Certified Information Privacy Professional – United States (CIPP/US) — Question 49
Which of the following statements is most accurate in regard to data breach notifications under federal and state laws:
Answer options
- A. You must notify the Federal Trade Commission (FTC) in addition to affected individuals if over 500 individuals are receiving notice.
- B. When providing an individual with required notice of a data breach, you must identify what personal information was actually or likely compromised.
- C. When you are required to provide an individual with notice of a data breach under any state’s law, you must provide the individual with an offer for free credit monitoring.
- D. The only obligations to provide data breach notification are under state law because currently there is no federal law or regulation requiring notice for the breach of personal information.
Correct answer: B
Explanation
Option B is correct because the content requirements of breach notification laws consistently require the notice to describe the personal information involved: most state statutes require a description of the categories of personal information that were, or are reasonably believed to have been, acquired, and the HIPAA Breach Notification Rule likewise requires the individual notice to describe the types of unsecured protected health information involved. Option A is incorrect because no law requires FTC notification for every breach affecting more than 500 individuals; the 500-individual threshold in HIPAA triggers notice to the Secretary of HHS (and the media), not the FTC, and the FTC's own Health Breach Notification Rule applies only to vendors of personal health records and related entities that are not covered by HIPAA. Option C is incorrect because an offer of credit monitoring is not a universal condition of notice; it is often adopted as a best practice, and a small number of states require it in specific circumstances (for example, when Social Security numbers are compromised), but "under any state's law" overstates the rule. Option D is false because federal law does impose breach notification obligations on regulated entities, notably the HIPAA Breach Notification Rule for covered entities and business associates and the GLBA framework (including the Interagency Guidance on Response Programs) for financial institutions.