A third-party provider caused an outage during remediation. What should the communication to the vendor focus on? If the primary audience is a legal/privacy stakeholder, which content choice is most appropriate?
Vendor communications should be factual and tied to obligations and remediation. The report should be tuned to the legal/privacy stakeholder while preserving factual accuracy.
Why this answer
Option D is correct because it provides a structured, factual communication that addresses the legal and privacy stakeholder's need for accountability, risk assessment, and contractual compliance. The timeline and evidence establish the sequence of events, service impact quantifies the breach of SLA, required corrective actions demonstrate remediation steps, and contractual follow-up triggers legal review of penalties or liabilities. This approach avoids speculation and focuses on verifiable data, which is critical for legal teams to assess regulatory obligations (e.g., GDPR breach notification timelines) and potential litigation.
Exam trap
CompTIA often tests the misconception that legal stakeholders need immediate public relations content or internal blame assignments, but the trap here is that legal teams require objective, evidence-based data to assess liability and regulatory compliance, not subjective or premature communications.
How to eliminate wrong answers
Option A is wrong because disclosing confidential unrelated customer data would violate data protection laws (e.g., GDPR Article 5) and is irrelevant to the vendor's outage; legal stakeholders need only data directly tied to the incident.
Option B is wrong because internal blame speculation is subjective, unverifiable, and could create legal liability or prejudice; legal teams require objective facts, not finger-pointing.
Option C is wrong because drafting a public press statement before internal legal review risks premature disclosure, misrepresentation, or admission of fault, which could harm regulatory defense or contractual negotiations.