Inform inability to identify users
Summary
The system must inform its users whenever it can demonstrate its inability to individually identify them using the information it has collected from them.
Description
Systems usually request information from their users or collect it based on their interactions with the application. Some regulations related to the collection of personal data are only applicable if users can be identified using this data. Whenever the system is unable to individually identify its users with the data it collects from them, and it can demonstrate this, it must inform them of this situation.
Supported In
This requirement is verified in following services
Plan | Supported |
---|---|
Machine | 🔴 |
Squad | 🟢 |
References
- GDPR-11_2. Processing which does not require identification
- PDPA-6A_26B. Notifiable data breaches
- CMMC-AU_L2-3_3_4. Audit failure alerting
- CMMC-CM_L2-3_4_8. Application execution policy
- HITRUST CSF-11_a. Reporting information security events
- ISA/IEC 62443-SI-3_7. Error handling
- NIST SSDF-RV_2_2. Assess, prioritize, and remediate vulnerabilities
- OWASP Top 10 Privacy Risks-P3. Insufficient data breach response
Vulnerabilities
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.