If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information

through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories C age, income, ethnicity C that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.

If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?
A . The resulting obligation to notify data subjects would involve disproportionate effort.
B . The incident resulted from the actions of a third-party that were beyond their control.
C . The destruction of the stolen data makes any risk to the affected data subjects unlikely.
D . The sensitivity of the categories of data involved in the incident was not substantial enough.

Answer: B

Latest CIPP-E Dumps Valid Version with 157 Q&As

Latest And Valid Q&A | Instant Download | Once Fail, Full Refund

Subscribe
Notify of
guest
2 Comments
Inline Feedbacks
View all comments
Julie
Julie
3 years ago

Agree with Amy the answer is C.

The only reasons not to report to individuals are: a) prior implementation of appropriate technical and organizational measures rendered the personal data unintelligible or encrypted b) post breach actions greatly reduce the risks to the rights and freedoms of the data subjects c) individual notice requires disproportionate effort (public notification required) but these are to the individual not the DPA.

They should still report but B the post actions taken is the most applicable at this point. There’s no mention of it being an external party. If they become aware of it and it poses a risk to the individuals they need to report it.

Amy
Amy
3 years ago

B isn’t a valid reason to not report the breach to the SA. It’s C or B, more likely C . The destruction of the stolen data makes any risk to the affected data subjects unlikely.