
IAPP CIPP/US Exam - Topic 9 Question 7 Discussion

Actual exam question for IAPP's CIPP/US exam
Question #: 7
Topic #: 9

SCENARIO

Please use the following to answer the next QUESTION

When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low-level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.

Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.

When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.

Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.

What could the company have done differently prior to the breach to reduce their risk?

Suggested Answer: C

Contribute your Thoughts:

Freeman
4 months ago
Yup, a comprehensive policy could've saved them a lot of trouble!
upvoted 0 times
...
Willow
5 months ago
I think they should've been more proactive about security threats too.
upvoted 0 times
...
Sue
5 months ago
Wait, they still had data from the 80s? That's wild!
upvoted 0 times
...
Emogene
5 months ago
Totally agree! Access on a need-to-know basis is a must.
upvoted 0 times
...
Elvera
5 months ago
They definitely should've had stricter access policies in place.
upvoted 0 times
...
Dominque
5 months ago
I vaguely recall a practice question about communication of user preferences. It seems like that could have helped in managing customer data more effectively before the breach.
upvoted 0 times
...
Amie
5 months ago
I feel like the opt-in method for acquiring information was emphasized in our readings. It might have reduced the amount of unnecessary data collected in the first place.
upvoted 0 times
...
Emily
5 months ago
I’m not entirely sure, but I think addressing persistent threats could have helped. It’s something we discussed in class regarding proactive security measures.
upvoted 0 times
...
Eladia
5 months ago
I remember studying the importance of access controls in data security. Implementing a comprehensive policy for accessing customer information seems like a no-brainer to me.
upvoted 0 times
...
Justine
5 months ago
Hmm, I'm not sure about that. The Business process modeler might be a better fit since it can help model and test the actual business processes that will be affected by the upgrade.
upvoted 0 times
...
Erasmo
5 months ago
Whoa, this is a tough one. There are a lot of moving parts to consider - forecasting, supply, capacity, utilization. I'm a little unsure which one is the "most appropriate" focus. I'll have to re-read the question and options carefully and try to figure out the core issue they're getting at.
upvoted 0 times
...
Melinda
5 months ago
Okay, let me see if I can break this down. The question is asking how the Citrix ADC communicates the IP-to-MAC address changes to the network devices during a failover. I'm leaning towards Proxy ARP, but I'll double-check my notes to be sure.
upvoted 0 times
...
Linette
5 months ago
Hmm, I'm a bit unsure about this one. The wording is a bit tricky, and I want to make sure I understand the difference between these epidemiological measures before selecting an answer.
upvoted 0 times
...
Reynalda
5 months ago
I remember something about needing a proper route pattern to the DefaultZone to make external calls work. Is that related?
upvoted 0 times
...
Buffy
5 months ago
Okay, I think I've got it. If the CPUs are maxed out but the run queue is low, that means the system is likely waiting on something else, like memory or I/O. So the solution would be to add more CPUs to handle the workload, rather than just faster CPUs. I'm going with option B.
upvoted 0 times
...
