Threat Notification

Criteria: The company notifies appropriate authorities and those affected when a data breach occurs.

Indicators

  1. The company will notify the relevant authorities without undue delay when a data breach occurs.
  2. The company clearly discloses its process for notifying data subjects who might be affected by a data breach.
  3. The company clearly discloses what kinds of steps it will take to address the impact of a data breach on its users.

Methodology for Assessing Each Indicator

1) The company will notify the relevant authorities without undue delay when a data breach occurs.

  • Obtain and review the company’s legal documents, particularly its privacy policy, usually available on the company’s website.
  • Look for information about how the company will respond to a data breach.
    • Note that the term “breach” is unique enough that doing a web search for it, confined to the website of the manufacturer, can be useful.
  • Most states require notification of a data breach to affected residents “as expediently as possible” while others require notification within a certain time frame, such as 45 or 60 days. In most cases, delay is permitted if it is in the service of ascertaining the scope of the breach and restoring the integrity of the affected systems.
  • If the legal documents indicate that the company will notify the relevant authorities within a timeframe that allows for investigation into and remediation of the breach, mark PASS.
  • If the legal documents indicate that the company will notify the relevant authorities but commit to no time frame for doing so, mark PARTIAL PASS.
  • If the legal documents contain no commitment to inform relevant authorities in the event of a data breach, mark FAIL.

2) The company clearly discloses its process for notifying data subjects who might be affected by a data breach.

  • Obtain and review the company’s legal documents, particularly its privacy policy, usually available on the company’s website.
  • Look for descriptions of the company’s data breach practices, particularly for notification of individuals affected by the breach (as opposed to notification of government authorities).
    • Note that the term “breach” is unique enough that doing a web search for it, confined to the website of the manufacturer, can be useful.
  • If the legal documents disclose how the company plans to act in the case of a data breach, including details about when and how individual data subjects will be informed of the breach, mark PASS.
  • If the legal documents do not clearly disclose the company’s process for responding to a data breach, mark FAIL.
    • Note that it is not enough for a company to simply state that affected data subjects will be informed. Some greater level of detail is required to pass this indicator.

3) The company clearly discloses what kinds of steps it will take to address the impact of a data breach on its users.

  • Obtain and review the company’s legal documents, particularly its privacy policy, usually available on the company’s website.
  • Look for descriptions of the company’s data breach practices, particularly regarding what the company will do in the event of a data breach to address the impact of a breach on its users.
    • Note that the term “breach” is unique enough that doing a web search for it, confined to the website of the manufacturer, can be useful.
    • Some examples of steps a company might take include paying for credit monitoring and restitution for any monetary losses due to the breach.
  • If the company’s legal documents describe what steps the company would take to address the impact of a data breach on users, mark PASS.
  • If the legal documents do not mention any steps the company would take to address the impact of a data breach on users, mark FAIL.