by Webnme on Sep 5th 2011
COPPA (Children’s Online Privacy Protection Act)
Web sites that collect information from children under the age of thirteen must comply with the Children’s Online Privacy Protection Act and related Federal Trade Commission regulations. If you are planning to collect information from children who are protected by this law and related regulations, you should read “Frequently Asked Questions about the Children’s Online Privacy Protection Rule” at http://www.ftc.gov/privacy/coppafaqs.shtm and “How to comply with Children’s Online Privacy Protection Act” at http://www.coppa.org/comply.htm. For questions about this law and related regulations, you may want to consult your own attorney.
Data and Security Breach Notification Laws
43 states have data breach notification laws that require companies to notify consumers whose personal information has been compromised. You can review these laws online via: http://www.csoonline.com/article/221322/cso-disclosure-series-data-breach-notification-laws-state-by-state. Aside from state laws, there is also pending federal legislation on data breach notification obligations.
What does this mean for you? If you are planning to collect and/or store any personal or customer information provided by visitors to your site, you may end up with a legal obligation to notify those people if their personal information is compromised. In addition, many states impose strict time limits on these notifications, requiring that they be issued within days of when the compromise is discovered. If you are planning on collecting or storing personal information, you definitely need to consult an attorney and work out a plan for how you would respond to a data breach situation.
Data in Transmission
If you plan to collect any personal or sensitive information, it is essential that your site use Secure Sockets Layer (SSL) to allow data to and from your site to be encrypted. Sites using SSL for encrypted data transmission have addresses that begin with “HTTPS” instead of the usual “HTTP”. Using SSL reduces the chances that data to and from your site may be intercepted by an unauthorized party and enhances the security of customer data.
While it is possible to use a self-signed certificate and have SSL for little or no cost, your visitors will see warnings that there is a problem with the website’s security certificate and that the site may be attempting to fool them or intercept any data they provide. This will generally result in customers backing away from your site. To avoid this, you will want to purchase an SSL certificate from a Trusted Certificate Authority, which may run you $2,000.00 or more.
Data at Rest – Storage
If you plan to store any personal or sensitive information that you would not make public, you need to make sure that your hosting arrangement provides you with encrypted data storage. Non-public data needs to be protected while it is in storage by using encryption. This applies to both the data on the web server and any back-up and local data storage. A failure to provide this level of protection may expose you to liability in the event data you control is compromised and exposed.
Data and Web Site Security
Data and web site security is your responsibility! As you plan your web site, you should continually ask your web developer how he/she is going to mitigate risks and make your site less vulnerable to exploits and attacks. For any new capability that you add to your site, whether it is a WordPress Theme, application, application plug-in, or script, you need to ask whether the new addition is going to add new risks and, if so, what is being or has been done to mitigate those risks.
If you plan to collect and store personal or sensitive information like credit card numbers, you may also want to engage a security consultant who can review your site’s code for vulnerabilities and if warranted, conduct penetration testing to see whether there are any vulnerabilities that can be exploited. It is better to learn from a consultant that you have hired than from an actual incident where you may incur liability for the loss of data.