
[March 2025] Updated IAPP CIPP-US exam questions, PDF and online engine
CIPP-US PDF with questions and answers, sample questions that remain trusted
The IAPP CIPP-US, or Certified Information Privacy Professional/United States, is a highly respected certification for professionals responsible for U.S. data privacy laws and regulations. It is offered by the International Association of Privacy Professionals (IAPP), a non-profit organization that provides education and resources to individuals working in the privacy field.
The IAPP CIPP-US certification exam is an important credential for professionals working in U.S. privacy and data protection. It demonstrates an individual's competence in the privacy field and gives them an advantage in the job market. Passing the exam requires a thorough understanding of U.S. privacy laws and regulations, privacy program governance, data breaches, and workplace privacy issues.
The IAPP CIPP-US certification is ideal for individuals responsible for U.S. data privacy laws and regulations who want to advance their careers in this field. With its rigorous exam, comprehensive coverage of U.S. privacy laws and regulations, and broad industry recognition, the CIPP-US certification is an excellent investment for anyone building a career in data privacy.
Question # 100
What is the main purpose of the CAN-SPAM Act?
- A. To diminish the use of electronic messages to send sexually explicit materials
- B. To authorize the states to enforce federal privacy laws for electronic marketing
- C. To empower the FTC to create rules for messages containing sexually explicit content
- D. To ensure that organizations respect individual rights when using electronic advertising
Correct answer: D
Explanation:
The CAN-SPAM Act is a federal law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations [1]. The main purpose of the act is to protect consumers from unwanted and deceptive email messages and to give them more control over their online privacy [2]. The act applies to all commercial messages, which are defined as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service" [1]. The act does not apply to transactional or relationship messages, which are messages that facilitate an agreed-upon transaction or update a customer about an existing business relationship [1]. The act also does not apply to non-commercial messages, such as political or charitable solicitations [3]. Note that CAN-SPAM is an opt-out regime rather than an opt-in one: senders do not need prior consent, but every commercial message must carry a working opt-out mechanism, and opt-out requests must be honored within 10 business days.
References:
[1] CAN-SPAM Act: A Compliance Guide for Business
[2] What is the CAN-SPAM Act? | Proton
[3] What is the CAN-SPAM Act? | Cloudflare
Question # 101
Which of the following federal agencies does NOT enforce the Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA)?
- A. The Office of the Comptroller of the Currency
- B. The Consumer Financial Protection Bureau
- C. The Federal Trade Commission
- D. The Department of Health and Human Services
Correct answer: D
Explanation:
* The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA) is a federal regulation that requires any person or entity that maintains or possesses consumer information derived from consumer reports to dispose of such information in a secure and proper manner [1].
* The Disposal Rule aims to protect consumers from identity theft and fraud by preventing unauthorized access to or use of their personal information [1].
* The Disposal Rule is enforced by several federal agencies, depending on the type and sector of the entity that is subject to the rule [1]. These agencies include:
* The Federal Trade Commission (FTC), which has general authority over most entities that are not specifically regulated by other agencies [2].
* The Consumer Financial Protection Bureau (CFPB), which has authority over consumer financial products and services, such as banks, credit unions, lenders, debt collectors, and credit reporting agencies [3].
* The Office of the Comptroller of the Currency (OCC), which has authority over national banks and federal savings associations [4].
* The Federal Deposit Insurance Corporation (FDIC), which has authority over state-chartered banks that are not members of the Federal Reserve System and state-chartered savings associations [5].
* The Board of Governors of the Federal Reserve System (FRB), which has authority over state-chartered banks that are members of the Federal Reserve System, bank holding companies, and certain nonbank subsidiaries of bank holding companies [6].
* The National Credit Union Administration (NCUA), which has authority over federally insured credit unions [7].
* The Securities and Exchange Commission (SEC), which has authority over brokers, dealers, investment companies, and investment advisers [8].
