Case Studies

Question 1

What security controls are missing from the Eureka program?

a. Storage of medical data in the cloud is not permissible under the GDPR
b. Data access is not limited to those who “need to know” for their role
c. Collection of data without a defined purpose might violate the fairness principle
d. Encryption of the data at rest prevents European users from having the right of access and the right of portability of their data

Answer 1

Data access is not limited to those who “need to know” for their role

Question 2

What step in the system development process did Manasa skip?

a. Obtain express written consent from users of the Handy Helper regarding marketing
b. Work with Sanjay to review any necessary privacy requirements to be built into the product
c. Certify that the Handy Helper meets the requirements of the EU-US Privacy Shield Framework
d. Build the AI feature so that users would not have to input sensitive information into the Handy Helper.

Answer 2

Work with Sanjay to review any necessary privacy requirements to be built into the product

Question 3

What administrative safeguards should be implemented to protect the collected data while in use by Manasa and her product management team?

a. Document the data flows for the collected data
b. Conduct a Privacy Impact Assessment to evaluate the risks involved
c. Implement a policy restricting data access on a need to know basis
d. Limit data transfers to the US by keeping data collected in Europe within a local data centre

Answer 3

Implement a policy restricting data access on a need to know basis

Question 4

What element of the Privacy by Design framework might the Handy Helper violate?

a. Failure to obtain opt in consent to marketing
b. Failure to observe data localisation requirements
c. Failure to implement the least privilege access standard
d. Failure to integrate privacy throughout the system developed life cycle

Answer 4

Failure to integrate privacy throughout the system developed life cycle

Question 5

What can Sanjay do to minimize the risks of offering the product in Europe?

a. Sanjay should advise the distributor that Omnimedia has certified to the Privacy Shield framework and there should be no issues
b. Sanjay should work with Manasa to review and remediate the Handy Helper as a gating item before it is released
c. Sanjay should document the data life cycle of the data collected by the Handy Helper
d. Sanjay should write a privacy policy to include with the Handy Helper user guide

Answer 5

Sanjay should work with Manasa to review and remediate the Handy Helper as a gating item before it is released

Question 6

To improve the facility’s system of data security, Anton should consider following through with the plan for which of the following?

a. Customer communication
b. Employee access to electronic storage
c. Employee advisement regarding legal matters
d. Controlled access at the company HQ

Answer 6

Controlled access at the company HQ

Question 7

Which of Anton’s plans for improving the data management of the company is most achievable?

a. His initiative to achieve regulatory compliance
b. His intention to transition to electronic storage
c. His objective for zero loss of personal information
d. His intention to send notice letters to customers and employees

Answer 7

His intention to transition to electronic storage

Question 8

Which important principle of Data Lifecycle Management will most likely be compromised if Anton executes his plan to limit data access to himself and Kenneth?

a. Practicing data minimalism
b. Ensuring data retrievability
c. Implementing clear policies
d. Ensuring adequacy of infrastructure

Answer 8

Ensuring data retrievability

Question 9

In terms of compliance with regulatory and legislative changes, Anton has a misconception regarding…

a. The timeline for monitoring
b. The method of recordkeeping
c. The use of internal employees
d. The type of required qualifications

Answer 9

The timeline for monitoring

Question 10

What would the company’s legal team most likely recommend to Anton regarding his planned communication with customers?

a. To send consistent communication
b. To shift to electronic communication
c. To delay communication until local authorities are informed
d. To consider under what circumstances communication is necessary

Answer 10

To consider under what circumstances communication is necessary

Question 11

Which of the following is the most effective control to enforce MessageSafe’s implementation of appropriate technical countermeasures to protect the personal data received from A&M LLP?

a. MessageSafe must apply due diligence before trusting Cloud Inc. with the personal data received from A&M LLP.
b. MessageSafe must flow-down its data protection contract terms with A&M LLP to Cloud Inc.
c. MessageSafe must apply appropriate security controls on the cloud infrastructure
d. MessageSafe must notify A&M LLP of a data breach

Answer 11

MessageSafe must flow-down its data protection contract terms with A&M LLP to Cloud Inc.

