Protect Data – Privacy

by Webnme on Sep 5th 2011

Data Protection and Privacy

Privacy

Your web site should have an easily accessed privacy policy that states what information you collect and how it is used.  Web sites without a privacy policy may be inaccessible to potential visitors who run filtering software that checks whether a site has a privacy policy in place before allowing access.

If you plan to include ads, you should be aware that the Terms of Service (TOS) for the advertising broker will require that you have a privacy policy.  If you use AdSense, for example, you must have a very carefully worded Privacy Policy using language specified by AdSense on your web site.  The TOS also require that the privacy policy be linked to every page.  (You can see how this is done and a sample of the privacy policy at http://blog.webnme.com.)   Many web sites place a link to their privacy policy at the bottom of each page near the copyright notice.  A failure to have an acceptable privacy policy can get you dropped from advertising programs and it can be extremely difficult to be reinstated.

COPPA (Children’s Online Privacy Protection Act)

Web sites that collect information from children under the age of thirteen must comply with the Children’s Online Privacy Protection Act and related Federal Trade Commission regulations.  If you are planning to collect information from children who are protected by this law and related regulations, you should read “Frequently Asked Questions about the Children’s Online Privacy Protection Rule” at http://www.ftc.gov/privacy/coppafaqs.shtm and “How to comply with Children’s Online Privacy Protection Act” at http://www.coppa.org/comply.htm.  For questions about this law and related regulations, you may want to consult your own attorney.

Data and Security Breach Notification Laws

43 states have data breach notification laws that require companies to notify consumers whose personal information has been compromised.  You can review these laws online via:  http://www.csoonline.com/article/221322/cso-disclosure-series-data-breach-notification-laws-state-by-state.   Aside from state laws, there is also pending federal legislation on data breach notification obligations.

What does this mean for you?  If you are planning to collect and/or store any personal or customer information provided by visitors to your site, you may end up with a legal obligation to notify those people if their personal information is compromised.  In addition, most states require that notification be made without unreasonable delay, and some set a fixed deadline measured in days or weeks from the time the compromise is discovered.  If you are planning on collecting or storing personal information, you definitely need to consult an attorney and work out a plan for how you would respond to a data breach before one happens; the deadline clock does not wait while you decide who to call.

Data Encryption

Data in Transmission

If you plan to collect any personal or sensitive information, it is essential that your site use SSL/TLS (most people still say “SSL”, although modern browsers use its successor, TLS) so that data to and from your site is encrypted.  Sites using it have addresses that begin with “https://” instead of the usual “http://”.   TLS encrypts the traffic in both directions and, through the server certificate, lets the visitor’s browser confirm that it is talking to your site rather than an impostor.  Together these reduce the chance that customer data is intercepted or altered in transit by an unauthorized party.

While you can issue yourself a self-signed certificate at no cost, browsers will warn your visitors that there is a problem with the web site’s security certificate and that the site may be attempting to fool them or intercept the data they provide.  The warning appears because no certificate authority the browser already trusts has vouched for your certificate, and it will generally result in customers backing away from your site.  To avoid this, obtain a certificate from a Certificate Authority that browsers trust.  A domain-validated certificate costs tens of dollars a year and some CAs issue them free; extended-validation certificates, which show the company name in the browser, run to several hundred dollars a year.

Data at Rest – Storage

If you plan to store any personal or sensitive information that you would not make public, you need to make sure that your hosting arrangement provides you with encrypted data storage.  Non-public data needs to be protected while it is in storage by using encryption.  This applies to both the data on the web server and any back-up and local data storage, including copies on laptops and removable media.  Be clear about what storage encryption does and does not do: it protects the data if a disk, backup or laptop is lost or stolen, but an attacker who takes control of the running application reads the data in the clear, because the application must decrypt it to work.  Keep the encryption keys separate from the data they protect and limit which accounts can read the decrypted data.  A failure to provide this level of protection may expose you to liability in the event data you control is compromised and exposed.
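Backups are the copy of your data most likely to leave your control, so they are the obvious place to start.  The script below is an added example, not code from the original post: it encrypts a constructed customer export with a key kept apart from the backup, restores it, and shows that the encrypted copy no longer reveals the customer data.  The file names and the sample rows are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: encrypting a backup so
# that a copy lifted from storage is useless without the key. The CSV rows
# are constructed for the demonstration; openssl is the only tool used.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of the kind of data a site backup might hold.
cat > "$WORK/customers.csv" <<'EOF'
id,name,email
1,Alice Example,alice@example.test
2,Bob Example,bob@example.test
EOF

# A random 256-bit secret. In real use it must live somewhere other than the
# backup medium (operator workstation, hardware token, key management service);
# a key stored beside the ciphertext protects nothing.
openssl rand -hex 32 > "$WORK/backup.key"
chmod 600 "$WORK/backup.key"

# encrypt_backup PLAINTEXT CIPHERTEXT: AES-256-CBC with a PBKDF2-derived key and
# a fresh random salt, so two backups of the same file give different output.
encrypt_backup() {
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$WORK/backup.key" -in "$1" -out "$2"
}

# decrypt_backup CIPHERTEXT PLAINTEXT: the restore step, needing the same key file.
decrypt_backup() {
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/backup.key" -in "$1" -out "$2"
}

# contains_email FILE: "yes" if a customer e-mail address is readable in FILE,
# which is what a thief with a copy of the file would look for.
contains_email() {
  if grep -q 'alice@example.test' "$1"; then echo yes; else echo no; fi
}

# backup_roundtrip: encrypt, restore, and report "ok" if the copy is byte-identical.
backup_roundtrip() {
  encrypt_backup "$WORK/customers.csv" "$WORK/customers.csv.enc"
  decrypt_backup "$WORK/customers.csv.enc" "$WORK/restored.csv"
  if cmp -s "$WORK/customers.csv" "$WORK/restored.csv"; then echo ok; else echo mismatch; fi
}

echo "round trip:           $(backup_roundtrip)"                          # ok
echo "plaintext readable:   $(contains_email "$WORK/customers.csv")"      # yes
echo "ciphertext readable:  $(contains_email "$WORK/customers.csv.enc")"  # no
```

Two caveats.  First, `openssl enc` gives confidentiality only; nothing detects a tampered backup, so for production use prefer a tool that authenticates the ciphertext (GnuPG or age, for example).  Second, test the restore step as part of your breach plan: an encrypted backup whose key has been lost is a second data-loss incident, not a recovery.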

Data and Web Site Security

Data and web site security is your responsibility!  As you plan your web site, you should continually ask your web developer how he or she is going to mitigate risks and make your site less vulnerable to exploits and attacks.  For any new capability that you add to your site, whether it is a WordPress theme, application, application plug-in, or script, ask whether the addition introduces new risks and, if so, what has been or is being done to mitigate them.  Remember that a plug-in runs with the same access as the rest of your site, so a vulnerability in one exposes everything the site can reach, and a plug-in that no longer receives updates is a liability even if it was safe when you installed it.

If you plan to collect and store personal or sensitive information like credit card numbers, you may also want to engage a security consultant who can review your site’s code for vulnerabilities and, if warranted, conduct penetration testing to see whether any of them can be exploited.  Storing card numbers also brings you under the Payment Card Industry Data Security Standard (PCI DSS), so consider handing payments to a processor so that card numbers never touch your server at all.  It is better to learn from a consultant that you have hired than from an actual incident where you may incur liability for the loss of data.

About Webnme

The developer's first experience with computers was with Fortran IV. Wow that's ancient. After graduate school, he taught history for a number of years at a community college before attending law school and becoming an attorney. In 1997 he changed careers to become a web developer/designer with an interest in all things web related. He currently maintains several dozen websites including a family of websites for a non-profit corporation that gets over five million page views monthly. This is his developer website. The opinions expressed are his own.

Copyright © 1999-2015 - WEBnME Developers | Privacy Policy | Read My Blog