* The Commodity Futures Trading Commission (CFTC), which has authority over commodity futures and options markets and intermediaries [9].
* The Department of Health and Human Services (HHS) is NOT one of the federal agencies that enforces the Disposal Rule under FACTA. HHS has authority over health information privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), but not under FACTA [10].
References:
[1] Disposing of Consumer Report Information? Rule Tells How
[2] FTC Enforcement
[3] CFPB Enforcement
[4] OCC Enforcement
[5] FDIC Enforcement
[6] FRB Enforcement
[7] NCUA Enforcement
[8] SEC Enforcement
[9] CFTC Enforcement
[10] HHS Enforcement
Question # 102
Under the Fair Credit Reporting Act (FCRA), what must a person who is denied employment based upon his credit history receive?
- A. A list of rights from the Consumer Financial Protection Bureau (CFPB).
- B. Information from several consumer reporting agencies (CRAs).
- C. An opportunity to reapply with the employer.
- D. A prompt notification from the employer.
Correct answer: A
Explanation:
https://www.consumerfinance.gov/compliance/supervision-examinations/fair-credit-reporting-act-fcra-examination-procedures/ When an employer takes an adverse action (such as denying employment) based in whole or in part on a consumer report, the FCRA requires it to give the applicant, before the adverse action, a copy of the report together with the CFPB's "A Summary of Your Rights Under the Fair Credit Reporting Act", and, after the adverse action, a notice that identifies the consumer reporting agency and explains the right to dispute the report. In 2010, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), which granted rule-making authority under the FCRA (except for Section 615(e) (red flag guidelines and regulation) and Section 628 (disposal of records)) to the Consumer Financial Protection Bureau (CFPB). The Dodd-Frank Act also amended two provisions of the FCRA to require the disclosure of a credit score and related information when a credit score is used in taking an adverse action or in risk-based pricing.
Question # 103
What was the original purpose of the Foreign Intelligence Surveillance Act?
- A. To further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution.
- B. To further clarify when a warrant is not required for a wiretap performed internally by the telephone company outside the suspect's home, stemming from the Olmstead v. United States decision.
- C. To further define what information can reasonably be under surveillance in public places under the USA PATRIOT Act, such as Internet access in public libraries.
- D. To further clarify a reasonable expectation of privacy stemming from the Katz v. United States decision.
Correct answer: A
Explanation:
FISA was enacted in 1978, after the Church Committee investigations into domestic surveillance abuses, to create a statutory framework and a special court (the Foreign Intelligence Surveillance Court) for executive-branch electronic surveillance conducted for foreign intelligence purposes. The USA PATRIOT Act was not passed until 2001 and amended FISA, so option C cannot describe FISA's original purpose; options B and D describe Fourth Amendment case law (Olmstead and Katz) rather than the statute.
Question # 104
SCENARIO
Please use the following to answer the next QUESTION:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company." This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.
As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
Upon review, the data privacy leader discovers that the Company's documented data inventory is obsolete.
What is the data privacy leader's next best source of information to aid the investigation?
- A. Reports on recent purchase histories
- B. Database schemas held by the retailer
- C. Interviews with key marketing personnel
- D. Lists of all customers, sorted by country
Correct answer: C
Explanation:
The data privacy leader needs to identify all the personal data that the Company has received from the retailer, as well as the purposes, retention periods, and sharing practices of such data. Since the data inventory is obsolete, the data privacy leader cannot rely on it to provide accurate and complete information. Therefore, the next best source of information is to interview the key marketing personnel who are responsible for the partnership with the retailer and the use of the personal data. The marketing personnel can provide insights into the data flows, the data categories, the data processing activities, and the data protection measures that the Company has implemented. They can also help the data privacy leader to locate the relevant documents, contracts, and records that can support the investigation.
References: [IAPP CIPP/US Study Guide], Chapter 5: Data Management, p. 97-98; IAPP Privacy Tech Vendor Report, Data Mapping and Inventory, p. 9-10.
