Certified Information Privacy Technologist (CIPT) — Question 247
A Backup-as-a-Service (BaaS) provider backs up corporate data and stores it with an outside provider under contract with the organization. A researcher notifies the organization that he found unsecured data in the cloud. The organization looked into the issue and realized that one of its backups was misconfigured on the outside provider's cloud and the data was fully exposed to the open internet. The service provider quickly secured the backup. Which is the best next step the organization should take?
Answer options
- A. Review the content of the data exposed.
- B. Investigate using alternate BaaS providers or on-premise backup systems.
- C. Disconnect from the service and request a meeting with the outside provider.
- D. Notify the relevant regulatory authorities and any customers affected by this incident.
Correct answer: D
Explanation
The best next step for the organization is to notify the relevant regulatory authorities and any customers affected by this incident, as this aligns with compliance and transparency responsibilities. Reviewing the content of the exposed data (A) is important, but it does not address the immediate need for accountability. Investigating alternate providers (B) and disconnecting from the service (C) may be necessary long-term strategies, but they do not resolve the immediate issue of compliance and customer notification.