Inform inability to identify users
Summary
The system must inform its users whenever it can demonstrate its inability to individually identify them using the information it has collected from them.
Description
Systems usually request information from their users or collect it based on their interactions with the application. Some regulations related to the collection of personal data are only applicable if users can be identified using this data. Whenever the system is unable to individually identify its users with the data it collects from them, and it can demonstrate this, it must inform them of this situation.
Supported In
This requirement is verified in following services
Plan | Supported |
---|---|
Essential | 🔴 |
Advanced | 🟢 |
References
- GDPR-11_2. Processing which does not require identification
- PDPA-6A_26B. Notifiable data breaches
- CMMC-AU_L2-3_3_4. Audit failure alerting
- CMMC-CM_L2-3_4_8. Application execution policy
- HITRUST CSF-11_a. Reporting information security events
- ISA/IEC 62443-SI-3_7. Error handling
- NIST SSDF-RV_2_2. Assess, prioritize, and remediate vulnerabilities
- OWASP Top 10 Privacy Risks-P3. Insufficient data breach response
Vulnerabilities
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.