Question # 105
A law enforcement subpoenas the ACME telecommunications company for access to text message records of a person suspected of planning a terrorist attack. The company had previously encrypted its text message records so that only the suspect could access this data.
What law did ACME violate by designing the service to prevent access to the information by a law enforcement agency?
- A. SCA
- B. CALEA
- C. USA Freedom Act
- D. ECPA
Correct answer: B
Explanation:
The Communications Assistance for Law Enforcement Act (CALEA) was enacted "to amend title 18, United States Code, to make clear a telecommunications carrier's duty to cooperate in the interception of communications for law enforcement purposes, and for other purposes." It requires carriers to design their equipment and services so that lawfully authorized interception remains possible. One caveat worth knowing: under 47 U.S.C. § 1002(b)(3), a carrier is not responsible for decrypting communications encrypted by a subscriber unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt them.
Reference: https://www.nap.edu/read/11896/chapter/11#283
Question # 106
SCENARIO
Please use the following to answer the next QUESTION:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer's privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first draft of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with a personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worries Cheryl, since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the best reason for Cheryl to follow Janice's suggestion about classifying customer data?
- A. It will help the company meet a federal mandate
- B. It will prevent the company from collecting too much personal information (PI)
- C. It will help employees stay better organized
- D. It will increase the security of customers' personal information (PI)
Correct answer: D
Explanation:
Data classification systematically categorizes information based on sensitivity and importance to determine its level of confidentiality. This process helps apply appropriate security and compliance measures to ensure each category receives proper protection [1]. It also helps to identify which personal data is subject to specific legal requirements, such as obtaining explicit consent from data subjects or notifying data subjects in the event of a data breach [2]. By classifying data, Cheryl can also make more informed decisions about where to store the information on her computer system and the nature of controls that are required based on classification [3]. This way, she can protect her customers' privacy while maintaining the highest level of service.
References:
[1] Data Classification for GDPR Explained
[2] A guide to data classification: confidential data vs. sensitive data vs. public information
[3] Why Is Data Classification Important?
Question # 107
What practice does the USA FREEDOM Act NOT authorize?
- A. Emergency exceptions that allows the government to target roamers
- B. An increase in the maximum penalty for material support to terrorism
- C. An extension of the expiration for roving wiretaps
- D. The bulk collection of telephone data and internet metadata
Correct answer: D
Explanation:
The USA FREEDOM Act is a law that was enacted in 2015 to reform the surveillance practices of the U.S. government. The law was a response to the revelations by Edward Snowden about the mass collection of phone records and internet data by the National Security Agency (NSA) under the authority of Section 215 of the USA PATRIOT Act. The USA FREEDOM Act ended the bulk collection of telephone data and internet metadata by the NSA, and instead required the government to obtain a specific order from the Foreign Intelligence Surveillance Court (FISC), based on a specific selection term, to obtain such records from the telecommunications providers. The law also authorized the following practices:
* Emergency exceptions that allow the government to target roamers: the law allows surveillance of a non-U.S. person who was lawfully targeted while outside the United States to continue for a limited period (up to 72 hours) after that person enters the United States, while the government seeks court authorization.
* An increase in the maximum penalty for material support to terrorism: the law increases the maximum prison term for providing material support or resources to a foreign terrorist organization from 15 years to 20 years.
* An extension of the expiration for roving wiretaps: the law extends the sunset date for the roving wiretap provision of the USA PATRIOT Act, which allows the government to obtain a single order from the FISC to conduct surveillance on a target who switches devices or locations, without specifying the device or location. The law extends the expiration date from June 1, 2015 to December 15, 2019.
References:
* USA FREEDOM Act
* USA FREEDOM Act Summary
* USA FREEDOM Act FAQs
Question # 108
What privacy concept grants a consumer the right to view and correct errors on his or her credit report?
- A. Choice.
