SCENARIO
You have just been hired by Ancillary.com, a seller of accessories for everything under the sun, including waterproof stickers for pool floats and decorative bands and cases for sunglasses. The company sells cell phone cases, e-cigarette cases, wine spouts, hanging air fresheners for homes and automobiles, book ends, kitchen implements, visors and shields for computer screens, passport holders, gardening tools and lawn ornaments, and catalogs full of health and beauty products. The list seems endless. As the CEO likes to say, Ancillary offers, without doubt, the widest assortment of low-price consumer products from a single company anywhere.
Ancillary's operations are similarly diverse. The company originated with a team of sales consultants selling home and beauty products at small parties in the homes of customers, and this base business is still thriving. However, the company now sells online through retail sites designated for industries and demographics, sites such as "My Cool Ride" for automobile-related products or "Zoomer" for gear aimed toward young adults. The company organization includes a plethora of divisions, units and outrigger operations, as Ancillary has been built along a decentered model rewarding individual initiative and flexibility, while also acquiring key assets. The retail sites seem to all function differently, and you wonder about their compliance with regulations and industry standards. Providing tech support to these sites is also a challenge, partly due to a variety of logins and authentication protocols.
You have been asked to lead three important new projects at Ancillary:
The first is the personal data management and security component of a multi-faceted initiative to unify the company's culture. For this project, you are considering using a series of third-party servers to provide company data and approved applications to employees.
The second project involves providing point of sales technology for the home sales force, allowing them to move beyond paper checks and manual credit card imprinting.
Finally, you are charged with developing privacy protections for a single web store housing all the company's product lines as well as products from affiliates. This new omnibus site will be known, aptly, as "Under the Sun." The Director of Marketing wants the site not only to sell Ancillary's products, but to link to additional products from other retailers through paid advertisements. You need to brief the executive team on security concerns posed by this approach.
Which should be used to allow the home sales force to accept payments using smartphones?
To allow the home sales force to accept payments using smartphones, Near-Field Communication (NFC) should be used.
Near-Field Communication (NFC): NFC is a set of communication protocols that enable two electronic devices, one typically a portable device such as a smartphone, to establish communication by bringing them within close proximity, usually less than 10 cm.
Payment Systems: NFC is widely used in contactless payment systems, allowing users to make secure transactions by simply tapping their device near a payment terminal.
Security and Convenience: NFC payments are secure because they use encryption, tokenization, and other security measures to protect financial data. They also offer convenience for both customers and sales personnel.
Implementation in Sales: For the home sales force, equipping smartphones with NFC technology allows seamless and secure processing of credit card payments, reducing the need for paper checks and manual processing.
IAPP Privacy Management, Information Privacy Technologist Certification Textbooks
ISO/IEC 18092:2013 -- Near Field Communication Interface and Protocol (NFCIP-1)
SCENARIO
Please use the following to answer the next question:
Chuck, a compliance auditor for a consulting firm focusing on healthcare clients, was required to travel to the client's office to perform an onsite review of the client's operations. He rented a car from Finley Motors upon arrival at the airport so he could commute to and from the client's office. The car rental agreement was electronically signed by Chuck and included his name, address, driver's license, make/model of the car, billing rate, and additional details describing the rental transaction. On the second night, Chuck was caught by a red light camera not stopping at an intersection on his way to dinner. Chuck returned the car to the car rental agency at the end of the week without mentioning the infraction and Finley Motors emailed a copy of the final receipt to the address on file.
Local law enforcement later reviewed the red light camera footage. As Finley Motors is the registered owner of the car, a notice was sent to them indicating the infraction and fine incurred. This notice included the license plate number, occurrence date and time, a photograph of the driver, and a web portal link to a video clip of the violation for further review. Finley Motors, however, was not responsible for the violation as they were not driving the car at the time and transferred the incident to AMP Payment Resources for further review. AMP Payment Resources identified Chuck as the driver based on the rental agreement he signed when picking up the car and then contacted Chuck directly through a written letter regarding the infraction to collect the fine.
After reviewing the incident through the AMP Payment Resources' web portal, Chuck paid the fine using his personal credit card. Two weeks later, Finley Motors sent Chuck an email promotion offering 10% off a future rental.
How can Finley Motors reduce the risk associated with transferring Chuck's personal information to AMP Payment Resources?
To reduce the risk associated with transferring Chuck's personal information, Finley Motors should adhere to the principle of data minimization, which involves sharing only the data necessary for the specific purpose. In this case, they should provide AMP Payment Resources with only the essential details required to process the violation notice, such as Chuck's name, contact information, and details of the infraction, while masking any other non-essential information. This approach minimizes the exposure of personal data and aligns with best practices outlined by the IAPP for protecting personal information.
IAPP Certification Textbooks, specifically those sections covering data minimization and secure data handling practices.
'Principles of Data Protection: Data Minimization,' IAPP Privacy Handbook.
Which of the following is one of the fundamental principles of information security?
The fundamental principles of information security are often summarized by the CIA triad, which stands for Confidentiality, Integrity, and Availability. Confidentiality ensures that information is not disclosed to unauthorized individuals, entities, or processes. It is crucial in protecting personal and sensitive data from unauthorized access and breaches. This principle is widely recognized and referenced in various information security standards and frameworks, such as ISO/IEC 27001 and NIST SP 800-53.
ISO/IEC 27001:2013, Information technology --- Security techniques --- Information security management systems --- Requirements.
NIST Special Publication 800-53 (Rev. 5), Security and Privacy Controls for Information Systems and Organizations.
What is the main reason the Do Not Track (DNT) header is not acknowledged by more companies?
The main reason the Do Not Track (DNT) header is not acknowledged by more companies is:
Lack of consensus about what the DNT header should mean (Option C): There has been significant debate and no clear agreement on how companies should interpret and respond to the DNT header. This lack of standardization and enforceable regulations has led to its limited adoption.
Option A is incorrect because most web browsers do support the DNT feature. Option B is incorrect; there are no high financial penalties for violating DNT guidelines. Option D is also incorrect as the technological challenges are not the primary reason for non-acknowledgment.
IAPP Information Privacy Technologist (CIPT) training materials
W3C Tracking Protection Working Group reports
SCENARIO
Please use the following to answer the next question:
Light Blue Health (LBH) is a healthcare technology company developing a new web and mobile application that collects personal health information from electronic patient health records. The application will use machine learning to recommend potential medical treatments and medications based on information collected from anonymized electronic health records. Patient users may also share health data collected from other mobile apps with the LBH app.
The application requires consent from the patient before importing electronic health records into the application and sharing it with their authorized physicians or healthcare provider. The patient can then review and share the recommended treatments with their physicians securely through the app. The patient user may also share location data and upload photos in the app for a healthcare provider to review along with the health record. The patient may also delegate access to the app.
LBH's privacy team meets with the Application development and Security teams, as well as key business stakeholders on a periodic basis. LBH also implements Privacy by Design (PbD) into the application development process.
The Privacy Team is conducting a Privacy Impact Assessment (PIA) to evaluate privacy risks during development of the application. The team must assess whether the application is collecting descriptive, demographic or any other user-related data from the electronic health records that are not needed for the purposes of the application. The team is also reviewing whether the application may collect additional personal data for purposes for which the user did not provide consent.
Regarding the app, which action is an example of a decisional interference violation?