Question 12

Which of the following is a TRUE statement about the relationship among the organisations?

a. Cloud Inc. must notify A&M LLP of a data breach immediately
b. MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP
c. Cloud Inc. should enter into a data processor agreement with A&M LLP
d. A&M LLP’s service contract must be amended to list Cloud Inc. as a sub-processor

Answer 12

A&M LLP’s service contract must be amended to list Cloud Inc. as a sub-processor

Question 13

Which of the following is NOT an obligation of MessageSafe as the email continuity service provider for A&M LLP?

a. Privacy compliesance
b. Security commitment
c. Certifications to relevant frameworks
d. Data breach notification to A&M LLP

Answer 13

Certifications to relevant frameworks

Question 14

Richard believes that a transition from the use of fax machine to internet facing provides all of the following security benefits EXPECT…

a. Greater accessibility to the faxes at an offsite location
b. The ability to encrypt the transmitted faxes through a secure server
c. Reduction of the risk of data being seen or copied by unauthorised personnel
d. The ability to store faxes electronically, either on the user’s PC or a password protected network server

Answer 14

Greater accessibility to the faxes at an offsite location

Question 15

As Richard begins to research more about Data Lifecycle Management, he discovers that the law office can lower the risk of a data breach by doing what?

a. Prioritising the data by order of importance
b. Minimising the time it takes to retrieve the sensitive data
c. Reducing the volume and the type of data that is stored in its system
d. Increasing the number of experienced staff to code and categorize the incoming data

Answer 15

Reducing the volume and the type of data that is stored in its system

Question 16

What Data Lifecycle Management principle should the company follow if they end up allowing departments to interpret the privacy policy differently?

a. Prove the authenticity of the company’s records
b. Arrange for official credentials for staff members
c. Adequately document reasons for inconsistencies
d. Create categories to reflect degrees of data importance

Answer 16

Adequately document reasons for inconsistencies

Question 17

What is the most likely reason the CIO believes that generating a list of needed IT equipment is NOT adequate?

a. The company needs to have policies and procedures in place to guide the purchasing decisions
b. The privacy notice for customers and the Business Continuity Plan still needs to be reviewed
c. Staff members across departments need time to review technical information concerning any new database
d. Senior staff members need to first commit to adopting a minimum number of Privacy Enhancing Technologies

Answer 17

The company needs to have policies and procedures in place to guide the purchasing decisions

Question 18

If Amira and Sadie’s ideas about adherence to the company’s privacy policy go unchecked, the Federal Communications Commission could potentially take action against NatGen for what?

a. Deceptive practices
b. Failing to institute the hotline
c. Failure to notify of processing
d. Negligence in consistent training

Answer 18

Failing to institute the hotline

Question 19

What additional change will increase the effectiveness of the privacy compliance hotline?

a. Outsourcing the hotline
b. A system for staff education
c. Strict communication channels
d. An ethics complaint department

Answer 19

Outsourcing the hotline

Question 20

Which of the following would be most effectively used as a guide to a systems approach to implementing data protection?

a. Data Lifecycle Management Standards
b. United Nations Privacy Agency Standards
c. International Organisation for Standardisation 9000 Series
d. International Organisation for Standardisation 27000 Series

Answer 20

International Organisation for Standardisation 27000 Series

Question 21

How can Consolidated’s privacy training program best be further developed?

a. Through targeted curricula designed for specific departments
b. By adopting e-learning to reduce the need for instructors
c. By using industry standard off the shelf programs
d. Through a review of recent data breaches

Answer 21

Through targeted curricula designed for specific departments

Question 22

What process could most effectively be used to add privacy protections to a new, comprehensive program being developed at Consolidated?

a. Privacy by Design
b. Privacy Step Assessment
c. Information Security Planning
d. Innovation Privacy Standards

Answer 22

Privacy by Design

Question 23

What stage of the privacy operational lifecycle best describes Consolidated’s current privacy program?

a. Assess
b. Protect
c. Respond
d. Sustain

Answer 23

Protect

Question 24

Which is the best way to ensure that data on personal equipment is protected?

a. User risk training
b. Biometric security
c. Encryption of the data
d. Frequent data backups

Answer 24

Encryption of the data

Question 25

From a business standpoint, what is the most productive way to view employee use of personal equipment for work-related tasks?

a. The use of personal equipment is a cost-effective measure that leads to no greater security risks than are always present in a modern organisation
b. Any computer or other equipment is company property whenever it is used for company business
c. While the company may not own the equipment, it is required to protect the business-related data on any equipment used by its employees.
d. The use of personal equipment must be reduced as it leads to inevitable security risks

Answer 25

While the company may not own the equipment, it is required to protect the business-related data on any equipment used by its employees.

