ExamGecko
Home Home / IAPP / CIPM
Question list
Search
Search

List of questions

Search

Related questions











Question 21 - CIPM discussion

Report
Export

SCENARIO

Please use the following to answer the next QUESTION:

Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.

Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging

Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.

Spencer -- a former CEO and currently a senior advisor -- said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.

One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. 'Breaches can happen, despite organizations' best efforts,' she remarked. 'Reasonable preparedness is key.' She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.

Spencer replied that acting with reason means allowing security to be handled by the security functions within the company -- not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.

Spencer said, 'The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month.'

Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.

What is the most realistic step the organization can take to help diminish liability in the event of another incident?

A.

Requiring the vendor to perform periodic internal audits.

Answers
A.

Requiring the vendor to perform periodic internal audits.

B.

Specifying mandatory data protection practices in vendor contracts.

Answers
B.

Specifying mandatory data protection practices in vendor contracts.

C.

Keeping the majority of processing activities within the organization.

Answers
C.

Keeping the majority of processing activities within the organization.

D.

Obtaining customer consent for any third-party processing of personal data.

Answers
D.

Obtaining customer consent for any third-party processing of personal data.

Suggested answer: B

Explanation:

This answer is the most realistic step the organization can take to help diminish liability in the event of another incident, as it can ensure that the vendor complies with the same standards and obligations as the organization regarding data protection. Vendor contracts should include clauses that specify the scope, purpose, duration and type of data processing, as well as the rights and responsibilities of both parties. The contracts should also require the vendor to implement appropriate technical and organizational measures to protect the data from unauthorized or unlawful access, use, disclosure, alteration or destruction, and to notify the organization of any security incidents or breaches. The contracts should also allow the organization to monitor, audit or inspect the vendor's performance and compliance with the contract terms and applicable laws and regulations.Reference: IAPP CIPM Study Guide, page 82; ISO/IEC 27002:2013, section 15.1.2

asked 22/11/2024
Arvind Prasad S
41 questions
User
Your answer:
0 comments
Sorted by

Leave a comment first