Exam CIPP-US All QuestionsBrowse all questions from this exam
Question 181

SCENARIO -

Please use the following to answer the next question:

You are the privacy manager at a privately-owned U.S. company that produces an increasingly popular fitness app called GetFit. After users create an account with their contact information, the app uses a smartphone and a system of connected smartwatch sensors to track users when they exercise. It collects information on location when users walk or run outdoors, as well as general health information (such as heart rate) during all exercise sessions. The app also collects credit card information for payment of the monthly subscription fee.

One Friday, the company's security team contacts you about the discovery of malware on their media server. The team assures you that there was no user data on this server and that, in any case, they found the malware before any damage could be done.

However, on Monday morning the security team contacts you again, this time with the information that they have discovered the same malware on the company's payments server. They suspect it likely that users' credit card information was taken by the attacker. By Monday evening, the situation has gotten dramatically worse, as the security team has also discovered this malware on the company's database server, an infiltration that gives the attacker access to users' profile, health and location information.

After coordinating with the security team, you are asked to meet with senior management and advise them on the company's obligations in connection with the incident. The Chief Financial Officer asks, "If we decide to notify all our users of this incident, are we obligated to provide any of them with a free credit monitoring offer?" The General Counsel wants to know if providing this notice and offer will help the company avoid liability.

What answer should be given to the Chief Financial Officer's question?

    Correct Answer: B

    In this scenario, the obligation to provide free credit monitoring is not automatically triggered because the data breach involved credit card information. Under U.S. state laws, the requirement to offer free credit monitoring is typically associated with breaches involving social security numbers and not simply credit card information. Therefore, since the impacted information did not include social security numbers, the company is not mandated to provide free credit monitoring.

Discussion
smp175Option: C

This is a terrible question, as it presents the options as black or white. The need to offer credit monitoring will vary by state law. Nonetheless, the FTC recommends offering credit monitoring if the breach includes financial information (and therefore it could *help* decrease liability/exposure). So I suppose C is best. But it may not strictly be necessary...

Ambulocetus

Regarding PCI DSS, there is no specific requirement for providing free credit monitoring in the event of a breach. The primary focus of PCI DSS is on securing payment card data and preventing breaches from occurring in the first place. While PCI DSS outlines security requirements to protect cardholder data, it doesn't mandate the provision of specific remedies like free credit monitoring.

BhimeshOption: C

C. "Yes