Exam Code: CIPP-US
Exam Name: Certified Information Privacy Professional/United States (CIPP/US)
Updated: Nov 16, 2024
Q&As: 198
At Passcerty.com, we pride ourselves on the comprehensive nature of our CIPP-US exam dumps, designed meticulously to encompass all key topics and nuances you might encounter during the real examination. Regular updates are a cornerstone of our service, ensuring that our dedicated users always have their hands on the most recent and relevant Q&A dumps. Behind every meticulously curated question and answer lies the hard work of our seasoned team of experts, who bring years of experience and knowledge into crafting these premium materials. And while we are invested in offering top-notch content, we also believe in empowering our community. As a token of our commitment to your success, we're delighted to offer a substantial portion of our resources for free practice. We invite you to make the most of the following content, and wish you every success in your endeavors.
SCENARIO
Please use the following to answer the next question:
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop.
"Doing your homework?" Matt asked hopefully.
"No," the boy said. "I'm filling out a survey."
Matt looked over his son's shoulder at his computer screen. "What kind of survey?"
"It's asking questions about my opinions."
"Let me see," Matt said, and began reading the list of questions that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd. You're only ten."
Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer questions about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
Based on the incident, the FTC's enforcement actions against the marketer would most likely include what violation?
A. Intruding upon the privacy of a family with young children.
B. Collecting information from a child under the age of thirteen.
C. Failing to notify of a breach of children's private information.
D. Disregarding the privacy policy of the children's marketing industry.
Which of the following is an important implication of the Dodd-Frank Wall Street Reform and Consumer Protection Act?
A. Financial institutions must avoid collecting a customer's sensitive personal information
B. Financial institutions must help ensure a customer's understanding of products and services
C. Financial institutions must use a prescribed level of encryption for most types of customer records
D. Financial institutions must cease sending e-mails and other forms of advertising to customers who opt out of direct marketing
A company's employee wellness portal offers an app to track exercise activity via users' mobile devices. Which of the following design techniques would most effectively inform users of their data privacy rights and privileges when using the app?
A. Offer information about data collection and uses at key data entry points.
B. Publish a privacy policy written in clear, concise, and understandable language.
C. Present a privacy policy to users during the wellness program registration process.
D. Provide a link to the wellness program privacy policy at the bottom of each screen.
SCENARIO
Please use the following to answer the next question:
Miraculous Healthcare is a large medical practice with multiple locations in California and Nevada. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.
For this new initiative, Miraculous is considering a product built by MedApps, a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices’ branding. MedApps provides technical support for the app, which it hosts in the cloud. MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service.
Riya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices, as well as negotiating the terms of vendor agreements. Riya is currently reviewing the suitability of the MedApps app from a privacy perspective.
Riya has also been asked by the Miraculous Healthcare business operations team to review the MedApps’ optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedApps.
What can Riya do to most effectively minimize the privacy risks of using an app for telehealth appointments?
A. Require MedApps to de-identify all patient data.
B. Prohibit MedApps from using subcontractors.
C. Require MedApps to submit a SOC2 report.
D. Engage in active oversight of MedApps.
Nearly every state has a data breach notification law with a "compromise standard" for determining when notice is required. Which of the following is the best explanation of what a "compromise" is under this framework?
A. Compromise is defined by the degree to which the affected individuals suffered actual harm or had substantial risk of actual harm.
B. Compromise is defined by the case law in the jurisdiction and is typically based on the totality of the circumstances.
C. Compromise means that personally identifiable information was wrongfully accessed by third parties.
D. Compromise means that the confidentiality, security, or integrity of the information was violated.