Question 26

In order to determine the best course of action, how should this incident most productively be viewed?

a. As the accidental loss of personal property containing data that must be restored
b. As a potential compromise of personal information through unauthorised access
c. As an incident that requires the abrupt initiation of a notification campaign
d. As the premediated theft of company data, until shown otherwise

Answer 26

As a potential compromise of personal information through unauthorised access

Question 27

What should you do first to ascertain additional information about the loss of data?

a. Interview the person reporting the incident following a standard protocol
b. Call the police to investigate even if you are unsure a crime occurred
c. Investigate the background of the person reporting the incident
d. Check company records of the latest backups to see what data may be recoverable

Answer 27

Interview the person reporting the incident following a standard protocol

Question 28

What is the most realistic step the organisation can take to help diminish liability in the event of another incident?

a. Requiring the vendor to perform periodic internal audits
b. Specific mandatory data protection practices in vendor contracts
c. Keeping the majority of processing activities within the organisation
d. Obtaining customer consent for any 3rd party processing of personal data

Answer 28

Specific mandatory data protection practices in vendor contracts

Question 29

Nationwide Grill needs to create better employee awareness of the company’s privacy program by doing what?

a. Varying the modes of communication
b. Communicating to the staff more often
c. Improving inter-departmental cooperation
d. Requiring acknowledgement of company memos

Answer 29

Varying the modes of communication

Question 30

How could the objection to Spencer’s training suggestion be addressed?

a. By requiring training only on an as-needed basis
b. By offering alternative delivery methods for training
c. By introducing a system of periodic refreshing trainings
d. By customising training based on length of employee tenure

Answer 30

By offering alternative delivery methods for training

Question 31

The senior advisor, Spencer, has a misconception regarding?

a. The amount of responsibility that a data controller retains
b. The appropriate role of an organisation’s security department
c. The degree to which training can lessen the number of security incidents
d. The role of HR employees in an organisation’s privacy program

Answer 31

The amount of responsibility that a data controller retains

Question 32

What does this example best illustrate about training requirements for privacy protection?

a. Training needs must be weighed against financial costs
b. Training on local laws must be implemented for all personnel
c. Training must be repeated frequently to respond to new legislation
d. Training must include assessments to verify that the material is mastered

Answer 32

Training on local laws must be implemented for all personnel

Question 33

Knowing that the regulator is now investigating, what would be the best step to take?

a. Consult an attorney experienced in privacy law and litigation
b. Use your background and knowledge to set a course of action
c. If you know the organisation is guilty, advise it to accept the punishment
d. Negotiate the terms of a settlement before formal legal action takes place

Answer 33

If you know the organisation is guilty, advise it to accept the punishment

Question 34

What should you advise this company regarding the status of security cameras at their offices in the US?

a. Add security cameras at facilities that are now without them
b. Set policies about the purpose and use of the security cameras
c. Reduce the number of security cameras located inside the building
d. Restrict access to surveillance video taken by the security cameras and destroy the recordings after a designated period of time

Answer 34

Set policies about the purpose and use of the security cameras

Question 35

Since it is too late to restructure the contract with the vendor or prevent the app from being deployed, what is the best step for you to take next?

a. Implement a more comprehensive suite of information security controls than the one used by the vendor
b. Ask the vendor for verifiable information about their privacy protections so weaknesses can be identified
c. Develop security protocols for the vendor and mandate that they be deployed
d. Insist on an audit of the vendor’s privacy procedures and safeguards

Answer 35

Ask the vendor for verifiable information about their privacy protections so weaknesses can be identified

Question 36

Which is the best first step in understanding the data security practices of a potential vendor?

a. Requiring the vendor to complete a questionnaire assessing International Organisation for Standardisation 27001 compliance
b. Conducting a physical audit of the vendor’s facilities
c. Conducting a penetrating test of the vendor’s data security structure
d. Examining investigation records of any breaches the vendor has experienced

Answer 36

Requiring the vendor to complete a questionnaire assessing International Organisation for Standardisation 27001 compliance

Question 37

What safeguard can most efficiently ensure that privacy protection is a dimension of relationships with vendors?

a. Include appropriate language about privacy protection in vendor contracts
b. Perform a privacy audit on any vendor under consideration
c. Require that a person trained in privacy protection be part of all vendor selection teams
d. Do business only with vendors who are members of privacy trade associations

