CIPP-US Question #208: Real Exam Question with Answer & Explanation

Question

Options

• AMany states have unique types of businesses that require specific legislation
• BMany lawmakers believe that federal enforcement of current laws has not been effective
• CMany types of organizations are not currently subject to federal laws regarding breaches
• DMany large businesses have intentionally breached the personal information of their customers

Explanation

The most likely reason that states have adopted their own data breach notification laws is that many types of organizations are not currently subject to federal laws regarding breaches. As explained in the Data Breach Response: A Guide for Business from the Federal Trade Commission (FTC), certain federal laws govern obligations to report data breaches in particular industries, such as health care, financial services, or telecommunications. However, these laws do not cover all types of businesses or all types of personal information that may be compromised in a data breach. Therefore, states have enacted their own data breach notification laws to fill the gaps and protect the privacy and security of their residents. According to the National Conference of State Legislatures, as of January 2022, all 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. These state laws vary in terms of the definitions of personal information, the triggers for notification, the methods and timing of notification, the exemptions and exceptions, and the penalties and enforcement mechanisms.

No community discussion yet for this question.