CIPP - 3rd Entry
This section addressed the privacy aspects of personal data uses and covered the range of data movement. It dealt with how data is transferred and transported in and out of an organization and among its subsidiaries, vendors and partners.
I felt that this lesson was more targeted as a reminder of the basic building blocks of what is included in a privacy policy. The speaker went through a company’s inventory of personal data assets and the steps necessary to go about establishing the organization framework for a comprehensive privacy information structure.
I could not easily relate to the first half of this lesson because it dealt more with the tactical strategies of creating a privacy plan within a corporation. The speaker spent the first half of the lecture on the importance of policy building blocks and how the process of company inventory needs to be engineered from a privacy perspective. I felt that this section was more applicable to seasoned privacy professionals that are more in tune with how their industry and companies guard PII.
The part that really resonated with me was the lesson related to vendor and contract management. In most of my law classes, a reoccurring topic is how attorneys can best limit or prevent liability for our clients. I was reminded of all the case readings that show how an ambiguous contract can leave clients exposed to being sued. The need for companies to have strong information security controls vis-à-vis their vendors when dealing with PII is a crucial part of a contract. The questions that need to be answered are too numerous for one article but include issues with audits, training and awareness, further use of shared information, use of sub-contractors, and the ability to exit a contract.
In my software and licensing drafting courses, we are constantly going over how the contract language can shift responsibility and liability onto a party. This section of the lecture reminded me of issues related to respondeat superior, which holds an employer responsible for the actions of employees performed within the course of their employment. Unless you specifically have an indemnity clause in your contract, a breach of PII by a vendor could have serious financial consequences for a company. It is crucial to have a proper vetting process of vendors and have a clear contract of liabilities in case of such contingencies.
Finally, did anyone else notice that the last three practice questions were misnumbered? It took me a while to realize this after going back and forth between the Practice Exam Key. Fortunately, I got the right answers after doubting myself for a while. I hope the IAPP fixes this on their next edition of the Training Course Book.