This guest post is by Matt Setter of MaltBlue.com.
Do you run a web-based business and collect data about your customers? If so, do you have professional practices in place to ensure the protection of that information and the privacy of your customers? No? Then ask not for whom the bell tolls, as it tolls for you—Privacy Breach Notification Laws are here.
Before you scramble to fire off an email to your service provider to disable your ecommerce facilities or remove all forms from your blog, don’t. If you’re running a small site or a modest-sized mailing list and don’t collect any information on your visitors, then please don’t be alarmed.
However, irrespective of the scope of your online presence, please take a few minutes to get yourself up to date on what privacy breach notification laws are, and how they impact you.
Despite how much we love all things web, we know that it can be a bit of a wild west out there. We hear reports of security breaches at companies big and small, such as the recent ones at both LinkedIn and eHarmony. But do we stop to think just how much impact these breaches have, and what our legal obligations are?
What happens if the password that the person used for one hacked account was the same one they use for many other accounts, or all of them? What if the attack was particularly malicious and the attackers decided to comb the information and carry out subsequent attacks based on the identified information?
What if, as a result of the attack(s), a civil case was brought against you for the damages caused to one or more of your customers? Are you prepared to deal with the security breach or the consequent legal ramifications?
As I said, we love the web. I sure do. We love its convenience, simplicity and immediateness. But it comes at a price—one most of us haven’t considered in too much depth.
What are the laws?
Lucky for us, some people have. In 2002 the ball started rolling in California, with Senator Joe Simitian, who authored a bill to require that businesses notify customers when a successful breach of their security occurs. This bill was amended in 2011 to become even stronger.
The bill states:
“notification to affected California residents will need to include, at a minimum:
- The name and contact information of the reporting agency, person or business;
- A list of the types of personal information that were or are reasonably believed to have been the subject of the breach;
- The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a Social Security number or a driver’s license or California identification card number;
and, to the extent it is possible to determine at the time the notice is provided:
- The date of the notice and any of the following:
  - the date of the breach,
  - the estimated date of the breach or
  - the date range within which the breach occurred;
- Whether the notification was delayed because of a law enforcement investigation (if applicable); and
- A general description of the breach incident.”
You may be thinking this is just for California and it doesn’t relate to you because you live in Massachusetts or Washington. Or maybe you live outside the US, in Canada, Australia, New Zealand, the United Kingdom or elsewhere.
But you’d be wrong. If you’re outside the US, the situation’s potentially even tougher:
- In 2002 the European Union (EU) started enacting a series of directives that affect all member states, including the Data Protection Directive and the Directive on Privacy and Electronic Communications.
- Australia doesn’t have these same laws, but a recent study, reported on by the University of Canberra, indicates that the laws may be coming soon.
- New Zealand is set to overhaul its privacy laws through the course of 2012 and beyond.
It’s fair to say that if all these jurisdictions are moving in the same direction, a number of the others will likely follow suit—if they’re not already.
- Wikipedia page on security breach notification laws
- Wikipedia page on the Directive on Privacy and Electronic Communications
- Wikipedia page on the protection of personal data
- UK Information Commissioner’s Office page on privacy security breaches
- Compliance Focus page on Privacy Breach Notification Laws
- California bulks up security breach notification requirements
- Australians demand online data breach notification
- Privacy crimes make data breach notifications mandatory
- Privacy laws to be overhauled in NZ
- Information on the NZ Government’s review of privacy laws
What can you do?
While this is all concerning stuff, there are steps that you can take—from simple, right through to complex—to protect your site from security breaches. Perkins Thompson suggests a set of steps that we can use as a basis for putting our blogs in a good position.
Adopt “commercially reasonable” data security measures
Stay aware of security breaches that affect bloggers by keeping up to date on current events. Look for simple measures, such as plugins that help protect user accounts, whether on your blog or on your organization’s computer network.
Secure physical access to mobile computing and mobile storage devices
Don’t leave your laptops and phones lying around, as you likely have sensitive information on them. We all slip from time to time, so make sure you have a good password protecting access to them. Consider using 1Password, which provides secure protection of your passwords, accounts and sensitive information.
Limit the scope and duration of data retention
Do you need to keep all the information that you have? How long do you need to keep it for? If it’s no longer required, then consider getting rid of it.
Develop procedures to monitor and audit data security in your company
Whether your business is big or small, find a security vendor or consultant who you can talk with to assess your security needs. If necessary, consider a security audit.
Train and educate your employees, and follow your company’s data security policy or agreement
Ensure that all of your staff know that security is serious and are following the policies. Security doesn’t need to be draconian, but a normal matter of course.
Carefully select third-party providers
Consider cyber-insurance policies
Though insurance is an “after the fact” type of approach, it can be a good thing to have in case something goes wrong. UK insurance broker Chris Knight has this to say:
“Many businesses do not fully understand the risks associated with using the internet, but it is now possible to purchase cover for Cyber Liability and Privacy Breach Notification.
“These provide cover for legal action taken against the business in the cyber world and the cost of notification of any breach that may occur.”
Develop procedures to quickly respond to a data security breach
Even the best companies and organisations can be hacked—it’s a fact and we know it. But users often respond in a positive way despite this if the company responds in both a timely and professional manner. Consider implementing a set of procedures to respond to such a situation occurring on your blog.
How secure is your blog?
I appreciate that I may have caused a lot of concern and alarm by addressing this topic, and in part I apologise. But it’s better to be educated and prepared than to be caught off guard and fighting fires.
Are you prepared for a data breach to your site? Do you have adequate measures in place to respond should a breach occur? Share your thoughts in the comments. And if you’re keen to find out more, have a look at the resources listed above.
Matthew Setter is a freelance writer, technical editor and proofreader. His mission is to help businesses present their online message in an engaging and compelling way so they’re noticed and remembered.