Answer 37

Include appropriate language about privacy protection in vendor contracts

Question 38

You want to point out that normal protocols have NOT been followed in this matter. Which process in particular has been neglected?

a. Forensic inquiry
b. Data mapping
c. Privacy breach prevention
d. Vendor due diligence vetting

Answer 38

Vendor due diligence vetting

Question 39

You see evidence that company employees routinely circumvent the privacy officer in developing new initiatives. How can you best draw attention to the scope of this problem?

a. Insist upon one-on-one consultation with each person who works around the privacy officer
b. Develop a metric showing the number of initiatives launched without consultation and include it in reports, presentations, and consultation
c. Hold discussions with the department head of anyone who fails to consult with the privacy officer
d. Take your concerns straight to the CEO

Answer 39

Develop a metric showing the number of initiatives launched without consultation and include it in reports, presentations, and consultation

Question 40

What would be the best kind of audit to recommend for Gadgo?

a. A supplier audit
b. An internal audit
c. A 3rd party audit
d. A self-certification

Answer 40

A 3rd party audit

Question 41

What phase in the Privacy Maturity Model does Gadgo’s privacy program best exhibit?

a. Ad hoc
b. Defined
c. Repeatable
d. Managed

Answer 41

Ad hoc

Question 42

Incipia Corporation just trained the last of its 300 employees on their new privacy policies and procedures. If Incipia wanted to analyse the effectiveness of the training over the next 6 months, which form of trend analysis should they use?

a. Cyclical
b. Irregular
c. Statistical
d. Standard variance

Answer 42

Cyclical

Question 43

To determine the steps to follow, what would be the most appropriate internal guide for Ben to review?

a. Incident Response Plan
b. Code of Business Conduct
c. IT Systems and Operations Handbook
d. Business Continuity and Disaster Recovery Plan

Answer 43

Incident Response Plan

Question 44

If this were a data breach, how is it likely to be categorized?

a. Availability Breach
b. Authenticity Breach
c. Confidentiality Breach
d. Integrity Breach

Answer 44

Confidentiality Breach

Question 45

Going forward, what is the best way for IgNight to prepare its IT team to manage these kind of security events?

a. Tabletop exercises
b. Update its data inventory
c. IT security awareness training
d. Share communications relating to scheduled maintenance

Answer 45

Tabletop exercises

Question 46

In consideration of the company’s new initiatives, which of the following laws and regulations would be most appropriate for Albert to mention at the interview as a priority concern for the privacy team?

a. Gramm-Leach-Bliley Act (GLBA)
b. GDPR
c. The Telephone Consumer Protection Act (TCPA)
d. Health Insurance Portability and Accountability Act (HIPAA)

Answer 46

Health Insurance Portability and Accountability Act (HIPAA)

Question 47

On which of the following topics does Albert most likely need additional knowledge?

a. The role of privacy in retail companies
b. The necessary maturity level of privacy programs
c. The possibility of delegating responsibilities related to privacy
d. The requirements for a managerial position with privacy protection duties

Answer 47

The requirements for a managerial position with privacy protection duties

Question 48

Based on Albert’s observations, executive leadership should most likely pay closer attention to what?

a. Awareness campaigns with confusing information
b. Obsolete data processing systems
c. Outdated security frameworks
d. Potential in-house threats

Answer 48

Potential in-house threats

Question 49

Based on Albert’s observations regarding recent security incidents, which of the following should he suggest as a priority for Treasure Box?

a. Appointing an internal ombudsman to address employee complaints regarding hours and pay
b. Using a 3rd party auditor to address privacy protection issues not recognised by the prior internal audits
c. Working with the HR department to make screening procedures for potential employees more rigorous
d. Evaluating the company’s ability to handle personal health information if the plan to acquire the medical supply company goes forward

Answer 49

Working with the HR department to make screening procedures for potential employees more rigorous

Question 50

What is one important factor that Albert fails to consider regarding Treasure Box’s response to their recent security incident?

a. Who has access to the data
b. What the nature of the data is
c. How data at the company is collected
d. How long data at the company is kept

Answer 50

What the nature of the data is

Question 51

The company may start to earn back the trust of its customer base by following Albert’s suggestion regarding which handling procedure?

a. Access
b. Correction
c. Escalation
d. Data integrity

Answer 51

Access

Question 52

To establish the current baseline of Ace Space’s privacy maturity, Penny should consider all of the following factors EXCEPT?

