices.

Guides organizations in designing, implementing and managing privacy programs in line with privacy laws and best practices.

Full Access

Question # 20

A start-up tech company is developing its privacy policies and processes.

Which policy is most important to ensure the organization is successful at processing consumer health information?

The employee notice.

The consumer health data policy.

The privacy impact assessment (PIA).

The Health Insurance Portability and Accountability Act (HIPAA) privacy notice.

Full Access

Question # 21

SCENARIO

Please use the following to answer the next QUESTION:

Paul Daniels, with years of experience as a CEO, is worried about his son Carlton's successful venture, Gadgo. A technological innovator in the communication industry that quickly became profitable, Gadgo has moved beyond its startup phase. While it has retained its vibrant energy, Paul fears that under Carlton's

direction, the company may not be taking its risks or obligations as seriously as it needs to. Paul has hired you, a Privacy Consultant, to assess the company and report to both father and son. "Carlton won't listen to me," Paul says, "but he may pay attention to an expert."

Gadgo's workplace is a clubhouse for innovation, with games, toys, snacks. espresso machines, giant fish tanks and even an iguana who regards you with little interest. Carlton, too, seems bored as he describes to you the company's procedures and technologies for data protection. It's a loose assemblage of controls, lacking consistency and with plenty of weaknesses. "This is a technology company," Carlton says. "We create. We innovate. I don't want unnecessary measures that will only slow people down and clutter their thoughts."

The meeting lasts until early evening. Upon leaving, you walk through the office it looks as if a strong windstorm has recently blown through, with papers scattered across desks and tables and even the floor. A "cleaning crew" of one teenager is emptying the trash bins. A few computers have been left on for the night, others are missing. Carlton takes note of your attention to this: "Most of my people take their laptops home with them, or use their own tablets or phones. I want them to use whatever helps them to think and be ready day or night for that great insight. It may only come once!"

What phase in the Privacy Maturity Model (PMM) does Gadgo's privacy program best exhibit?

Ad hoc.

Defined.

Repeatable.

Managed.

Full Access

Question # 22

SCENARIO

Please use the following to answer the next QUESTION:

Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.

Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.

Spencer â€“ a former CEO and currently a senior advisor â€“ said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling

customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.

One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. "Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.

Spencer replied that acting with reason means allowing security to be handled by the security functions within the company â€“ not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.

Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."

Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.

How could the objection to Spencer's training suggestion be addressed?

By requiring training only on an as-needed basis.

By offering alternative delivery methods for trainings.

By introducing a system of periodic refresher trainings.

By customizing training based on length of employee tenure.

Full Access

Question # 23

What United States federal law requires financial institutions to declare their personal data collection practices?

The Kennedy-Hatch Disclosure Act of 1997.

The Gramm-Leach-Bliley Act of 1999.

SUPCLA, or the federal Superprivacy Act of 2001.

The Financial Portability and Accountability Act of 2006.

Full Access

Answer:

Explanation:

The United States federal law that requires financial institutions to declare their personal data collection practices is the Gramm-Leach-Bliley Act (GLBA) of 1999.Â The GLBA is also known as the Financial Services Modernization Act or the Financial Modernization Act10Â The GLBA regulates how financial institutions collect, use, disclose, and protect the nonpublic personal information of their customers11Â The GLBA requires financial institutions to provide a privacy notice to their customers that explains what kinds of information they collect, how they use and share that information, and how they safeguard that information12Â The GLBA also gives customers the right to opt out of certain information sharing practices with third parties13

The other options are not US federal laws that require financial institutions to declare their personal data collection practices.Â The Kennedy-Hatch Disclosure Act of 1997 is a proposed but not enacted legislation that would have required health insurers to disclose their policies and practices regarding the use and disclosure of genetic information14Â SUPCLA, or the federal Superprivacy Act of 2001, is a fictional law that does not exist in reality.Â The Financial Portability and Accountability Act of 2006 is also a fictional law that does not exist in reality, although it may be confused with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which regulates the privacy and security of health information15Â References:Â 10: Gramm-Leach-Bliley Act | Federal Trade Commission;Â 11: Financial Privacy | Federal Trade Commission;Â 12: Financial Privacy | Federal Trade Commission;Â 13: Financial Privacy | Federal Trade Commission;Â 14: S.Â 422 (105th): Genetic Information Nondiscrimination in Health Insurance Act of 1997;Â 15: Health Information Privacy | HHS.gov

Question # 24

SCENARIO

Please use the following to answer the next QUESTION:

It's just what you were afraid of. Without consulting you, the information technology director at your organization launched a new initiative to encourage employees to use personal devices for conducting business. The initiative made purchasing a new, high-specification laptop computer an attractive option, with discounted laptops paid for as a payroll deduction spread over a year of paychecks. The organization is also paying the sales taxes. It's a great deal, and after a month, more than half the organization's employees have signed on and acquired new laptops. Walking through the facility, you see them happily customizing and comparing notes on their new computers, and at the end of the day, most take their laptops with them, potentially carrying personal data to their homes or other unknown locations. It's enough to give you data- protection nightmares, and you've pointed out to the information technology Director and many others in the organization the potential hazards of this new practice, including the inevitability of eventual data loss or theft.

Today you have in your office a representative of the organization's marketing department who shares with you, reluctantly, a story with potentially serious consequences. The night before, straight from work, with laptop in hand, he went to the Bull and Horn Pub to play billiards with his friends. A fine night of sport and socializing began, with the laptop "safely" tucked on a bench, beneath his jacket. Later that night, when it was time to depart, he retrieved the jacket, but the laptop was gone. It was not beneath the bench or on another bench nearby. The waitstaff had not seen it. His friends were not playing a joke on him. After a sleepless night, he confirmed it this morning, stopping by the pub to talk to the cleanup crew. They had not found it. The laptop was missing. Stolen, it seems. He looks at you, embarrassed and upset.

You ask him if the laptop contains any personal data from clients, and, sadly, he nods his head, yes. He believes it contains files on about 100 clients, including names, addresses and governmental identification numbers. He sighs and places his head in his hands in despair.

What should you do first to ascertain additional information about the loss of data?

Interview the person reporting the incident following a standard protocol.

Call the police to investigate even if you are unsure a crime occurred.

Investigate the background of the person reporting the incident.

Check company records of the latest backups to see what data may be recoverable.

Full Access