WhoIsFishie / Proposal-for-data-mishandling-act

This is a repo where devs can come together to brainstorm and create a proposal on how to handle Maldivian companies who mishandle user data
GNU General Public License v3.0

Major Violations #2

Open WhoIsFishie opened 9 months ago

WhoIsFishie commented 9 months ago

Discussion to decide which acts fall under a major violation.

WhoIsFishie commented 9 months ago

Not fixing a bug that causes the leaking of private user data within 90 days of reporting.

WhoIsFishie commented 9 months ago

Failure to Remediate Reported Security Bugs: Companies that receive reports of security vulnerabilities related to personal data handling must address these issues promptly. Failure to take corrective action within a specified period, such as 90 days from the date of reporting, shall be considered a violation.

Insecure API Usage: Companies should be held accountable for using insecure Application Programming Interfaces (APIs) for data handling. This includes APIs that lack proper authentication mechanisms, encryption, and access control, potentially exposing personal data to unauthorized parties.

Lack of SSL Certificates: Failure to implement Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates for data transmission, especially in cases involving sensitive personal data, should be considered a violation. This puts data at risk during transit.

Failure to Encrypt Data: Storing personal data without encryption is a violation. Companies should be required to encrypt data at rest and in transit to protect it from unauthorized access.

Data Retention Violations: Companies should establish clear data retention policies. Violations may occur if personal data is retained for longer than necessary without the consent of the data subject.

Inadequate Access Controls: Failing to implement appropriate access controls, such as role-based access or two-factor authentication, could lead to violations as it makes data more vulnerable to unauthorized access.

Data Misuse: Using personal data for purposes other than those specified during collection, or without the explicit consent of the data subject, should be deemed a violation.

Failure to Notify Data Breaches: Companies must promptly notify affected individuals and relevant authorities of data breaches. Failing to do so should be considered a violation.

Inadequate Employee Training: Companies should provide training on data security best practices to their employees. Violations may occur if employees mishandle data due to a lack of training.

Lack of Data Protection Impact Assessment (DPIA): In situations where processing operations are likely to result in a high risk to the rights and freedoms of individuals, failing to conduct a DPIA, where required, should be considered a violation.

Absence of Data Protection Officer (DPO): Companies subject to the requirement for a Data Protection Officer (DPO) but failing to appoint one or provide necessary resources and support for the DPO's role should be penalized.