Certified Information Privacy Professional – United States (CIPP/US) — Question 67

Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law?

Answer options

• A. If the data involved was encrypted.
• B. If the data involved was accessed but not exported.
• C. If the entity was subject to the GLBA Safeguards Rule.
• D. If the entity followed internal notification procedures compatible with state law.

Correct answer: C

Explanation

The GLBA Safeguards Rule does not exempt an entity from breach notification obligations under state law, making option C the correct answer. In contrast, options A, B, and D present conditions that may provide sufficient justification for not notifying affected parties in the event of a data breach.