Question 2
Domain 1: Data Collection, Use, Dissemination, and Destruction
Engineers discover that a third-party analytics SDK is capturing full password-reset URLs in application logs. What should the privacy technologist recommend first?
Correct answer: B
Explanation
Full password-reset URLs can expose sensitive tokens, so the first step is to stop the leakage by disabling or reconfiguring the SDK. Any secrets or tokens already captured in logs should be rotated because exposed credentials may be reused for account takeover.
Why each option is right or wrong
A. Do nothing until the next major release
B. Disable or reconfigure the SDK and rotate any exposed secrets or tokens
Under the GDPR, a password-reset URL containing a token is personal data and often a security credential; Article 5(1)(f) requires integrity and confidentiality, and Article 32 requires appropriate technical measures to prevent unauthorized disclosure. The immediate remediation is to stop the logging at the source by disabling or reconfiguring the third-party SDK, then invalidate and replace any reset tokens or other secrets already exposed, because a captured token can be replayed until it expires or is rotated.
C. Expand logging to more screens so the issue is easier to study
D. Move the logs to a cheaper storage tier