a. Ace Space’s documented procedures
b. Ace Space’s employee training program
c. Ace Space’s vendor engagement protocols
d. Ace Space’s content sharing practices on social media

Answer 52

Ace Space’s content sharing practices on social media

Question 53

What is the best way for Penny to understand the location, classification and processing purpose of the personal data Ace Space has?

a. Analyse the data inventory to map data flows
b. Audit all vendors’ privacy practices and safeguards
c. Conduct a Privacy Impact Assessment for the company
d. Review all cloud contracts to identify the location of data servers used

Answer 53

Analyse the data inventory to map data flows

Question 54

What information will be LEAST crucial from a privacy perspective in Penny’s review of vendor contracts?

a. Audit rights
b. Liability for a data breach
c. Pricing for data security protections
d. The data a vendor will have access to

Answer 54

Pricing for data security protections

Question 55

To help Penny and her CEO with their objectives, what would be the most helpful approach to address her IT concerns?

a. Roll out an encryption policy
b. Undertake a tabletop exercise
c. Ensure inventory of IT assets is maintained
d. Host a town hall discussion for all IT employees

Answer 55

Undertake a tabletop exercise

Question 56

Collection, Access and Destruction are aspects of what privacy management process?

a. The data governance strategy
b. The breach response plan
c. The metric lifecycle
d. The business case

Answer 56

The data governance strategy

Question 57

After conducting research, you discover a primary data protection issue with cloud computer. Which of the following should be your biggest concern?

a. An open programming model that results in easy access
b. An unwillingness of cloud providers to provide security information
c. A lack of vendors in the cloud computing market
d. A reduced resilience of data structures that may lead to data loss

Answer 57

An open programming model that results in easy access

Question 58

What is the best way to prevent the Finnish vendor from transferring data to another party?

a. Restrict the vendor to using company security controls
b. Offer company resources to assist with the processing
c. Include transfer prohibitions in the vendor contract
d. Lock the data down in its current location

Answer 58

Include transfer prohibitions in the vendor contract

Question 59

What process can best answer your questions about vendor’s data security safeguards?

a. A 2nd part of supplier audit
b. A reference check with other clients
c. A table top demonstration of a potential threat
d. A public records search for earlier legal violations

Answer 59

A 2nd part of supplier audit

Question 60

What is the best way for your vendor to be clear about the Society’s breach notification expectations?

a. Include notification provisions in the vendor contract
b. Arrange regular telephone check-ins reviewing expectations
c. Send a memorandum of understanding on breach notification
d. Email the regulations that require breach notifications

Answer 60

Include notification provisions in the vendor contract

Question 61

Which of the following elements of the incident did you adequately determine?

a. The nature of the data elements impacted
b. The likelihood the incident may lead to harm
c. The likelihood that the information is accessible and useable
d. The number of individuals whose information was affected

Answer 61

The number of individuals whose information was affected

Question 62

Regarding the notification, which of the following would be the greatest concern?

a. Informing the affected individuals that data from other individuals may have also been affected
b. Collecting more personally identifiable information than necessary to provide updates to the effected individuals (Correct, it doesn’t call this out in the case study but this is the biggest concern I think – Joe)
c. Using a postcard with the logo of the vendor who made the mistake instead of your company’s logo
d. Trusting a vendor to send out a notice when they already failed once by not encrypting the database

Answer 62

Collecting more personally identifiable information than necessary to provide updates to the effected individuals

Question 63

What is the most concerning limitation of the incident response council?

a. You convened it to diffuse blame
b. The council has an overabundance of attorneys
c. It takes 8 hours of emails to come to a decision
d. The leader just joined the company as a consultant

Answer 63

It takes 8 hours of emails to come to a decision

Question 64

Regarding the credit monitoring, which of the following would be the greatest concern?

a. The vendor’s representative does not have enough experience
b. Signing a contract with CRUDLOK which lasts longer than 1 year
c. The company did not collect enough identifiers to monitor one’s creditT
d. You are going to notify affected individuals via a letter followed by an email

Answer 64

The company did not collect enough identifiers to monitor one’s credit

Question 65

Which of the following was done CORRECTLY during the above incident?

a. The process by which affected individuals sign up for email notifications
b. Your assessment of which credit monitoring company you should hire
c. The speed at which you sat down to reflect and document the incident
d. Finding a vendor who will offer the affected individuals additional services

