CIPP-US Exam Dumps : Certified Information Privacy Professional/United States (CIPP/US)

The scenario describes how the company had no adequate rules about access to customer information and how low-level employees had access to all of the company’s customer data, including financial records. This indicates that the company did not implement proper access controls to limit who can access, use, or disclose customer information based on their roles and responsibilities. Access controls are one of the key elements of information security and privacy, as they help prevent unauthorized or inappropriate access to sensitive data. Without access controls, the company’s customer information was vulnerable to mishandling by employees or outsiders who could exploit the weaksecurity measures. Therefore, the most likely cause of the breach was mishandling of information caused by lack of access controls. References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Information Management from a U.S. Perspective, Section 4.2: Information Security, p. 113-114

IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective I.C: Describe the role of information security in privacy, Subobjective I.C.1: Identify the key elements of information security, p. 8

A consent decree is a legal document that resolves a dispute between a governmental agency and an adverse party without admission of guilt or liability by either side. It is approved by a judge and has the force of a court order. A consent decree may include terms such as compliance, monitoring, reporting, or remediation. A consent decree is often used to settle civil enforcement actions brought by federal agencies such as the Federal Trade Commission (FTC), the Environmental Protection Agency (EPA), or the Department of Justice (DOJ). References:

IAPP Glossary, entry for “consent decree”

[IAPP CIPP/US Study Guide], p. 39, section 2.1.3

[IAPP CIPP/US Body of Knowledge], p. 9, section B.1.a

According to the Family Educational Rights and Privacy Act (FERPA), a policy of “no consumer choice” or “no option” means that an educational agency or institution may disclose personally identifiable information (PII) from education records without the prior written consent of the parent or eligible student, subject to certain conditions and exceptions1. One of the exceptions is when the disclosure is to comply with a judicial order or lawfully issued subpoena, or to respond to an ex parte order from the Attorney General of the United States or his designee in connection with the investigation or prosecution of terrorism crimes12. In such cases, the educational agency or institution must make a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance, unless the order or subpoena specifies not to do so12. Therefore, when a customer’s financial information, which may be part of the education records, is requested by the government under a valid legal authority, the customer does not have the option to prevent the disclosure and the educational agency or institution does not need to obtain the customer’s consent. References: 1: FERPA, 34 CFR Part 99, Subpart D, 2. 2: The Family Educational Rights and Privacy Act Guidance for Parents, Student Privacy Policy Office, U.S. Department of Education, 1.