CIPPUS FSG Sept_2017_v1.pdf

Full Transcript

IPP/US CIPP/US CIPP/US CIPP/US CIP
P/US CIPP/US CIPP/US CIPP/US CIPP/

Certified Information Privacy
Professional/United States
(CIPP/US)
Study Guide

Effective September 2017
CIPP/US Study Guide 1

WELCOME
Congratulations on taking the first step toward achieving an IAPP privacy certification. This study guide
contains the basic information you need to get started:

•
•
•
•
•
•
•

An explanation of the IAPP certification program structure
Key areas of knowledge for the CIPP/US program
Recommended steps to help you prepare for your exam
A detailed body of knowledge for the CIPP/US program
An exam blueprint
Example questions
General exam information

CIPP/US Study Guide 2

The IAPP Certification Program Structure
The IAPP currently offers three certification programs: The Certified Information Privacy Professional
(CIPP), the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy
Technologist (CIPT).
The CIPP is the “what” of privacy. Earning this designation demonstrates your mastery of a
principles-based framework in information privacy in a legal or practical specialization. Within the CIPP,
there are five concentrations:

•
•
•
•
•

Asian privacy (CIPP/A)
Canadian privacy (CIPP/G)
European privacy (CIPP/E)
U.S. government privacy (CIPP/G)
U.S. private-sector privacy (CIPP/US)

The CIPM is the “how” of operations. Earning this designation shows you understand how to manage
privacy in an organization through process and technology.
The CIPT is the “how” of technology. Earning this designation shows you know how to manage and
build privacy requirements and controls into technology.
There are no concentrations within the CIPM or CIPT—they cross all jurisdictions and industries.

Requirements for IAPP Certification
1. You must pay an annual maintenance fee of $125 USD
OR

2. You can become a member of the IAPP—with access to numerous benefits like discounts,

networking opportunities, members-only resources and more—for just $250 USD, which includes
your annual maintenance fee.

More information about IAPP membership, including levels, benefits and rates, is available on the IAPP
website at iapp.org/join.

CIPP/US Study Guide 3

CIPP/US Key Areas of Knowledge
The Certified Information Privacy Professional/United States (CIPP/US) program launched in October
2004 as the first professional certification ever to be offered in information privacy. The CIPP/US
credential demonstrates a strong foundation in U.S. privacy laws and regulations and understanding of
the legal requirements for the responsible transfer of sensitive personal data to/from the U.S., the EU and
other jurisdictions.
Subject matter areas covered include:
•

The U.S. legal system: definitions, sources of law and sectoral model for privacy enforcement

•

U.S. federal laws for protection of personal data: FCRA and FACTA, HIPAA, GLBA, COPPA
and DPPA

•

U.S. federal regulation of marketing practices: TSR, DNC, CAN-SPAM, TCPA and JFPA

•

U.S. state data breach notification and select state laws

•

Regulation of privacy in the U.S. workplace: FCRA, EPP, ADA and ECPA plus best practices
for privacy and background screening, employee testing, workplace monitoring, employee
investigation and termination of employment

CIPP/US Study Guide 4

Preparation
Privacy certification is an important effort that requires advance preparation. Deciding how you will
prepare for your exams is a personal choice that should include an assessment of your professional
background, scope of privacy knowledge and your preferred method of learning.
In general, the IAPP recommends that you plan for a minimum of 30 hours of study time in advance of
your exam date; however, you might need more or fewer hours depending on your personal choices
and professional experience.
The IAPP recommends you prepare in the following manner:
1. Review the Body of Knowledge

The body of knowledge for the CIPP/US program is a comprehensive outline of the subject matter
areas covered by the CIPP/US exam. Review it carefully to help determine which areas merit additional
focus in your preparation. See pages 6–9.
2. Review the Exam Blueprint

The CIPP/US exam blueprint on page 10 specifies the number of items from each area of the body
of knowledge that will appear on the exam. Studying the blueprint can help you further target your
primary study needs.
3. Study the CIPP/US Textbook

U.S. Private-sector Privacy is the authoritative reference for the CIPP/US program. The IAPP strongly
recommends you take the time to carefully read and study the textbook. The print version of the official
CIPP/US, as well as the Foundations of Information Privacy and Data Protection, are included free with the
purchase of the CIPP/US online and live training classes. An electronic version of the textbook is also
available for purchase.
4. Get Certification Training

The IAPP offers both in-person certification prep classes and online training to help you prepare for
your exams.You can find a list of scheduled classes and/or purchase downloadable online training in the
IAPP store.
5. Take the CIPP/US Sample Questions

Sample questions are a great way to gain familiarity with the format and content of the actual
designation exams. They are available for purchase in a downloadable PDF file containing the questions,
an answer key and an explanation of each correct answer. Sample questions are included free with the
purchase of CIPP/US online and live training classes.
6. Review other IAPP Preparation Resources

Additional resources are available on the IAPP website, including a searchable glossary of terms.