Answer 65

The speed at which you sat down to reflect and document the incident

Question 66

You are charged with making sure that privacy safeguards are in place for new product and initiatives. What is the best way to do this?

a. Hold a meeting with stakeholders to create an interdepartmental protocol for new initiatives
b. Institute Privacy by Design principles and practices across the organisation
c. Develop a plan for introducing privacy protections into the product development stage
d. Conduct a gap analysis after deployment of new products, then mend any gaps that are revealed

Answer 66

Institute Privacy by Design principles and practices across the organisation

Question 67

The CEO likes what he’s seen of the company’s improved privacy program, but wants additional assurance that it is fully compliant with industry standards and reflects emerging best practices. What would best help accomplish this goal?

a. An external audit conducted by a panel of industry experts
b. An internal audit team accountable to upper management
c. Creation of a self-certification framework based on company policies
d. Revision of the strategic plan to provide a system of technical controls

Answer 67

An internal audit team accountable to upper management

Question 68

The company has achieved a level of privacy protection that established new best practices for the industry. What is a logical next step to help ensure a high level of protection?

a. Brainstorm methods for developing an enhanced privacy framework
b. Develop a strong marketing strategy to communicate the company’s privacy practices
c. Focus on improving the incident response plan in preparation for any breaks in protection
d. Shift attention to privacy for emerging technologies as the company begins to use them

Answer 68

Shift attention to privacy for emerging technologies as the company begins to use them

Question 69

What metric can Goddard use to assess whether costs associated with implementing new privacy protections are justified?

a. Compliance ratio
b. Cost-effective mean
c. Return on investment
d. Implementation measure

Answer 69

Return on investment

Question 70

You give a presentation to your CEO about privacy program maturity. What does it mean to have a “managed” privacy program, according to the AICPA/CICA Privacy Maturity Model?

a. Procedures or processes exist however they are not fully documented and do not cover all relevant aspects
b. Procedures and processes are fully documented and implemented, and cover all relevant aspects.
c. Reviews are conducted to assess the effectiveness of the controls in place
d. Regular review and feedback are used to ensure continuous improvement toward optimisation of the given process.

Answer 70

Reviews are conducted to assess the effectiveness of the controls in place

Question 71

Which of the following best demonstrates the effectiveness of a firm’s privacy incident response process?

a. The decrease of security breaches
b. The decrease of notifiable breaches
c. The increase of privacy incidents reported by users
d. The decrease of mean time to resolve privacy incidents

Answer 71

The decrease of mean time to resolve privacy incidents

Question 72

If the IT engineers had originally set the default for customer credit card information to, “do not save”, this action would have been in line with what concept?

a. Use limitation
b. Privacy by Design
c. Harm minimisation
d. Reactive risk management

Answer 72

Privacy by Design

Question 73

What key mistake set the company up to be vulnerable to a security breach?

a. Collecting too much information and keeping it for too long
b. Overlooking the need to organise and categorize data
c. Failing to outsource training and data management to professionals
d. Neglecting to make a backup copy of archived electronic files

Answer 73

Collecting too much information and keeping it for too long

Question 74

How would a strong data lifecycle management policy have helped prevent the breach?

a. Information would have been ranked according to importance and stored in separate locations
b. The most sensitive information would have been immediately erased and destroyed
c. The most important information would have been regularly assessed and tested for security
d. Information would have been categorised and assigned a deadline for destruction

Answer 74

Information would have been categorised and assigned a deadline for destruction

Question 75

How was Pacific Suites responsible for protecting the sensitive information of its offshoot, PHT?

a. As the parent company, it should have transferred personnel to oversee the secure handling of PHT’s data
b. As a parent company, it should have performed an assessment of PHT’s infrastructure and confirmed complete separation of the two networks.
c. As the parent company, it should have ensured its existing data access and storage procedures were integrated into PHT’s system
d. As the parent company, it should have replaced PHT’s electronic files with hard-copy documents stored securely on site

Answer 75

As the parent company, it should have ensured its existing data access and storage procedures were integrated into PHT’s system

Question 76

What must Pacific Suite’s primary focus be as it manages this security breach?

a. Minimising the amount of harm to the effected individuals
b. Investigating the cause and assigning responsibility
c. Determining whether the affected individuals should be notified
d. Maintaining operations and preventing publicity

Answer 76

Minimising the amount of harm to the effected individuals