P15. Data breaches

The company should publicly disclose information about its processes for responding to data breaches.

Elements:

  1. Does the company clearly disclose that it will notify the relevant authorities without undue delay when a data breach occurs?
  2. Does the company clearly disclose its process for notifying data subjects who might be affected by a data breach?
  3. Does the company clearly disclose what kinds of steps it will take to address the impact of a data breach on its users?

Definitions:

Clearly disclose(s) — The company presents or explains its policies or practices in its public-facing materials in a way that is easy for users to find and understand.

Data breach — A data breach occurs when an unauthorized party gains access to user information that a company collects, retains, or otherwise processes, and which compromises the integrity, security, or confidentiality of that information.

Notice / notify — The company communicates with users or informs users about something related to the company or service.

Indicator guidance: Companies should have clearly disclosed processes in place for addressing data breaches, including clear policies for notifying affected users. Given that data breaches can result in significant threats to an individual’s financial or personal security, in addition to exposing private information, companies should make these processes publicly available. Individuals can then make informed decisions and consider the potential risks before signing up for a service or giving a company their information. We expect companies to have formal policies in place regarding their handling of data breaches if and when they occur, and to make information about these policies and commitments public before a breach occurs.

Potential sources:

  • Company terms of service or privacy policy
  • Company security guide