Question 37
Which statement best reflects U.S. privacy program accountability?
Correct answer: B
Explanation
Accountability in U.S. privacy programs means an organization must be able to show it has governing policies, controls, and oversight for how it handles data. This reflects the principle that it should "justify and govern its data practices" rather than merely claim compliance.
Why each option is right or wrong
A. If a vendor causes the problem, the organization that chose the vendor has no further privacy responsibility
B. Accountability means the organization should be able to justify and govern its data practices through policies, controls, and oversight
U.S. privacy frameworks treat accountability as an organizational governance obligation, not a mere statement of compliance. For example, the FTC Act §5 (15 U.S.C. §45) can reach unfair or deceptive privacy practices when a company lacks the policies, controls, and oversight it says it has, and the NIST Privacy Framework’s governance function likewise requires documented policies, roles, and oversight mechanisms to manage data processing. In exam terms, the best answer is the one tying privacy compliance to demonstrable internal governance and the ability to justify data practices, rather than to a single notice or promise.
C. Accountability applies only after a lawsuit is filed
D. Accountability is satisfied by posting one privacy notice