CIPP/US Study Guide 5

CIPP/US Common Body of Knowledge Outline
I. Introduction to the U.S. Privacy Environment

A. Structure of U.S. Law
a. Branches of government
b. Sources of law
i. Constitutions
ii. Legislation
iii. Regulations and rules
iv. Case law
v. Common law
vi. Contract law
c. Legal definitions
i. Jurisdiction
ii. Person
iii. Preemption
iv. Private right of action
d. Regulatory authorities
i. Federal Trade Commission (FTC)
ii. Federal Communications Commission (FCC)
iii. Department of Commerce (DoC)
iv. Department of Health and Human Services (HHS)
v. Banking regulators
1. Federal Reserve Board
2. Comptroller of the Currency
vi. State attorneys general
vii. Self-regulatory programs and trust marks
e. Understanding laws
i. Scope and application
ii. Analyzing a law
iii. Determining jurisdiction
iv. Preemption
B. Enforcement of U.S. Privacy and Security Laws
a. Criminal versus civil liability
b. General theories of legal liability
i. Contract
ii. Tort
iii. Civil enforcement
c. Negligence
d. Unfair and deceptive trade practices (UDTP)
e. Federal enforcement actions
f. State enforcement (Attorneys General (AGs), etc.)
g. Cross-border enforcement issues (Global Privacy Enforcement Network (GPEN))
h. Self-regulatory enforcement (PCI, Trust Marks)

CIPP/US Study Guide 6

C. Information Management from a U.S. Perspective
a. Data classification
b. Privacy program development
c. Incident response programs
d. Training
e. Accountability
f. Data retention and disposal (FACTA)
g. Vendor management
i. Vendor incidents
h. International data transfers
i. U.S. Safe Harbor
ii. Binding Corporate Rules (BCRs)
iii. Standard Contractual Clauses
iv. Other approved transfer mechanisms
h. Other key considerations for U.S.-based global multinational companies
i. GDPR requirements
i. Resolving multinational compliance conflicts
i. EU data protection versus e-discovery
II. Limits on Private-sector Collection and Use of Data

A. Cross-sector FTC Privacy Protection
a. The Federal Trade Commission Act
b. FTC Privacy Enforcement Actions
c. FTC Security Enforcement Actions
d. The Children’s Online Privacy Protection Act of 1998 (COPPA)
B. Medical
a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
i. HIPAA privacy rule
ii. HIPAA security rule
b. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
c. The 21st Century Cures Act of 2016
d. Confidentiality of Alcohol and Drug Abuse Patient Records
i. 42 CFR Part 2
C. Financial
a. The Fair Credit Reporting Act of 1970 (FCRA)
b. The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
c. The Financial Services Modernization Act of 1999 (“Gramm-Leach-Billey” or GLBA)
i. GLBA privacy rule
ii. GLBA security rule
d. Red Flags Rule
e. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
f. Consumer Financial Protection Bureau
D. Education
a. Family Educational Rights and Privacy Act of 1974

CIPP/US Study Guide 7

E. Telecommunications and Marketing
a. Telemarketing sales rule (TSR) and the Telephone Consumer Protection Act of 1991 (TCPA)
i. The Do-Not-Call registry (DNC)
b. Combating the Assault of Non-solicited Pornography and Marketing Act of 2003
(CAN-SPAM)
c. The Junk Fax Prevention Act of 2005 (JFPA)
d. The Wireless Domain Registry
e. Telecommunications Act of 1996 and Customer Proprietary Network Information
f. Video Privacy Protection Act of 1988 (VPPA)
g. Cable Communications Privacy Act of 1984
i. Video Privacy Protection Act Amendments Act of 2012 (H.R. 6671)
III. Government and Court Access to Private-sector Information

