The company should clearly disclose information about its institutional processes to ensure the security of its products and services.
Elements:
- Does the company clearly disclose that it has systems in place to limit and monitor employee access to user information?
- Does the company clearly disclose that it has a security team that conducts security audits on the company’s products and services?
- Does the company clearly disclose that it commissions third-party security audits on its products and services?
Definitions:
Clearly disclose(s) — The company presents or explains its policies or practices in its public-facing materials in a way that is easy for users to find and understand.
User information — Any data that is connected to an identifiable person, or may be connected to such a person by combining datasets or utilizing data-mining techniques. User information may be either collected or inferred. As further explanation, user information is any data that documents a user’s characteristics and/or activities. This information may or may not be tied to a specific user account. This information includes, but is not limited to, personal correspondence, user-generated content, account preferences and settings, log and access data, data about a user’s activities or preferences collected from third parties either through behavioral tracking or purchasing of data, and all forms of metadata. User information is never considered anonymous except when included solely as a basis to generate global measures (e.g. number of active monthly users). For example, the statement, ‘Our service has 1 million monthly active users,’ contains anonymous data, since it does not give enough information to know who those 1 million users are.
Indicator guidance: Because companies handle and store immense amounts of information about users, they should have clear security measures in place to ensure this information is kept secure. We expect companies to clearly disclose that they have systems in place to limit and monitor employee access to user information. We also expect the company to clearly disclose that it has an internal security team that conducts security audits on its products and services, and that it commissions independent third-party security audits of those products and services as well.
Potential sources:
- Company privacy policies
- Company security guide