SCENARIO
Please use the following to answer the next QUESTION:
Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used the
same vendor to operate all aspects of an online store for several years. As a small
nonprofit, the Society
cannot afford the higher-priced options, but you have been relatively satisfied with this
budget vendor, Shopping Cart Saver (SCS). Yes, there have been some issues. Twice,
people who purchased items from the store have had their credit card information used
fraudulently subsequent to transactions on your site, but in neither case did the
investigation reveal with certainty that the Society’s store had been hacked. The thefts
could have been employee-related.
Just as disconcerting was an incident where the organization discovered that SCS had sold
information it had collected from customers to third parties. However, as Jason Roland,
your SCS account representative, points out, it took only a phone call from you to clarify
expectations and the “misunderstanding” has not occurred again.
As an information-technology program manager with the Society, the role of the privacy
professional is only one of many you play. In all matters, however, you must consider the
financial bottom line. While these problems with privacy protection have been significant,
the additional revenues of sales of items such as shirts and coffee cups from the store
have been significant. The Society’s operating budget is slim, and all sources of revenue
are essential.
Now a new challenge has arisen. Jason called to say that starting in two weeks, the
customer data from the store would now be stored on a data cloud. “The good news,” he
says, “is that we have found a low-cost provider in Finland, where the data would also be
held. So, while there may be a small charge to pass through to you, it won’t be exorbitant,
especially considering the advantages of a cloud.”
Lately, you have been hearing about cloud computing and you know it’s fast becoming the
new paradigm for various applications. However, you have heard mixed reviews about the
potential impacts on privacy protection. You begin to research and discover that a number
of the leading cloud service providers have signed a letter of intent to work together on
shared conventions and technologies for privacy protection. You make a note to find out if
Jason’s Finnish provider is signing on.
What process can best answer your questions about the vendor’s data security
safeguards?