A. Law Enforcement and Privacy
a. Access to financial data
i. Right to Financial Privacy Act of 1978
ii. The Bank Secrecy Act
b. Access to communications
i. Wiretaps
ii. Electronic Communications Privacy Act (ECPA)
1. Emails
2. Stored records
3. Pen registers
c. The Communication Assistance to Law Enforcement Act (CALEA)
B. National Security and Privacy
a. Foreign Intelligence Surveillance Act of 1978 (FISA)
i. Wiretaps
ii. Emails and stored records
iii. National security letters
b. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism Act of 2001 (USA-Patriot Act)
c. The USA Freedom Act of 2015
d. The Cybersecurity Information Sharing Act of 2015 (CISA)
C. Civil Litigation and Privacy
a. Compelled disclosure of media information
i. Privacy Protection Act of 1980
b. Electronic discovery
IV. Workplace Privacy

A. Introduction to Workplace Privacy
a. Workplace privacy concepts
i. Human resources management
b. U.S. agencies regulating workplace privacy issues
i. Federal Trade Commission (FTC)
ii. Department of Labor
iii. Equal Employment Opportunity Commission (EEOC)
iv. National Labor Relations Board (NLRB)
v. Occupational Safety and Health Act (OSHA)
vi. Securities and Exchange Commission (SEC)

CIPP/US Study Guide 8

c. U.S. Anti-discrimination laws
i. The Civil Rights Act of 1964
ii. Americans with Disabilities Act (ADA)
iii. Genetic Information Nondiscrimination Act (GINA)
B. Privacy before, during and after employment
a. Employee background screening
i. Requirements under FCRA
ii. Methods
1. Personality and psychological evaluations
2. Polygraph testing
3. Drug and alcohol testing
4. Social media
b. Employee monitoring
i. Technologies
1. Computer usage (including social media)
2. Location-based services (LBS)
3. Mobile computing
4. Email
5. Postal mail
6. Photography
7. Telephony
8. Video
ii. Requirements under the Electronic Communications Act of 1986 (ECPA)
iii. Unionized worker issues concerning monitoring in the U.S. workplace
c. Investigation of employee misconduct
i. Data handling in misconduct investigations
ii. Use of third parties in investigations
iii. Documenting performance problems
iv. Balancing rights of multiple individuals in a single situation
d. Termination of the employment relationship
i. Transition management
ii. Records retention
iii. References
V. State Privacy Laws

A. Federal vs. state authority
B. Marketing laws
C. Financial data
a. Credit history
b. California SB-1
D. Data security laws
a. SSN
b. Data destruction
c. Security procedures
E. Data breach notification laws
a. Elements of state data breach notification laws
b. Key differences among states today
c. Recent developments
i. Tennessee SB 2005
ii. Illinois HB 1260
iii. California AB 2828
iv. New Mexico HB 15
v. Other significant state amendments
CIPP/US Study Guide 9

CIPP/US Exam Format
The CIPP/US is a 2.5 hour exam comprised of 90 multiple choice items. Some of the multiple choice
items are associated with scenarios. There are no essay questions. Each correct answer is worth one point.

Exam Blueprint
The exam blueprint indicates the minimum and maximum number of items included on the CIPP/US
exam from the major areas of the body of knowledge. Questions may be asked from any of the topics
listed under each area.You can use this blueprint to guide your studying.

I.

Min

Max

Introduction to the U.S. Privacy Environment

25

35

A. Structure of U.S. Law
Branches of government, sources of law, legal definitions, regulatory
authorities, understanding laws
B. Enforcement of U.S. Privacy and Security Laws
Criminal vs. civil liability, general theories of legal liability

6

9

6

9

C. Information Management from a U.S. Perspective
11
Data classification, privacy program development, incident response
programs, training, accountability, data retention and disposal
(FACTA), vendor management, international data transfers, other key
considerations for U.S.-based multinational companies (including GDPR
requirements), resolving multinational compliance conflicts
II. Limits on Private-sector Collection and Use of Data

17

22

28

A. Cross-sector FTC Privacy Protection
The FTC Act, FTC privacy enforcement actions, FTC security
enforcement actions, COPPA

5

6

B. Healthcare
HIPAA, HITECH, GINA, The 21st Century Cures Act of 2016,
Confidentiality of Alcohol and Drug Abuse Patient Records

5

6

C. Financial
Measure, align, audit, communicate, monitor

8

10

D. Education
FERPA

2

3

E. Telecommunications and Marketing

2

3

CIPP/US Study Guide 10

III.

