<< Prev Question Next Question >>
Question 28/89
SCENARIO
Please use the following to answer the next QUESTION:
John is the new privacy officer at the prestigious international law firm - A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.
During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor - MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution. Furthermore, the off- premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.
Which of the following is a TRUE statement about the relationship among the organizations?
Please use the following to answer the next QUESTION:
John is the new privacy officer at the prestigious international law firm - A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.
During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor - MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution. Furthermore, the off- premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.
Which of the following is a TRUE statement about the relationship among the organizations?
Recent Comments (The most recent comments are at the top.)
The most accurate statement is B. MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP.
Here's why:
In this scenario, MessageSafe is acting as a data processor for A&M LLP. Even though MessageSafe is using Cloud Inc. as a sub-processor, MessageSafe remains responsible for the actions of its sub-processors. A&M LLP has a contract with MessageSafe, not Cloud Inc. Therefore, if Cloud Inc. mishandles A&M LLP's data, MessageSafe is the one that is contractually and legally liable to A&M LLP.
Let's look at why the other options are not necessarily true:
A. A&M LLP's service contract must be amended to list Cloud Inc. as a sub-processor: While it's good practice and often required by data privacy regulations (like GDPR) to identify sub-processors, it's not strictly a legal requirement in all cases. The primary contract is between A&M LLP and MessageSafe. The details of sub-processing are usually handled in separate agreements or addendums. The key is that MessageSafe is accountable.
C. Cloud Inc. must notify A&M LLP of a data breach immediately: Cloud Inc.'s contractual obligation is to MessageSafe. MessageSafe, as the primary processor, is responsible for notifying A&M LLP (as defined in their agreement and according to data breach notification laws). Cloud Inc. would notify MessageSafe.
D. Cloud Inc. should enter into a data processor agreement with A&M LLP: Cloud Inc. is a sub-processor to MessageSafe. The contractual relationship is between Cloud Inc. and MessageSafe. A&M LLP's data processor agreement is with MessageSafe, who then has its own agreement with Cloud Inc. A separate agreement between A&M LLP and Cloud Inc. is not typical and usually not necessary. The chain of responsibility is A&M LLP -> MessageSafe -> Cloud Inc....