- B. Access.
- C. Notice.
- D. Action.
Correct answer: B
Explanation:
Access is the privacy concept that grants a consumer the right to view and correct errors on his or her credit report. The Fair Credit Reporting Act (FCRA) gives consumers the right to access their credit reports from the three nationwide credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months for free. Consumers also have the right to dispute any inaccurate or incomplete information in their credit reports and request that the credit reporting agencies investigate and correct the errors. The FCRA also requires the credit reporting agencies to provide consumers with a notice of their rights and a summary of the dispute process. References:
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Consumer Privacy, p. 38-39
* IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 13
* IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 4
Question # 109
All of the following common law torts are relevant to employee privacy under US law EXCEPT?
- A. Defamation
- B. Infliction of emotional distress.
- C. Conversion.
- D. Intrusion upon seclusion.
Correct answer: C
Explanation:
Conversion is a property tort (the wrongful exercise of control over another person's personal property) and is not a privacy tort. Intrusion upon seclusion is one of the four common law privacy torts and is the one most directly relevant to workplace monitoring; defamation and intentional infliction of emotional distress are also regularly raised in employee privacy disputes.
Reference: https://en.wikipedia.org/wiki/Privacy_law
Question # 110
The "Consumer Privacy Bill of Rights" presented in a 2012 Obama administration report is generally based on?
- A. The 1974 Privacy Act
- B. Common law principles
- C. Traditional fair information practices
- D. European Union Directive
Correct answer: C
Explanation:
The February 2012 White House report "Consumer Data Privacy in a Networked World" presented the Consumer Privacy Bill of Rights as a statement of the traditional Fair Information Practice Principles (FIPPs) adapted to the commercial Internet; its seven principles (individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability) track the FIPPs rather than the EU Data Protection Directive.
Question # 111
What is an exception to the Electronic Communications Privacy Act of 1986 ban on interception of wire, oral and electronic communications?
- A. Only if all parties have given consent
- B. Where state law permits such interception
- C. Where one of the parties has given consent
- D. If an organization intercepts an employee's purely personal call
Correct answer: C
Explanation:
The Electronic Communications Privacy Act of 1986 (ECPA) is a federal law that regulates the privacy of wire, oral, and electronic communications. The ECPA prohibits the intentional interception, use, or disclosure of such communications, unless authorized by law or by the consent of one of the parties to the communication [1][2]. The ECPA also provides exceptions for certain types of communications, such as those made in the normal course of business, those made for law enforcement purposes, or those made for foreign intelligence purposes [1][2].
One of the exceptions to the ECPA ban on interception is where one of the parties has given consent. This means that if a person who is a party to a communication agrees to have it intercepted, the interception is lawful under the ECPA. Consent can be express or implied, depending on the circumstances and the expectations of the parties [3]. For example, if a person calls a customer service line and hears a recorded message that the call may be monitored or recorded, the person has impliedly consented to the interception of the call. However, if a person calls a friend and does not know that the friend has a third party listening in on the call, the person has not consented to the interception of the call. Note that the federal rule is one-party consent; a number of states require the consent of all parties, so an organization that records calls must satisfy the stricter state rule where it applies.
References: [1] Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2523; [2] IAPP CIPP/US Study Guide, Chapter 8, Section 8.2.1; [3] Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, pp. 77-78.
Question # 112
What is the main reason some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices?
- A. Industries may not be strict enough in the creation and enforcement of rules
- B. Human rights may be disregarded for the sake of privacy
- C. A new business owner may not understand the regulations
- D. A large amount of money may have to be spent on improved technology and security
Correct answer: A
Explanation:
The European approach to privacy is based on the recognition of privacy as a fundamental human right that requires strong legal protection and oversight. The EU has adopted comprehensive and binding privacy laws, such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive, that apply to all sectors and activities involving personal data. The EU also has independent data protection authorities (DPAs) that monitor and enforce compliance with the privacy laws, and a European Data Protection Board (EDPB) that issues guidance and opinions on privacy matters. The EU also requires adequate levels of privacy protection for personal data transferred to third countries or international organizations.