Min

Max

Government and Court Access to Private-sector Information

0

3

A. Law Enforcement and Privacy
Access to financial data, access to communications, CALEA
B. National Security and Privacy
FISA, USA-Patriot Act, USA Freedom Act, Cybersecurity Information
Sharing Act (CISA)

0

1

0

1

C. Civil Litigation and Privacy
Compelled disclosure of media information, electronic discovery

0

1

8

12

A. Overview of Workplace Privacy
Workplace privacy concepts, U.S. agencies regulating workplace privacy
issues, U.S. anti-discrimination laws

3

5

B. Privacy Before, During and After Employment
Employee background screening, employee monitoring, investigation of
employee misconduct, termination of employment relationship, working
with third parties

5

7

7

11

A. Federal vs. State authority

2

3

B. Marketing Laws

2

3

C. Financial Data

0

1

D. Data Security Laws

0

1

E. Data Breach Notification Laws

3

3

IV. Workplace Privacy

V. State Privacy Laws

CIPP/US Study Guide 11

Example Questions
1. All of the following are considered acceptable for U.S.-based multinational transportation companies
to achieve compliance with the EU Data Protection Directive except
A. Global consent
B. Safe Harbor
C. Binding corporate rules
D. Model contracts
2. Under the Children’s Online Privacy Protection Act, which is an accepted means for an organization
to validate parental consent when it intends to disclose a child’s information to a third party?
A. Email a consent form and the parent can provide consent by responding to the email.
B. Email a consent form and the parent can provide consent by signing and mailing back the form.
C. Email a consent form and request that the parent provide a mailing address or phone number for
additional contact.
D. Email a consent form to the parent allowing 30 days to object to the data disclosure.
3.

All of the following are considered acceptable lines of questioning by U.S. employers to applicants in
the pre-employment process except
A. Questions about the applicant’s duration of stay on the job or any anticipated absences.
B. Questions regarding any medical conditions or disabilities that would inhibit the performance of
the job function.
C. Questions on whether an applicant has applied for or received worker’s compensation.
D. Questions about the applicant’s height or weight as this relates to a specific job function.

CIPP/US Study Guide 12

General Exam Information
The IAPP offers testing via computer-based delivery at test centers worldwide. There are approximately
800 Kryterion High-stakes Online Secured Testing (HOST) locations around the world where IAPP
certification exams are administered.
The IAPP also offers testing at our major annual conferences. Event-based testing is paper-pencil format.
You can find detailed information about how to register for exams, as well as exam-day instructions in
the IAPP Certification Information Candidate Handbook, on our website at iapp.org/certify.

Questions?
The IAPP recognizes that privacy certification is an important professional development effort requiring
commitment and preparation. We thank you for choosing to pursue certification, and we welcome your
questions and comments regarding our certification program.
Please don’t hesitate to contact us at [email protected] or +1 603.427.9200.

CIPP/US Study Guide 13

Example Questions: Answers
1. All of the following are considered acceptable for U.S.-based multinational transportation companies to
achieve compliance with the EU Data Protection Directive except
A. Global consent
B. Safe Harbor
C. Binding corporate rules
D. Model contracts
2. Under the Children’s Online Privacy Protection Act, which is an accepted means for an organization to
validate parental consent when it intends to disclose a child’s information to a third party?
A. Email a consent form and the parent can provide consent by responding to the email.
B. Email a consent form and the parent can provide consent by signing and mailing back
the form.
C. Email a consent form and request that the parent provide a mailing address or phone number for
additional contact.
D. Email a consent form to the parent allowing 30 days to object to the data disclosure.
3.

All of the following are considered acceptable lines of questioning by U.S. employers to applicants in the
pre-employment process except
A. Questions about the applicant’s duration of stay on the job or any anticipated absences.
B. Questions regarding any medical conditions or disabilities that would inhibit the performance of
the job function.
C. Questions on whether an applicant has applied for or received worker’s compensation.
D. Questions about the applicant’s height or weight as this relates to a specific job function.

CIPP/US Study Guide 14