CIPM Respond Flashcards
1
Q
4 respond principles
A
- information requests
- legal compliance
- incident response planning (IRP)
- incident handling
2
Q
requests: 2-layer response
A
leverage privacy governance structure:
- first-level/tier responders handle common questions
- privacy team and CPO handle the second level
3
Q
Negligence elements (when org fails to notify DS of breach)
A
- Duty of care of org to DS = duty to have system to detect unauthorised access (but system designed to protect network)
- Failure to meet standard of care of RPP
- Proximate cause (generally multiple causes)
4
Q
IRP responders
A
- IS - forensic investigation, delete embedded malware, correct vulnerabilities
- Legal - help limit liability from breach; advise on response to notification requirements (who, how, when)
- HR - information conduit to employees after breach
- Marketing - positive, consistent message during crisis; high-volume e-mail for notification
- Business development - relationship of trust with customers; notify key accounts
- communications and PR - media relations and coordination of internal/external messages
- union leadership - communication/coordination with union members
- Finance - calculate cost of breach responsibility and allocate necessary funds; arrange cyber insurance coverage
- President/CEO - held personally accountable; may publicly comment
- Customer care - may use these employees in breach response
5
Q
Privacy incident (breach) definition
A
any potential or actual compromise of PI in a form that facilitates intentional or unintentional access by an unauthorised third party
6
Q
escalation
A
internal process of employees alerting supervisors about an incident, who in turn report to a pre-defined list of experts
7
Q
IRP
A
- pre-notification process: determine whether incident constitutes a reportable breach
- isolate compromised system, contain damage, preserve electronic evidence, maintain chain of custody (legal and IT)
- consult legal to determine whether notification is required
- Elements of IRP:
  - contact stakeholders
  - timetable
  - progress reporting
  - response evaluation and modifications
8
Q
US fed govt (OMB) guidance re breach notification requirement
A
Cautions against notification when breach poses little or no risk of harm. To assess risk of harm, consider:
- nature of data elements breached
- number of individuals affected
- likelihood that information is accessible and usable
- likelihood that breach may lead to harm
- organization’s ability to mitigate risk