Exam CIPP-US
Question 128

Privacy Is Hiring Inc., a CA-based company, is an online specialty recruiting firm focusing on placing privacy professionals in roles at major companies. Job candidates create online profiles outlining their experience and credentials, and can pay $19.99/month via credit card to have their profiles promoted to potential employers. Privacy Is Hiring Inc. keeps all customer data at rest encrypted on its servers.

Under what circumstances would Privacy Is Hiring Inc. need to notify affected individuals in the event of a data breach?

    Correct Answer: B

    Privacy Is Hiring Inc. would need to notify affected individuals if the job candidates' credit card information and encryption keys were among the information taken. This is because the encryption keys being compromised would mean that the encrypted data could potentially be decrypted, which would expose sensitive personal information, including credit card information. Hence, notification is required under these circumstances to allow the affected individuals to take necessary protective actions.

Discussion
smp175 (Option: B)

California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) [agency] and California Civ. Code s. 1798.82(a) [person or business].) https://oag.ca.gov/privacy/databreach/reporting

47258d2 (Option: B)

California AB2828: organizations are required to trigger breach notification for disclosures of encrypted data if they have reason to believe encryption keys may have been compromised along with the data.

Bhimesh (Option: B)

The CCPA provides consumers with special remedies for data breaches, including statutory damages of between $100 and $750 per incident, actual damages, or other remedies the court deems appropriate. To be entitled to these remedies, the breach must consist of (1) “an unauthorized access and exfiltration, theft, or disclosure” of the consumer’s personal information resulting from (2) the business’s failure to “implement and maintain reasonable security procedures and practices.” “CREDIT CARD INFORMATION and the ENCRYPTION KEYS were among the information taken”: it's a breach, although the data at rest is encrypted… These remedies “do not apply” to personal information that has been “ENCRYPTED OR REDACTED.” These remedies also only apply to a certain subset of the most sensitive personal information under the CCPA (such as Social Security number) and are not available for all categories of personal information.