Versions Compared

...

In this noncompliant code example, security manager checks are performed in the constructor but are omitted from the writeObject() and readObject() methods used during serialization and deserialization. Because deserialization does not invoke the constructor, untrusted code can create instances of the class without ever passing the security manager check. Although the class is guarded by security manager checks, the data it holds is not sensitive; a serializable class holding sensitive data would violate SER03-J. Prevent serialization of unencrypted, sensitive data.
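The following added example (not code from the CERT page) shows the noncompliant shape beside the remediated one: the same check that guards the constructor is repeated in writeObject() and readObject(). The permission name "widget.create" and the Widget classes are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

final class Checks {
    private Checks() {}
    // Hypothetical permission name; a real deployment would use its own.
    static void requireCreatePermission() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new RuntimePermission("widget.create"));
        }
    }
}

// Noncompliant shape: the check runs only in the constructor. Deserialization
// bypasses constructors, so an instance can be rebuilt without the check.
class NoncompliantWidget implements Serializable {
    private static final long serialVersionUID = 1L;
    private final int value;

    NoncompliantWidget(int value) {
        Checks.requireCreatePermission();
        this.value = value;
    }
}

// Compliant shape: the same check is repeated in writeObject() and
// readObject(), so neither path can skip the security manager.
class CompliantWidget implements Serializable {
    private static final long serialVersionUID = 1L;
    private final int value;

    CompliantWidget(int value) {
        Checks.requireCreatePermission();
        this.value = value;
    }

    private void writeObject(ObjectOutputStream out) throws IOException {
        Checks.requireCreatePermission();
        out.defaultWriteObject();
    }

    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        Checks.requireCreatePermission();
        in.defaultReadObject();
    }
}
```

Note that SecurityManager is deprecated for removal since Java 17 (JEP 411), so on current JDKs the check is only a no-op unless a security manager is explicitly installed.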

...