CIPP Exam Review Questions and
Answers
Consent Decree - Answer-A judgment entered by consent of the parties whereby the
defendant agrees to stop alleged illegal activity.
Does not admit guilt or wrongdoing.
COPPA has allowed for several consent decrees, which require violators to pay money
to the government and agree not to violate the relevant law in the future.
Torts - Answer-Torts are civil wrongs recognized by law as the grounds for lawsuits.
These wrongs are those that result in an injury or harm that constitutes the basis for a
claim by the injured party.
What are the three tort categories? - Answer-Intentional torts, negligent torts, and strict
liability torts.
Strict Liability Torts - Answer-These are wrongs that don't depend on the degree of
carelessness by the defendant, but are established when a particular action causes
damage.
i.e., defective product. Don't need to show negligence.
What are some current privacy torts? - Answer-a. intrusion on seclusion;
b. public revelation of private facts;
c. interfering with a person's right to publicity;
d. casting a person in a false light.
Example of privacy tort - Answer-Allegations that a company was negligent for failing to
provide adequate safeguards for PI, thus causing harm due to disclosure of the data.
Lack of adequate safeguards therefore may expose a company to damages under tort
law.
Define "private right of action" - Answer-Ability of an individual harmed by a violation of
a law to file a lawsuit against the violator.
Who can legally enforce the promises made in a company's privacy notice? - Answer-
Federal Trade Commission and states.
What authority does the FTC have re: privacy in the private sector? - Answer-General
authority to enforce against "unfair and deceptive trade practices."
, In which areas does the FTC have specific regulatory authority? - Answer-1. marketing
communications;
2. children's privacy
Give an example of a regulatory setting where government-created rules expect
companies to sign up for self-regulatory oversight. - Answer-The Safe Harbor for
companies that transfer personal information from the EU to the US.
In which state was the first security breach notification law enacted? - Answer-California
Even if you do business in this CA, what is required for this law to apply to you? -
Answer-You must have computerized data.
True/False: If your database contains only encrypted information, you are not subject to
the CA law. - Answer-True
What does the CA Data Breach Notification law require or prohibit? - Answer-It requires
you to disclose any breach of system security to any resident of CA whose unencrypted
personal information was or is reasonably believed to have been acquired by an
unauthorized person.
True/false: the CA law provides for a private cause of action. - Answer-True
The CA attorney general or any citizen can file a civil lawsuit against you, seeking
damages and forcing you to comply.
What are administrative enforcement actions? - Answer-These are carried out pursuant
to the statutes that create and empower an agency, such as the FTC.
Which agencies are responsible for medical privacy? - Answer-Office for Civil Rights in
the Department of Health and Human Services (HHS), for the Health Insurance
Portability and Accountability Act (HIPAA)
Which agencies oversee financial privacy? - Answer-Consumer Financial Protection
Bureau for financial consumer protection issues generally; federal financial regulators
such as the Federal Reserve and the Office of Comptroller of the Currency, for
institutions under their jurisdiction under the Gramm-Leach-Bliley Act (GLBA)
Which agencies are responsible for educational privacy? - Answer-Department of
Education for the Family Educational Rights and Privacy Act.
Which agencies oversee telemarketing and marketing privacy? - Answer-Federal
Communications Commission (along with the FTC) under the Telephone Consumer
Protection Act and other statutes.
Answers
Consent Decree - Answer-A judgment entered by consent of the parties whereby the
defendant agrees to stop alleged illegal activity.
Does not admit guilt or wrongdoing.
COPPA has allowed for several consent decrees, which require violators to pay money
to the government and agree not to violate the relevant law in the future.
Torts - Answer-Torts are civil wrongs recognized by law as the grounds for lawsuits.
These wrongs are those that result in an injury or harm that constitutes the basis for a
claim by the injured party.
What are the three tort categories? - Answer-Intentional torts, negligent torts, and strict
liability torts.
Strict Liability Torts - Answer-These are wrongs that don't depend on the degree of
carelessness by the defendant, but are established when a particular action causes
damage.
i.e., defective product. Don't need to show negligence.
What are some current privacy torts? - Answer-a. intrusion on seclusion;
b. public revelation of private facts;
c. interfering with a person's right to publicity;
d. casting a person in a false light.
Example of privacy tort - Answer-Allegations that a company was negligent for failing to
provide adequate safeguards for PI, thus causing harm due to disclosure of the data.
Lack of adequate safeguards therefore may expose a company to damages under tort
law.
Define "private right of action" - Answer-Ability of an individual harmed by a violation of
a law to file a lawsuit against the violator.
Who can legally enforce the promises made in a company's privacy notice? - Answer-
Federal Trade Commission and states.
What authority does the FTC have re: privacy in the private sector? - Answer-General
authority to enforce against "unfair and deceptive trade practices."
, In which areas does the FTC have specific regulatory authority? - Answer-1. marketing
communications;
2. children's privacy
Give an example of a regulatory setting where government-created rules expect
companies to sign up for self-regulatory oversight. - Answer-The Safe Harbor for
companies that transfer personal information from the EU to the US.
In which state was the first security breach notification law enacted? - Answer-California
Even if you do business in this CA, what is required for this law to apply to you? -
Answer-You must have computerized data.
True/False: If your database contains only encrypted information, you are not subject to
the CA law. - Answer-True
What does the CA Data Breach Notification law require or prohibit? - Answer-It requires
you to disclose any breach of system security to any resident of CA whose unencrypted
personal information was or is reasonably believed to have been acquired by an
unauthorized person.
True/false: the CA law provides for a private cause of action. - Answer-True
The CA attorney general or any citizen can file a civil lawsuit against you, seeking
damages and forcing you to comply.
What are administrative enforcement actions? - Answer-These are carried out pursuant
to the statutes that create and empower an agency, such as the FTC.
Which agencies are responsible for medical privacy? - Answer-Office for Civil Rights in
the Department of Health and Human Services (HHS), for the Health Insurance
Portability and Accountability Act (HIPAA)
Which agencies oversee financial privacy? - Answer-Consumer Financial Protection
Bureau for financial consumer protection issues generally; federal financial regulators
such as the Federal Reserve and the Office of Comptroller of the Currency, for
institutions under their jurisdiction under the Gramm-Leach-Bliley Act (GLBA)
Which agencies are responsible for educational privacy? - Answer-Department of
Education for the Family Educational Rights and Privacy Act.
Which agencies oversee telemarketing and marketing privacy? - Answer-Federal
Communications Commission (along with the FTC) under the Telephone Consumer
Protection Act and other statutes.
