Exam CIPM All QuestionsBrowse all questions from this exam
Go to Exam
Question 80

SCENARIO -

Please use the following to answer the next question:

For 15 years, Albert has worked at Treasure Box – a mail order company in the United States (U.S.) that used to sell decorative candles around the world, but has recently decided to limit its shipments to customers in the 48 contiguous states. Despite his years of experience, Albert is often overlooked for managerial positions. His frustration about not being promoted, coupled with his recent interest in issues of privacy protection, have motivated Albert to be an agent of positive change.

He will soon interview for a newly advertised position, and during the interview, Albert plans on making executives aware of lapses in the company’s privacy program. He feels certain he will be rewarded with a promotion for preventing negative consequences resulting from the company’s outdated policies and procedures.

For example, Albert has learned about the AICPA (American Institute of Certified Public Accountans)/CICA (Canadian Institute of Chartered Accountants) Privacy Maturity Model (PMM). Albert thinks the model is a useful way to measure Treasure Box’s ability to protect personal data. Albert has noticed that Treasure Box fails to meet the requirements of the highest level of maturity of this model; at his interview, Albert will pledge to assist the company with meeting this level in order to provide customers with the most rigorous security available.

Albert does want to show a positive outlook during his interview. He intends to praise the company’s commitment to the security of customer and employee personal data against external threats. However, Albert worries about the high turnover rate within the company, particularly in the area of direct phone marketing. He sees many unfamiliar faces every day who are hired to do the marketing, and he often hears complaints in the lunch room regarding long hours and low pay, as well as what seems to be flagrant disregard for company procedures.

In addition, Treasure Box has had two recent security incidents. The company has responded to the incidents with internal audits and updates to security safeguards. However, profits still seem to be affected and anecdotal evidence indicates that many people still harbor mistrust. Albert wants to help the company recover. He knows there is at least one incident the public in unaware of, although Albert does not know the details. He believes the company’s insistence on keeping the incident a secret could be a further detriment to its reputation. One further way that Albert wants to help Treasure Box regain its stature is by creating a toll-free number for customers, as well as a more efficient procedure for responding to customer concerns by postal mail.

In addition to his suggestions for improvement, Albert believes that his knowledge of the company’s recent business maneuvers will also impress the interviewers. For example, Albert is aware of the company’s intention to acquire a medical supply company in the coming weeks.

With his forward thinking, Albert hopes to convince the managers who will be interviewing him that he is right for the job.

Based on Albert’s observations regarding recent security incidents, which of the following should he suggest as a priority for Treasure Box?

    Correct Answer: B

    Based on Albert’s observations regarding recent security incidents, it is crucial to address any gaps in privacy protection that may not have been identified by the prior internal audits. Employing a third-party auditor can provide an unbiased perspective and help uncover any overlooked issues, thereby improving the company's security measures and restoring trust amongst customers and employees. This would also ensure that the company meets or exceeds privacy standards, which is directly related to mitigating the impacts of recent security breaches.

Discussion
SsouravOption: D

it would be imperative for Treasure Box to ensure its capability to handle personal health information securely and in compliance with relevant regulations. The acquisition of a medical supply company introduces new potential risks and challenges, especially around the handling of sensitive health data. Therefore, evaluating the company’s capacity to handle this data securely (Option D) would be a proactive approach in ensuring they don't further erode trust or face potential regulatory backlash.

MaritzTeeOption: B

This recommendation directly addresses the security incidents by bringing in an external perspective to identify and rectify any privacy protection issues that may have been overlooked during internal audits. This can help restore trust and improve the company's security measures, ultimately safeguarding customer and employee personal data more effectively.

thecheaterzOption: B

The question is talking about recent security incidents. Not the potential healthcare acquisition

humhainOption: D

Evaluating the company’s ability to handle personal health information if the plan to acquire the medical supply company goes forward

DPRamoneOption: B

A third party audit could include the capability of handling PHI, thus constituting a more cpmprehensive solution than just going for D.

katizetiOption: B

In my opinion B

carlosbuiOption: D

should be D

[Removed]Option: D

Should be D

AdyyogiOption: B

B- because the subject is : Albert’s observations regarding recent security incidents.."