In contrast, the U.S. approach to privacy is based on a sectoral and self-regulatory model that relies on a combination of federal and state laws, industry codes of conduct, consumer education, and market forces. The U.S. does not have a single, comprehensive, and enforceable federal privacy law that covers all sectors and activities involving personal data. Instead, the U.S. has a patchwork of federal and state laws that address specific issues or sectors, such as health, financial, children's, and electronic communications privacy. The U.S. also has various federal and state agencies that share jurisdiction over privacy matters, such as the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and the Department of Health and Human Services (HHS). The U.S. also relies on self-regulation by industries that develop and adhere to voluntary codes of conduct, standards, and best practices for privacy. U.S. law imposes no adequacy requirement on outbound transfers of personal data; transfers from the EU to the U.S. instead depend on a mechanism recognized under EU law, such as the Standard Contractual Clauses or an adequacy decision (the EU-U.S. Privacy Shield was invalidated by the Court of Justice of the EU in 2020 and was succeeded by the EU-U.S. Data Privacy Framework in 2023).
Some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices because they believe that self-regulation is not effective, consistent, or accountable enough to protect the rights and interests of data subjects. They argue that self-regulation may not provide sufficient incentives or sanctions for industries to comply with privacy rules, or to adopt privacy-enhancing technologies and practices. They also contend that self-regulation may not reflect the views and expectations of data subjects, or address the emerging and complex privacy challenges posed by new technologies and business models. They also question the transparency and legitimacy of self-regulation, and the ability of data subjects to exercise their rights and seek redress for privacy violations.
References:
* IAPP CIPP/US Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, pp. 9-10, 16-17
* IAPP website, CIPP/US Certification
* NICCS website, Certified Information Privacy Professional/United States (CIPP/US) Training
Question # 113
SCENARIO
Please use the following to answer the next QUESTION:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A.
HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B.
As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
Of the safeguards required by the HIPAA Security Rule, which of the following is NOT at issue due to HealthCo's actions?
- A. Security Safeguards
- B. Technical Safeguards
- C. Physical Safeguards
- D. Administrative Safeguards
Correct answer: A
Explanation:
The HIPAA Security Rule groups its required safeguards into three categories: administrative safeguards (45 CFR 164.308), physical safeguards (45 CFR 164.310), and technical safeguards (45 CFR 164.312). "Security safeguards" is not one of them. HealthCo's failure to perform due diligence on CloudHealth and to audit its security measures is an administrative safeguard issue (risk analysis and business associate oversight); the missing encryption is a technical safeguard issue; and storage of ePHI at CloudHealth's facilities implicates physical safeguards.
Question # 115
A covered entity suffers a ransomware attack that affects the protected health information (PHI) of more than 500 individuals. According to federal law under HIPAA, which of the following would the covered entity NOT have to report the breach to?
- A. Department of Health and Human Services
- B. Medical providers
- C. The affected individuals
- D. The local media
Correct answer: B
Explanation:
According to the Health Insurance Portability and Accountability Act (HIPAA), a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA. A covered entity must report a breach of unsecured protected health information (PHI) to the following parties:
* The Department of Health and Human Services (HHS), which is the federal agency responsible for enforcing HIPAA and issuing regulations and guidance on privacy and security issues. A covered entity must notify HHS of a breach affecting 500 or more individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. A covered entity must also notify HHS of breaches affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breaches occurred.
* The affected individuals, who are the individuals whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. A covered entity must notify the affected individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must be in writing by first-class mail or, if the individual agrees, by electronic mail. The notification must include a brief description of the breach, the types of information involved, the steps the individual should take to protect themselves, the steps the covered entity is taking to investigate and mitigate the breach, and the contact information of the covered entity.
