website investigation

potential threats to data

protection techniques & law

The first thing that any company that is planning on retrieving personal data via a website should do is perform a risk assessment. This will help them understand what exactly threatens their operation. Usually this consists of specialists identifying what the actual risks are and the probable outcome if a worst case scenario were to occur.

Hackers, in my opinion, are the main danger to eBuyer’s operation. eBuyer uses another company to address all their security needs. This company is a certificate authority (CA) called Thawte. They use the Secure Sockets Layer (SSL) protocol to provide all eBuyer’s customers with a safe connection for all business, including transactions. This technology makes sure that all the information that is sent between the customer and eBuyer is encrypted, ensuring that data cannot be intercepted or stolen while in transit. This protection technique solves the problem of data interception; it also gives the customer some assurance that the transactional process is safe and sound.

Hackers can also attack data when it is being stored in eBuyer’s database and web server. Therefore they must have installed a powerful hardware and software firewall solution. Firewalls are utilities that act like a filter. They check and process every external request and internal answer – incoming as well as outgoing. Hackers can make use of open ‘holes’ (ports) in the firewall to gain access to the data, therefore eBuyer’s firewall solution must be very advanced.
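The filtering behaviour described above can be shown as an added example (not part of the original coursework and not eBuyer's real configuration). It models a first-match firewall rule set with a default-deny policy and reports any port that an outside address can reach although it is not meant to be public. The rules, port numbers, addresses and function names are all constructed for illustration.

```python
import ipaddress

# Constructed rule set (first match wins); not eBuyer's real configuration.
# Each rule is (action, permitted source network, destination port).
RULES = [
    ("allow", "0.0.0.0/0", 443),    # HTTPS storefront, open to everyone
    ("allow", "0.0.0.0/0", 80),     # HTTP, open to everyone
    ("allow", "10.0.0.0/8", 3306),  # internal workstations to the database
    ("allow", "0.0.0.0/0", 3306),   # leftover test rule: the open 'hole'
    ("allow", "10.0.0.0/8", 22),    # internal administration only
]
DEFAULT_ACTION = "deny"  # anything no rule matches is dropped


def decide(rules, src_ip, dst_port):
    """Return the action of the first rule matching this inbound request."""
    src = ipaddress.ip_address(src_ip)
    for action, cidr, port in rules:
        if port == dst_port and src in ipaddress.ip_network(cidr):
            return action
    return DEFAULT_ACTION


def find_holes(rules, public_ports, probe_ip="203.0.113.10"):
    """List ports an outside address can reach that are not meant to be public.

    probe_ip is a documentation-range address standing in for any
    host on the internet.
    """
    ports = sorted({port for _, _, port in rules})
    return [
        p for p in ports
        if p not in public_ports and decide(rules, probe_ip, p) == "allow"
    ]


if __name__ == "__main__":
    for port in find_holes(RULES, public_ports={80, 443}):
        print(f"port {port} is reachable from outside but should not be")
```
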

Ebuyer also needs to protect the location where the data is stored on the inside. This can be done by the use of security guards, CCTV cameras and security swipe cards. Only authorised personnel should be allowed access to these restricted areas. All workstations within the company will be attached to a local area network, which in turn will be connected to customer data. Appropriate user names and passwords must be given to all who use these systems because of their links to personal information. These internal protection techniques will work if used correctly.

The law does also provide some defence…

…especially when protecting the integrity of data. Ebuyer must make sure that it follows the requirements of the Data Protection Act 1998. This piece of legislation should be well known to all organisations that collect data through their websites. The DPA is used primarily to protect an individual’s right to privacy. Within the DPA are eight principles that eBuyer must adhere to. Personal information must be:

  1. Fairly and lawfully processed.

    For the processing of personal data to be fair, eBuyer must collect their information directly from customers and always ensure that these individuals are aware of any other information needed to ensure fairness, taking into account the specific circumstances of the processing. This will include informing individuals of any disclosure of information about them to third parties, even including disclosure to any companies that are related business partners of eBuyer.

  2. Processed for specified purposes.

    Unless it is obvious, eBuyer must give information to individuals about the purposes for which they intend to process the personal data before they collect any data from them.

  3. Adequate, relevant and not excessive.

    Where information is to be used or disclosed for direct marketing purposes, eBuyer should provide individuals with the opportunity to prevent this. This will give their customers more choice in deciding what is or what isn’t excessive use.

  4. Accurate and, where necessary, kept up to date.

    All users must be able to access the information held about them quickly and be able to change any detail successfully. EBuyer grants their customers the ability to do this securely in the ‘customer’s account’ section of their website.

  5. Kept for no longer than necessary.

    Ebuyer must not hold on to any personal information about former customers if they no longer make use of their website. These records should be deleted.

  6. Processed in line with the rights of the individual.

    Each individual customer of eBuyer has the right to privacy, and all data has to be processed with this principle in mind.

  7. Kept secure.

    Ebuyer’s “Consumer Terms of Sale” clearly states the following under ‘Data Protection’: “The Supplier will take all reasonable precautions to keep the details of your order and payment secure but unless the Supplier is negligent, the Supplier will not be liable for unauthorised access to information supplied by you.”

  8. Not transferred to countries outside the European Economic Area unless there is adequate protection for the information.

    It should also be borne in mind that there may be more than one data controller involved in the collection of personal data via eBuyer’s website, particularly where banner advertising is placed by a third party, or where a third party provides a secure payment mechanism. In such cases all data controllers should be identified and eBuyer must make sure that all of them are located within the EEA.

The register…

In the DPA all organisations that hold personal data are required by law to register with the Information Commissioner and declare all the purposes for which they make use of the personal information. Failure to notify is a criminal offence for those required to do so. There are conditional exemptions from notification where personal data are only processed for certain core business purposes. These include advertising, some marketing and the keeping of accounts and records. The exemptions will not necessarily be lost because personal data is obtained through a website or used for marketing by electronic means. They are more likely to be lost through publishing personal data on a website. Ebuyer must be a registered data controller.

Distance selling regulations…

All of eBuyer’s business is done online and the products are sent via post. Therefore they must also abide by the Distance Selling Regulations. These regulations require that the customer is provided with sufficient information before and after the purchase. Also, goods must be delivered within 30 days unless agreed otherwise. Customers have a ‘cooling-off’ period that allows them to withdraw from the sale for up to seven days after the sale is made. Ebuyer must refund the customer if his or her credit card is used fraudulently.

Other protection eBuyer should provide…

As well as preventing data interception, unauthorised access and keeping the integrity of the data in check, eBuyer should also protect the data from more ‘physical’ threats. They should prevent accidental data loss by creating back-ups of all personal information daily and storing it in a separate protected area. This measure will also prevent any loss due to natural disaster or fire.
