As a consequence of high-profile cyberattacks, the last few years have seen significant changes in how customer privacy and personal data are protected. After a prolonged period of negotiation, the European Union introduced the General Data Protection Regulation (GDPR) to strengthen that protection. The GDPR, which has applied since 25 May 2018 and is still in its infancy, is already raising the bar for the handling of personal data.
There are various steps you can take to protect your customers' privacy and, at the same time, protect yourself from potential legal action further down the line.
SSL certificates and HTTPS
TLS certificates (still commonly called SSL certificates) and the secure version of HTTP, known as HTTPS, have been the expected baseline since July 2018, when Chrome began labelling every plain-HTTP page as "Not secure". A certificate binds your domain name to a public key and is signed by a Certificate Authority (CA) that browsers already trust. When a visitor connects, the browser checks that the certificate chains up to a trusted CA, that it has not expired or been revoked, and that the name in it matches the site being visited. That is what stops an attacker from impersonating your site or silently routing traffic through a server of their own. If any of those checks fail, the browser displays a prominent warning and, by default, will not load the page.
A certificate is only one half of moving your website to HTTPS; the other is TLS encryption of the connection itself, which ensures that anything sent between a visitor and your server cannot be read or altered in transit. In the event of a man-in-the-middle interception the captured traffic is worthless without the session keys, which are never sent in the clear. Certificates and HTTPS will remain an integral part of protecting customer privacy going forward.
In a related development, Google launched the .app top-level domain in 2018, aimed at the app industry and mobile applications in particular. The whole TLD is on the HSTS preload list built into the major browsers, so a .app site can only ever be reached over HTTPS; there is no plain-HTTP fallback for an attacker to downgrade to. Mobile traffic will keep growing in the short, medium and long term, so HTTPS-only TLDs of this kind are a welcome step for the privacy of the many apps and sites we use today.
Request and retain minimal data
We have all signed up to websites that ask for an array of information: your date of birth, your mother's maiden name, your pet's name, your full address and more. Several of those are also the answers to common security questions elsewhere, so holding them is a liability rather than an asset. Online businesses should minimise the data they collect to what is actually needed to provide the service, which is also what the GDPR's data minimisation principle requires.
Ideally you should be able to destroy personal data connected to closed accounts, and transactional data as soon as the purchase is complete. In practice, legal obligations around the world (tax and accounting rules, for example) dictate how long some records must be kept. So define a retention period for each category of data, keep only the minimum, and keep it in a secure environment until that period expires.
Data privacy audit
Since the introduction of the new regulations, companies need to undertake a regular data privacy audit. This will clarify a number of issues, such as:
- What information the business actually requires
- What information it retains, and for how long
- Whether information is received and stored securely
- Whether the company fulfils its legal obligations
Organisations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of sensitive data (as well as all public authorities) must now appoint a Data Protection Officer, who is the first point of contact for regulators and oversees privacy complaints, data-subject requests and associated queries. Smaller companies would still do well to name someone responsible. In the years to come there is every chance we will see even tighter regulations regarding data privacy.
Malware is now a major problem because it is simple, effective and proven to be extremely lucrative for criminals. Attackers embed a malicious link or attachment in an email, and the code runs as soon as a recipient clicks the link or opens the file. There is a constant battle between cyber security companies and those on the other side of the fence. One member of staff introducing malware into your systems could cause havoc and put customer privacy at risk.
As a consequence, many e-commerce companies and individuals now place their online security and data protection in the hands of specialist third parties. The cyber security sector has grown enormously in recent years and this is likely to continue. As long as there are malware attacks and other fraudulent activity there will be a need for enhanced protection, and nowadays that may incorporate machine learning as security vendors try to stay one step ahead of the fraudsters.
Operate on a need-to-know basis
In years gone by, the majority of companies operating online gave broad system access to most of their employees. While that was convenient when employees switched roles, confidential data should be available strictly on a need-to-know basis, the principle security engineers call least privilege. This reduces the number of people who can reach confidential information, and with it the number of accounts an attacker can usefully compromise. Just as importantly, when every access is tied to a specific role and logged, it gives a far clearer audit trail in the event of fraudulent activity.
The need-to-know principle should extend to physical access to server rooms and to data storage and backup facilities. Allowing an employee to access information that is not part of their working remit is a risk with no upside. This may seem over the top, but think about the number of employees at larger companies, each of whom is a potential phishing victim or insider. Online businesses must put customer privacy first and foremost.
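Need-to-know is easiest to enforce when access is granted by role, denied by default, and every decision is recorded. The following is an added example written for this article, not code from the original page: a small role-based access controller for a hypothetical e-commerce back office. The roles, permissions and staff names are constructed for the example; the point is the shape of the control, which is deny-by-default authorisation plus an audit trail you can query when reviewing who can reach customer data or investigating suspected fraud.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role -> permission table for an e-commerce back office,
# constructed for this example. A permission is a (resource, action) pair.
# Anything not listed here is denied.
POLICY = {
    "support":  {("customer", "read")},
    "finance":  {("order", "read"), ("payment", "read")},
    "dpo":      {("customer", "read"), ("customer", "export"), ("customer", "erase")},
    "sysadmin": {("server_room", "enter"), ("backup", "restore")},
}


@dataclass(frozen=True)
class AuditEvent:
    when: str        # UTC timestamp
    actor: str
    resource: str
    action: str
    allowed: bool
    reason: str


@dataclass
class AccessController:
    """Deny-by-default authorisation with an append-only audit trail."""
    roles: dict                          # user -> set of role names
    audit: list = field(default_factory=list)

    def authorize(self, user: str, resource: str, action: str) -> bool:
        """Return True only if one of the user's roles grants (resource, action).
        Every decision, allowed or denied, is recorded."""
        allowed, reason = False, "no role grants this permission"
        for role in sorted(self.roles.get(user, set())):
            if (resource, action) in POLICY.get(role, set()):
                allowed, reason = True, f"granted by role '{role}'"
                break
        self.audit.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(),
            actor=user, resource=resource, action=action,
            allowed=allowed, reason=reason))
        return allowed

    def who_can(self, resource: str, action: str) -> list:
        """Users holding a role that grants the permission: the list to review
        when deciding whether too many people can reach confidential data."""
        return sorted(user for user, user_roles in self.roles.items()
                      if any((resource, action) in POLICY.get(r, set())
                             for r in user_roles))

    def denied_attempts(self) -> list:
        """Denied decisions, the first thing to pull when investigating fraud."""
        return [e for e in self.audit if not e.allowed]


if __name__ == "__main__":
    # Constructed staff list, not real data.
    ac = AccessController(roles={
        "alice": {"support"},
        "bob": {"finance", "sysadmin"},
        "carol": {"dpo"},
    })
    ac.authorize("alice", "customer", "read")    # allowed
    ac.authorize("alice", "customer", "erase")   # denied: support cannot erase
    ac.authorize("bob", "customer", "read")      # denied: finance never sees customer records
    ac.authorize("mallory", "customer", "read")  # denied: unknown user has no roles
    print("can erase customers:", ac.who_can("customer", "erase"))
    for e in ac.denied_attempts():
        print(f"DENIED {e.actor} {e.action} {e.resource}: {e.reason}")
```

Two design choices carry the security value: an unknown user or an unlisted permission falls through to a denial rather than an exception or a default allow, and denials are logged as carefully as grants, because repeated denied attempts are usually the earliest sign of an account being misused.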
Previously seen as overkill by many, the GDPR has in fact been well received by consumers on the whole. You will no doubt have come across companies that require you to confirm your privacy settings before you can access their services. Most offer a relatively small number of options, but there is a growing sense that Internet users now feel more in control. If they disagree with the options on offer they can simply leave and go elsewhere. Putting the power back into the hands of consumers is already making big businesses think again.
Creating plans in the event of a breach
You could look to some of the major internet giants for guidance on handling a breach, but sadly they are not always the best example. We have seen numerous breaches announced months, if not years, after the event, during which time the private data may have been compromised and sold several times over on the dark web. You should have a documented, rehearsed procedure in place for a data breach, so that all employees know what to do and customers are informed as soon as possible. Under the GDPR, a breach that is likely to put individuals at risk must be reported to the supervisory authority within 72 hours of becoming aware of it, and the affected individuals must be told without undue delay where the risk to them is high.
There are also ways of working with your hosting provider to mitigate the impact of a breach; encrypting stored data, so that a leaked database is useless without keys held elsewhere, is becoming a vital element of modern e-commerce safety. If regulators audit you they will ask to see your breach plans. In reality these plans will change over time, and you will react differently to different types of breach, but come what may you need procedures in place.
Confidence, confidence, confidence
Once customers begin to lose confidence in your services, and more importantly in the security of their data, it can be very difficult to win them back. A number of companies have never regained their former standing after a breach drained customer confidence. It is possible to rescue the situation if you inform customers quickly, take the relevant action on your side and tell them what to do on theirs. They won't be happy there has been a breach, but they will appreciate finding out before serious damage is done, and it gives them the chance to change their password anywhere they have reused it. Far too many people still use the same username and password across multiple websites.
There are growing legal obligations when it comes to the protection of customer data and privacy, but these are overshadowed by the moral obligation and by the need to maintain your customers' confidence. The key to a resilient data protection policy is to understand the risks, invest in mitigating them, and continuously monitor traffic and access to your networks. Money spent on security should be seen as an investment in the future, not a cost. If customers know you take their privacy seriously, why would they look elsewhere?