How much is your privacy and personal information worth to you? For hackers, that number is about $41.47 per hour in profit, totaling over $110 billion since 2010 (according to the password app company Keeper). $110 billion with a “b” – that’s how much hackers have stolen in just 7 years by breaking into databases and selling personal details.
If you think that’s a big number, check out just a few of the major data breaches over the last few years.
- 165 million accounts…. LinkedIn 2012
- 110 million accounts…. Target 2013
- 1.5 billion accounts…. Yahoo 2013 (1 billion) 2014 (500 million)
- 145 million users…. eBay 2014
- 360 million accounts…. MySpace, date unknown
- 143 million users…. Equifax 2017
(Needless to say, those numbers are staggering. For some perspective, the total population of the U.S. is 323.1 million.)
With breaches becoming more and more prevalent, we are seeing a growing number of protocols, standards and organizations striving to protect personal information and payment data for individuals worldwide. Read on to find out more about the standards and regulations you should be abiding by for the sake of your business, your website and your users.
PROTECTING PERSONAL DATA – THE GENERAL DATA PROTECTION REGULATION
The General Data Protection Regulation (GDPR) is a set of laws designed to strengthen personal data protection for citizens of the European Union (EU).
The regulations apply to any company that processes or stores the personal data of EU citizens no matter where the company or server is located. If your website has EU visitors or customers, you must make sure your website is compliant by May 25, 2018, or risk hefty fines.
Dubbed “privacy by design”, the legislation requires companies to adopt stringent measures that protect the personal identities of any EU citizen. While such initiatives have been in place in the EU since 1995, the biggest and most consequential change is how the new regulations will affect so many companies across the globe. Every company, regardless of its physical location, is required to abide by the GDPR if it processes, stores or handles personal data of any EU citizen. (Hint: if you have a WordPress website, this more than likely affects you. More on that below.)
Some of the other key GDPR privacy and personal data protection standards include the following policies:
If the website or company wants to use the personal data for any purpose other than the one for which it was originally provided, additional consent will need to be obtained from the individual. Once the data is no longer needed, it legally needs to be deleted. The idea is to limit how much personal data is being asked for and stored in an effort to increase personal privacy.
Control of Personal Data
Additionally, the GDPR gives individuals the right to withdraw consent at any time, thereby requiring websites to delete their data. Under the GDPR, the process of making this request and having their information wiped clean must be as easy as giving consent was initially. The idea is to give full control of personal data back to the individuals.
Notify Users of Data Breaches
In the event of a data breach, companies must notify both the local data protection authorities and the individuals affected within 72 hours of discovering it. Since some data breaches comprise personal information that can put individuals at risk, this clause was created to ensure a timely notification to those users.
Large Fines for Violations
The GDPR will define and enforce the processes for handling personal data. Supervisory Authorities around the globe will be set up to monitor and audit companies. Depending on the violation, organizations can face fines of up to 10-20 million euros, or 2-4% of their global revenues, whichever is greater. For a complete list of violations and penalties, see the GDPR FAQs page.
So, how can you and your business avoid violations and potential fines? With less than a year until GDPR goes into effect, the time to take action is now.
COMPLIANCE TIPS FOR ANY WEBSITE
While the US does not have the same protections in place (yet) for US citizens, if your site is built on WordPress, the odds of you having EU visitors are nearly 100%. The GDPR is working as a best practices model and potential guide in introducing stricter data protection rules across the globe, and the US might be next. Plus, why wait? Do it now and be ready. Protecting your clients and their personal information is the right thing to do for them and your business.
There are several preventative measures you can start putting in place now to ensure you are compliant:
- Maintain a secure firewall
- Use encryption – both on your network and on connected devices like laptops, cell phones and tablets (this protects your reputation and credibility in the event of a breach or a lost device)
- Keep your antivirus programs up to date
- Implement training programs in your company so everyone knows what protocols are in place and how to uphold them
- Use strong passwords, change them often and consider setting up dual-factor authentication
COMPLIANCE TIPS FOR WORDPRESS SITES
According to WordPress news, the ways a standard WordPress site collects user data can include:
- user registrations
- contact form entries
- analytics & traffic logs
- any other logging tool and plugin
- security tools and plugins
First, to understand how data on your site is processed and stored, check out the Security Audit Log plugin.
From there, you will need to create a detailed policy explaining what personal data you use, process and store, and then make this easily accessible to visitors. The next, and a little more daunting, task is figuring out a way to give your users a copy of the data you hold about them on your site. We believe by May 2018 there will be a plethora of plugins designed to solve this part of the puzzle, but you should start working on putting your own system in place, just in case. Another idea might be to avoid storing any personal data at all and, for example, direct your contact forms to your email instead.
In the event that a breach does happen, you will need to notify anyone who was affected. This can include any user that falls under the list above – a regular visitor, a commenter, someone on your email list, etc.
Finally, any plugins and tools you use on your WordPress site must be compliant with the GDPR or you run the risk of having the violation fall back on you and your site. If a plugin on your site collects data, it must follow the same rules as your site.
PROTECTING PAYMENT DATA – PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS
While the GDPR is focused on the protection of personal data, the Payment Card Industry Data Security Standards (PCI DSS) are the framework for protecting payment data. If you process credit/debit card payments or other electronic payments, you will fall under one of four PCI compliance levels based on your annual transaction volume. If you fail to comply and suffer a data breach, not only will you be looking at hefty fines ranging from $5,000-$500,000, you also run the risk of losing your merchant account or, in other words, your ability to process credit card payments.
The Digital Dozen
There are 12 PCI DSS requirements, aka the “digital dozen”.
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored data.
- Encrypt transmissions of cardholder data across open, public networks.
- Use & regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a security policy and ensure that all personnel are aware of it.
You might notice some overlapping themes when comparing them to the GDPR protections above. Again, everything goes back to ensuring you are using best practices to protect the personal and payment data of your users.
In order to evaluate your current compliance, check out the PCI DSS Self Assessment Questionnaire.
WHERE TO START?
It all starts with making sure you are using a PCI compliant web host. Since our humble beginnings, security has been of utmost importance to us at KartHost™. We partner with the best of the best to ensure your data and that of your customers – both personal and payment – is safe with us.
As the deadline draws nearer we will work to keep you updated and informed to help you protect your users and your business.
Still have questions? Contact us with any questions or concerns: 832-220-0040.