Last week, John Henry, JH CEO and Owner, along with Justin Molitoris, Barrett McNagny attorney, hosted a webinar on data security and privacy. A variety of topics were covered to help businesses learn about how to keep themselves and their customers protected.
The US privacy law framework is a patchwork. Unlike Europe, the US has no single federal law covering data security and privacy, so businesses must follow federal laws, state laws, industry standards, and contractual obligations in order to be compliant. At the federal level there are some industry-specific laws for finance, health, education and online activities. Beyond that, businesses must do what is reasonable for their business.
Businesses operating in, or engaging customers or users in, the state of California must follow CPRA regulations. California has the strictest state laws in the country, so if you meet the CPRA requirements you will be covered in all states. Illinois' Biometric Information Privacy Act (BIPA) has received some notice in the last couple of years, but has been in effect since 2008.
In addition to regulations from Federal and State, businesses must adhere to specific industry standards such as PCI compliance for those utilizing online payment card processing. More on this later.
There are two components to organizational compliance: a Website Privacy Notice (Website Privacy Policy) and an Internal Privacy Program. Let's take a look at each.
Website Privacy Notice (Privacy Policy)
The FTC and state attorneys general are empowered to enforce against "unfair and deceptive trade practices." Your privacy policy creates a contractual obligation with your site visitors. If you are not meeting what is stated, you are engaging in deceptive trade practices. If you are not being deceptive, but take no action to maintain and protect your site visitors' data (not acting reasonably), you are engaging in unfair trade practices.
Your online privacy policy should describe any data collection you are doing: what data you collect, what it is used for, how it is used and where it is stored. While you can find free form documents online, they will not be tailored to your business. If you have site visitors from California, your policy must contain the requirements of California law.
Internal Privacy Program
An internal privacy policy tells your organization and its employees how data is collected, stored, managed and accessed. It also details what happens during a breach. You'll need to determine who is responsible for these policies; this person (or people) will be in charge of implementing, updating and enforcing them.
An internal policy should cover reasonable administrative safeguards. This includes training employees on best practices, proper record-keeping, annual audits and vetting of service providers. Additionally, your policy should cover reasonable physical safeguards such as procedures for when team members leave the organization, what happens when a device with access is lost, procedures for changing passwords, and training team members to recognize abnormalities on their computers.
Basic Website Security Practices
There are a few basics you should follow for any website to ensure you are doing what is needed for secure transfer of information.
- Use an SSL certificate (What's an SSL?)
- A clearly outlined Privacy Policy and Terms of Use
- Maintain and update your hosting environment - the cheapest route is not the best route
Doing the basics means you are maintaining your reputation online. Earning a customer or visitor's trust is essential in an online world.
Ecommerce, the Next Level
If you have an ecommerce website you need to be doing more than the basics to ensure a secure website. You need to keep in mind:
- PCI Compliance - tokenization of credit card information is the safest way to ensure sensitive data is kept that way.
- Sensitive Data - basic information about a user could be considered sensitive in the user's mind.
- Convenience vs Liability - providing convenience to the end user shouldn't come at the cost of security. You are liable every step of the way so make sure you and the customer are protected.
- Data Storage & Encryption - encrypt passwords and other sensitive information every step of the way. Even if your database is breached, the encryption key should keep any bad actors from getting to your sensitive data.
- Hosting Infrastructure - a well maintained hosting environment patched with the latest security is a must.
- Customer Password Policies - educate customers on strong passwords. Using predictable passwords (dictionary words or Summer2022!) makes the customer more vulnerable. Consider making customers choose longer passwords or change their password regularly.
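The two password points above (storing passwords so a database breach does not expose them, and rejecting predictable choices like "Summer2022!") can be handled by a small module like the one below. This is an added example, not code from the webinar or from JH; it assumes a Python web backend and uses only the standard library. One caveat worth stating plainly: passwords specifically are stored as salted, deliberately slow hashes rather than reversibly encrypted, so there is no key for an attacker to find. The predictable-pattern list and the iteration count are constructed assumptions to be tuned for your own site.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Constructed sample of "predictable" shapes the post warns about: plain
# dictionary words (optionally with a digit/punctuation tail) and season+year.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty",
                "summer", "winter", "spring", "autumn", "fall"}
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}[!@#$%^&*.]*$",
                         re.IGNORECASE)
MIN_LENGTH = 12                 # assumption: minimum length policy for customers
PBKDF2_ITERATIONS = 600_000    # assumption: tune so a hash takes a noticeable fraction of a second


def password_weaknesses(password: str) -> List[str]:
    """Return the reasons a candidate password is weak; an empty list means acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Strip a trailing "2022!" style suffix so "Welcome1!" still matches "welcome".
    core = re.sub(r"[\d\W_]+$", "", password).lower()
    if core in COMMON_WORDS:
        reasons.append("dictionary word with a predictable suffix")
    if SEASON_YEAR.match(password):
        reasons.append("season+year pattern")
    return reasons


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Produce a storable record: algorithm, iteration count, random salt and PBKDF2-HMAC-SHA256 digest.

    The salt is unique per user, so two users with the same password get different
    records and a breached table cannot be attacked with one precomputed list.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking, via response timing, how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("Summer2022!", "correct horse battery staple"):
        print(candidate, "->", password_weaknesses(candidate) or "ok")
    record = hash_password("correct horse battery staple")
    print("stored:", record[:60] + "...")
    print("login ok:", verify_password("correct horse battery staple", record))
```

The weakness check runs at signup and password change; the stored record carries its own iteration count, so you can raise `PBKDF2_ITERATIONS` later and rehash users transparently on their next successful login.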
Rights of Users
The rights of users are important. Ensuring they have been given proper notice that details their right to know what information will be used is key. Users must also be able to request that their information be corrected or forgotten. A common practice, and one that is enforceable under various laws, is the right to opt out and opt in. Emails and text messages are the most prevalent channels for opt-in and opt-out. The CAN-SPAM Act covers users for emails.
As mentioned in the beginning, Europe has had user rights front of mind longer than the US. If you are doing business in Europe you must be GDPR compliant. Read about GDPR compliance here.
And don't forget about rights for children! A juvenile user must be opted in by an adult before data can be collected. Additional regulations are provided in COPPA. Read more about YouTube and COPPA here.
Back Up Your Data
Should the unfortunate happen and you do experience a security breach, having backups is more important than ever.
Basic (incremental) and full backups should be completed on a regular basis. A full backup can take some time, so plan ahead. Consider where your backups are stored. If a breach occurs you'll need to figure out when it occurred so you can restore to a point before it. If you are backing up infrequently this could be detrimental to your business. Ensuring your backups are actually working (no full disk, no failed cron jobs) is essential. These processes should be part of your internal game plan and managed by the person handling your Internal Privacy Program guidelines.
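The two checks this section asks for, "are the backups actually working" and "which backup predates the breach", are easy to automate. The script below is an added example, not part of the webinar or any JH tooling; it assumes backup jobs leave dated files whose size and completion time you can read, and the records, thresholds and breach time in it are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

GiB = 2 ** 30


@dataclass
class BackupRecord:
    name: str
    completed_at: datetime   # when the job finished, timezone-aware
    size_bytes: int          # 0 means the job left an empty file, i.e. it failed
    full: bool               # True for a full backup, False for a basic/incremental one


def audit_backups(records: List[BackupRecord], now: datetime,
                  max_any_age: timedelta = timedelta(days=1),
                  max_full_age: timedelta = timedelta(days=7),
                  free_bytes: Optional[int] = None,
                  min_free_bytes: int = 50 * GiB) -> List[str]:
    """Return human-readable findings; an empty list means the backup plan is healthy."""
    findings = []
    for r in records:
        if r.size_bytes == 0:
            findings.append(f"{r.name}: empty backup file (job probably failed)")
    good = [r for r in records if r.size_bytes > 0]
    if not good:
        findings.append("no successful backups at all")
        return findings
    latest = max(good, key=lambda r: r.completed_at)
    if now - latest.completed_at > max_any_age:
        findings.append(f"latest backup {latest.name} is {now - latest.completed_at} old "
                        f"(limit {max_any_age})")
    fulls = [r for r in good if r.full]
    if not fulls:
        findings.append("no successful full backup on record")
    else:
        latest_full = max(fulls, key=lambda r: r.completed_at)
        if now - latest_full.completed_at > max_full_age:
            findings.append(f"latest full backup {latest_full.name} is "
                            f"{now - latest_full.completed_at} old (limit {max_full_age})")
    if free_bytes is not None and free_bytes < min_free_bytes:
        findings.append(f"only {free_bytes // GiB} GiB free on the backup volume "
                        f"(minimum {min_free_bytes // GiB} GiB)")
    return findings


def restore_point_before(records: List[BackupRecord], breach_at: datetime) -> Optional[BackupRecord]:
    """Pick the newest successful backup that finished before the breach started."""
    candidates = [r for r in records if r.size_bytes > 0 and r.completed_at < breach_at]
    return max(candidates, key=lambda r: r.completed_at) if candidates else None


# Constructed sample: one full backup, one good incremental, one failed incremental.
UTC = timezone.utc
SAMPLE = [
    BackupRecord("full-2022-08-21", datetime(2022, 8, 21, 2, 0, tzinfo=UTC), 40 * GiB, True),
    BackupRecord("incr-2022-08-30", datetime(2022, 8, 30, 2, 0, tzinfo=UTC), 2 * GiB, False),
    BackupRecord("incr-2022-08-31", datetime(2022, 8, 31, 2, 0, tzinfo=UTC), 0, False),
]
SAMPLE_NOW = datetime(2022, 9, 1, 6, 0, tzinfo=UTC)

if __name__ == "__main__":
    for line in audit_backups(SAMPLE, SAMPLE_NOW, free_bytes=20 * GiB):
        print("FINDING:", line)
    point = restore_point_before(SAMPLE, datetime(2022, 8, 30, 12, 0, tzinfo=UTC))
    print("restore from:", point.name if point else "nothing usable")
```

In production you would build the records from the backup directory (file mtime and size) and pass `shutil.disk_usage(path).free` as `free_bytes`, then run the audit from the same scheduler as the backups so a silent failure is reported the next morning rather than discovered after a breach.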
Phishing and Passwords
Breaches can happen through two main channels: phishing and password issues. Phishing scams are those involving emails that look like they are from someone you know. Educating your employees and your vendors on your policies can help to limit your liability. When all else fails, never make a change, especially a financial one, based solely on an email; always follow up in person or by phone.
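The "looks like it is from someone you know" trick usually rests on a few header-level tells: a familiar display name on an outside address, a domain that is one character off from yours, or a Reply-To that points somewhere other than the From address. The checker below flags those so a mail gateway or a help-desk triage script can warn the recipient before they act. It is an added example, not code from the webinar or JH; the internal domain, the staff directory and the sample messages are constructed, and the lookalike threshold is an assumption to tune against your own mail flow.

```python
import difflib
import email
from email.utils import parseaddr
from typing import Dict, List, Set

# Constructed directory: lower-cased display names of people whose name would be trusted.
INTERNAL_DOMAINS: Set[str] = {"example.com"}
KNOWN_PEOPLE: Dict[str, str] = {"john henry": "john@example.com", "jane doe": "jane@example.com"}
LOOKALIKE_THRESHOLD = 0.8   # assumption: similarity ratio above which a domain is "close to ours"


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def sender_findings(from_header: str, reply_to_header: str = "") -> List[str]:
    """Return warnings about a message's From/Reply-To headers; empty list means nothing odd."""
    name, addr = parseaddr(from_header)
    domain = domain_of(addr)
    findings = []
    # 1. A colleague's name on an external mailbox (display-name impersonation).
    if name.strip().lower() in KNOWN_PEOPLE and domain not in INTERNAL_DOMAINS:
        findings.append(f"display name '{name}' matches a colleague but address {addr} is external")
    # 2. A domain that is nearly, but not exactly, one of ours (e.g. a swapped character).
    for internal in INTERNAL_DOMAINS:
        if domain != internal and difflib.SequenceMatcher(None, domain, internal).ratio() > LOOKALIKE_THRESHOLD:
            findings.append(f"sender domain {domain} looks like {internal}")
    # 3. Replies silently redirected to a different domain.
    if reply_to_header:
        _, reply = parseaddr(reply_to_header)
        reply_domain = domain_of(reply)
        if reply_domain and reply_domain != domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    return findings


def message_findings(raw: str) -> List[str]:
    """Parse a raw RFC 822 message and run the header checks on it."""
    msg = email.message_from_string(raw)
    return sender_findings(msg.get("From", ""), msg.get("Reply-To", ""))


# Constructed sample message of the "urgent payment change from the boss" kind.
SAMPLE_PHISH = """\
From: "John Henry" <john.henry.ceo@gmail.com>
Reply-To: accounts@examp1e.com
To: bookkeeper@example.com
Subject: Updated wire instructions

Please update the vendor bank details today.
"""

if __name__ == "__main__":
    for finding in message_findings(SAMPLE_PHISH):
        print("WARNING:", finding)
```

The warnings are advisory: the page's own rule still applies, and the point of surfacing them is to make the phone call happen before any change is made.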
We already mentioned customer password education, but this applies to your internal team, too. Use multi-factor authentication whenever possible. Ask yourself "is this a weak password?" when using a shared login. Make your WiFi password easy for guests but more difficult for internal network access, and change that password frequently.
Here is a good tool to check if your email has been part of a breach. We'd also recommend using a password manager and generator to ensure a strong password. And if you learned nothing else today, don't use the same password for everything!