* The local media, if the breach affects more than 500 residents of a state or jurisdiction. A covered entity must notify prominent media outlets serving the state or jurisdiction without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must include the same information as the notification to the affected individuals. Note that HHS guidance treats a ransomware encryption of ePHI as a presumptive breach unless the entity can demonstrate a low probability that the PHI was compromised.
A covered entity does not have to report the breach to medical providers, unless they are also affected individuals or business associates of the covered entity. A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. A covered entity must have a written contract or agreement with its business associates that requires them to protect the privacy and security of PHI and report any breaches to the covered entity.
References:
* IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section C: Sector-specific Requirements for Health Information
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private- sector Collection and Use of Data, Section 2.3: Sector-specific Requirements for Health Information
* Practice Exam - International Association of Privacy Professionals
Question # 116
SCENARIO
Please use the following to answer the next QUESTION:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A.
HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B.
As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
Which of the following would be HealthCo's best response to the attorney's discovery request?
- A. Turn over all of the compromised patient records to the plaintiff's attorney
- B. Respond with a redacted document only relative to the plaintiff
- C. Respond with a request for satisfactory assurances such as a qualified protective order
- D. Reject the request because the HIPAA privacy rule only permits disclosure for payment, treatment or healthcare operations
Correct answer: C
Explanation:
Under the HIPAA Privacy Rule (45 CFR 164.512(e)), a covered entity may disclose PHI in the course of a judicial proceeding in response to a subpoena or discovery request that is not accompanied by a court order only if it receives satisfactory assurances that reasonable efforts have been made either to notify the individuals whose PHI is requested or to secure a qualified protective order. The discovery request here covers the ePHI of thousands of patients other than the plaintiff, so handing it over wholesale (A) would itself be an impermissible disclosure, and rejecting it outright (D) misstates the rule, which permits disclosures for judicial proceedings subject to those assurances.
Question # 117
What was unique about the action that the Federal Trade Commission took against B.J.'s Wholesale Club in 2005?
- A. It made third-party audits a penalty for policy violations.
- B. It made user consent mandatory after any revisions of policy.
- C. It was the first substantial U.S.-EU Safe Harbor enforcement.
- D. It was based on matters of fairness rather than deception.
Correct answer: D
Explanation:
Per the FTC press release in 2005, "BJ's Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law." Earlier FTC data security cases had relied on the deception prong of Section 5 of the FTC Act (a company failing to live up to its own privacy promises); BJ's was the first in which the FTC treated inadequate security itself as an unfair practice, without relying on any misrepresentation.
Question # 118
What information did the Red Flag Program Clarification Act of 2010 add to the original Red Flags rule?
- A. The most common methods of identity theft.
- B. The definition of what constitutes a creditor.
- C. The process for proper disposal of sensitive data.
- D. The components of an identity theft detection program.
Correct answer: B
Explanation:
The Red Flag Program Clarification Act of 2010 amended the original Red Flags Rule, which required certain financial institutions and creditors to develop and implement a written identity theft prevention program. The Clarification Act narrowed the definition of creditor to include only those who regularly and in the ordinary course of business advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person [1][2]. This excludes creditors who advance funds for expenses incidental to a service provided by the creditor to that person [3], which removed many professional service providers (such as physicians and lawyers who bill after providing services) from the rule's scope.
References:
[1] CIPP/US Practice Questions (Sample Questions), Question 133, Answer B, Explanation B.
[2] IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4, Section 4.3, p. 108-109.
[3] Red Flag Program Clarification Act of 2010, Section 2, Subsection (b).
Question # 119
......
Use the IAPP CIPP-US exam question PDF to aim for top marks: https://www.goshiken.com/IAPP/CIPP-US-mondaishu.html
Certified Information Privacy Professional CIPP-US exam and certification test engine: https://drive.google.com/open?id=1X3jMmXOdysLwBEpzWRDXb-s_5vPBNuPy