CCSP Question #250: Real Exam Question with Answer & Explanation

The correct answer is D: The cloud customer. Even with cloud provider negligence, the cloud customer is ultimately responsible for a PII data breach due to their ownership and governance accountability for the data.

Submitted by luis.pe· Apr 18, 2026Legal, Risk and Compliance

Question

Who is ultimately responsible for a data breach that includes personally identifiable information (PII), in the event of negligence on the part of the cloud provider?

Options

AThe user
BThe subject
CThe cloud provider
DThe cloud customer

Explanation

Even with cloud provider negligence, the cloud customer is ultimately responsible for a PII data breach due to their ownership and governance accountability for the data.

Common mistakes.

A. The "user" is a broad term, often referring to an end-user of the customer's services, and does not hold ultimate responsibility for organizational data breaches.
B. The "subject" refers to the individual whose PII was breached; they are the victim, not the responsible party.
C. While the cloud provider may be contractually liable for their negligence and may face fines or legal action, the ultimate responsibility for data ownership and regulatory compliance often rests with the cloud customer.

Concept tested. Shared responsibility model and data ownership

Reference. https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility

Topics

#Shared Responsibility Model#Data Breach Liability#PII Protection#Cloud Governance

Community Discussion

No community discussion yet for this question.

Full CCSP Practice Browse All CCSP Questions