Finances for Graduates is a start-up financial services company focused on helping recent college graduates with financial needs by providing banking services, mortgage products, and investment planning. As a start-up, Finances for Graduates encourages its customer service representatives to use generative artificial intelligence (genAI) tools available online. According to the internal policies of Finances for Graduates, customers’ personal information is not to be used in interactions with these genAI tools. Finances for Graduates, however, does not train employees on these policies. Over a six-month timeframe, numerous customer service representatives inadvertently input client financial information into these genAI tools, which the genAI tools then store in an unsecured manner. As a result of this data breach, attackers have been able to access sensitive client information. Wanting to comply with legal requirements related to this breach, the management of Finances for Graduates immediately instructs its compliance team to adhere to the requirements of the various state data breach notification laws. What additional concerns are raised by the compliance team regarding the GLBA and the state comprehensive privacy laws?

Iron Dreams, a company whose mission is to ensure that all of its customers get at least 150 minutes of exercise per week, starts a marketing campaign to promote its new app which has a $19.99 monthly subscription. The campaign involves employees of Iron Dreams calling prospective customers around the country. Iron Dreams’s Advertising Manager asks you, as the Privacy Officer, to review the campaign to double check that you believe Iron Dreams would be complying with the requirements of U.S. law. Which of the following parts of the campaign would you approve?

Red & Black, a national cable company, provides both cable Internet service and cable TV service to its customers. Red & Black receives a court order related to a criminal investigation asking for any accounts opened and any Internet provider addresses used by Owen Owens, a customer of the company. The order instructs Red & Black not to notify Owen about the existence of the order. Kelly O’Malley, the CEO of the company, wants to comply with the pertinent legal requirements. After Kelly consults with her lawyer, is it likely that Kelly decides to comply with the order?

Luke Lucky, an experienced poker player, signs up to play in a national poker tournament at Big Dog Casino in Las Vegas, Nevada. After arriving at the casino, Luke decides to participate in 3 smaller tournaments in addition to the national poker tournament.  To cover the entry fees, Luke pays the casino $20,000 in cash. Does this cash payment trigger a reporting requirement?

Angelica Angeles is a 2024 graduate of Georgia Tech who recently started a job at Safe-N-Sound Security in Utah City, Utah. Angelica received an employee manual on the first day of work at the cybersecurity support center, which is unionized. Being a detail-oriented Georgia Tech graduate, Angelica reads the entire manual. The manual is explicit that the company will monitor all emails in a person’s official work account. Angelica learns from the manual that the company promises not to read any emails accessed at work that originate in an account other than the official work account. Based on these statements in the manual, Angelica regularly checks her personal email accounts at work. After a month with Safe-N-Sound Security, Angelica realizes that the company is failing to pay its workers overtime as required by federal law. After this discovery, the topics of Angelica’s personal emails change from general updates to complaints about working conditions at Safe-N-Sound Security. After two months of working for Safe-N-Sound Security, Angelica is fired. Angelica believes that her personal emails led to her termination. If Angelica is correct, does Angelica have a strong case that she should not have been fired?

Five years after Linh Lee retired from working for a major tobacco producer, Linh was diagnosed with lung cancer. Linh hires an attorney to determine if she has a viable legal claim against her former employer. Linh’s attorney sends a number of requests to the company for records maintained about Linh as well as for practices in place at the time that Linh was an employee of the company. What are the reasons that the company likely maintained these records?

World2U.com, a world-wide social media company, is based in San Francisco, California. World2U.com had worldwide revenues of $100 billion in 2024. After numerous meetings of top officials, World2U.com decides that the company should focus on the individual privacy rights of its users. Despite this decision, the CEO determines that data portability is not feasible for the company. What maximum fines could World2U.com face under the GDPR?

FootballFans.com is a site where fans can buy merchandise from a variety of professional football teams. FootballFans.com has customers across the United States. In 2025, FootballFans.com learns that hackers injected a credit card stealer into the website’s checkout page. This breach exposed the name, address, telephone number, and credit card information of 1 million customers. When notifying customers about the breach, can the company include a general description of the nature of the breach?

Is Honorlock correctly setup on your computer?

You are hired as the Chief Privacy Officer of Bear Cubs Delivery, a company based in Chicago, Illinois, which has ten warehouses located throughout the state. After the company’s CEO learns that the U.S. Congress is considering a bill known as the “Bosses Spy No More Act,” which would prohibit employers from utilizing certain surveillance tools that use artificial intelligence, the CEO asks you to review the company’s current employee monitoring practices for any potential violations of existing federal or state laws. After investigating the current practices of the company, you become aware that Bear Cubs Delivery is using an employee-monitoring tool that records the video and audio of employees while on-site at the company’s warehouses. The tool utilizes artificial intelligence to identify the faces of individual employees and then to calculate for each identified employee the daily percentage of conversations that are not work related. Your investigation also reveals that employees who work in the warehouses are not informed of this employee-monitoring tool and only top-level executives receive the reports generated by the tool. Based on your investigation, your response to the CEO is: