Richard needs to closely monitor the vendor in charge of creating the firm’s database mainly because of what?

SCENARIO

Please use the following to answer the next QUESTION:

Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia to help run his aging grandfather’s law practice. The elder McAdams desired a limited, lighter role in the practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and assesses the office’s strategies for growth.

Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to modernize the office, mostly in regard to the handling of clients’ personal data. His first goal is to digitize all the records kept in file cabinets, as many of the documents contain personally identifiable financial and medical data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/ printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing policy by the year’s end.

Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following day, to get insight into how the office computer system is currently set-up and managed.

Richard needs to closely monitor the vendor in charge of creating the firm’s database mainly because of what?
A . The vendor will be required to report any privacy violations to the appropriate authorities.
B . The vendor may not be aware of the privacy implications involved in the project.
C . The vendor may not be forthcoming about the vulnerabilities of the database.
D . The vendor will be in direct contact with all of the law firm’s personal data.

View Answer

Answer: D

Explanation:

The main reason why Richard needs to closely monitor the vendor in charge of creating the firm’s database is that the vendor will be in direct contact with all of the law firm’s personal data. This means that the vendor will have access to sensitive and confidential information about the law firm’s clients, such as their financial and medical data, which could expose them to identity theft, fraud, or other harms if mishandled or breached.

Therefore, Richard needs to ensure that the vendor follows the best practices of data protection and security, such as:

Signing a data processing agreement that specifies the scope, purpose, duration, and terms of the data processing activities, as well as the rights and obligations of both parties.

Implementing appropriate technical and organizational measures to protect the data from unauthorized or unlawful access, use, disclosure, alteration, or destruction, such as encryption, access control, backup and recovery, logging and monitoring, etc.

Complying with the relevant laws and regulations that govern the collection, use, transfer, and retention of personal data, such as the GDPR or other local privacy laws.

Reporting any data breaches or incidents to the law firm and the relevant authorities as soon as possible and taking corrective actions to mitigate the impact and prevent recurrence.

Deleting or returning the data to the law firm after the completion of the project or upon request.