More than ever, protecting the data you collect from your website and services is critical to your business. Companies that have failed to protect user and customer data have been subject to audits, investigations, and fines, as well as a loss of customer confidence that can affect stock prices, company value and the bottom line.
The European Union, California and even China have passed privacy laws requiring companies to protect customer data and take reasonable steps to prevent unauthorized disclosure, access to or deletion of customer data.
European Union Approach to Data Protection
The European Union takes a holistic approach under the General Data Protection Regulation (GDPR), requiring general steps to keep data secure in Article 32 based on the kind of data collected:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- The pseudonymization and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
This means you must look at the data you collect and take proportional steps to protect such data on the site. Any data that identifies or refers to a person is protected, even if they work for another company. Further, there are special protections in place and restrictions on collecting “sensitive personal data” such as racial or religious data, biometric and healthcare information, membership in trade unions, political and philosophical beliefs and even sexual preference information.
Websites affirmatively offering services into the European Economic Area countries or with a physical presence there, processing data on behalf of companies that do either must comply with this requirement or be subject to fines of up to 40 million Euro or 4% of global revenue, whichever is greater. Websites or services that track the behavior of persons located in the European Economic Area are also subject to the jurisdiction of GDPR.
U.S. Approach
It is generally presumed that if you collect data on your website you will keep it safe. If you don’t, both the Federal Trade Commission and various state Attorney General offices will investigate you and possibly fine you. The Sarbanes-Oxley Act requires publicly traded companies to identify risks to data that could affect business or operations, including the conduct of their vendors (SOC reports can cost tens of thousands of dollars to put together). California has similar broad protections requiring companies that collect and sell data or collect data on children to protect that data.
Beyond the general protections, the United States approaches and regulated privacy on a sector by sector basis. For instance, healthcare information (and personal information) collected and shared with health care providers, doctors or insurance companies must be protected and kept private under the Healthcare Insurance Portability and Accountability Act (HIPAA). Similarly, the Financial Services Modernization Act (sometimes referred to as Gramm-Leach-Bliley) requires similar protections for financial services data.
Before you think that “my company or website is too small to have to do this,” remember that European Union data regulators and state consumer affairs offices are all staffing up regulatory teams to look into these matters. Also, remember that small players can cause major damage. The Target data breach, which resulted in the exposure of 40 million credit card accounts was caused by an air conditioner repairman who plugged an infected thumb drive into a Target HVAC system.
Simple Steps Toward Website Security
Here are a couple of suggestions to protect data on your website.
Vet Your Vendors. Poor choices in partners can hurt your business reputation. GDPR requires processors and controllers to be legally responsible for vetting their vendors to ensure compliance. California will have a similar law in place as of 2020. Make sure that your vendors provide you with copies of their security plans, data breach response plans and provide contractual assurances that they will live up to these documents.
Have Your Own Plan. The most determined hackers can get in anywhere, but you can mitigate damage with good practices and data breach plan. Keep your data secure with SSL and encryption. Use anti-virus programs, firewalls and test your systems for flaws regularly. Have a written document as to what your practices are and be prepared to share it with your business customers. It is also important to have a data breach plan. The GDPR and HIPAA and many states require notification of affected parties if there is unauthorized access, disclosure, alteration or deletion of customer data.
Learn and Keep Best Practices. In addition to GDPR, the U.S. has specific rules and regulations for protecting healthcare and financial data. This can include encryption, but can also require that you keep data segmented or tokenized (using a code to link to data as opposed to linking data to names or email IDs) to make sure that a hacker cannot get all the information they want to steal at once. If you keep names in one database and customer data in another on separate unconnected servers, the separate pieces are worthless unless they are paired together.
The IT industry also has standard practices. Update your patches as soon as they are released and learn about NIST cybersecurity and response standards as many large companies require compliance from their vendors in order for them to stay in line with SEC disclosure requirements under Sarbanes-Oxley. Consult with an attorney and make sure you stay compliant.
Keep Your Privacy Promises. Having a vague privacy policy or security policy that does not make clear that you protect data is as bad lying and not doing what you say you do. It also can violate unfair trade practice laws and bring investigations from the FTC and your state attorney general. Take the time to get to know your data flows and explain them to your users in a way that is easy to understand. Also If you change your privacy policy you are required to inform your customers.
Training Makes a Difference. Even if you have a secure system, the most common form of hacking comes from staff who accidentally give hackers access, not broad outside hacking attacks. Train your team regularly on cyber-hygiene to keep them up to date on how to avoid phishing (stealing passwords and introducing viruses through emails and links disguised to look at the legitimate website and communications). Show staff how to update their preferences to keep their systems secure and use passwords that are harder to guess.