Cyber threats come from many sources, each looking to obtain personal information (PI) for benefit or exploitation. As intrusions become increasingly sophisticated, more regulatory and internal safeguards are needed in response.
Internet privacy is a subset of the larger world of data privacy that covers the collection, use, and secure storage of PI generally. Internet privacy is concerned primarily with how PI is exposed over the Web, through tracking, data collection, data sharing, and cybersecurity threats.
A Pew Research Institute study found that controlling PI on line is “very important” to 74% of Americans. According to another Pew study, 86% of Americans have taken action to maintain their privacy — deleting cookies, encrypting email, and protecting their IP address.
Digital footprints are everywhere. Every time you visit a website, enter your credit or debit card information, sign up for an account, give out your email, fill out online forms, post on social media, or store images or documents in cloud storage, you are releasing personal information into cyberspace. Just who, other than the intended recipient, will receive or have access to the information you provided? Will it be shared with other parties? Your PI may be shared in ways you don’t expect or are unaware of. Your information may be at some risk because even the best information security programs are not 100% guaranteed.
Internet privacy laws
The potential for breaches of online privacy has grown significantly over the years. There is no single law regulating online privacy. Instead, a patchwork of federal and state laws apply. Some key federal laws affecting online privacy include:
- The Federal Trade Commission Act (FTC)– regulates unfair or deceptive commercial practices. The FTC is the primary federal regulator in the privacy area and brings enforcement actions against companies. This includes failing to comply with posted privacy policies and failing to adequately protect personal information.
- Electronic Communications Privacy Act (ECPA)  - protects certain wire, oral, and electronic communications from unauthorized interception, access, use, and disclosure.
- Computer Fraud & Abuse Act (CFAA)  – makes unlawful certain computer-related activities involving the unauthorized access of a computer to obtain certain information, defraud or obtain anything of value, transmit harmful items, or traffic in computer passwords. The law has been in amended six times.
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act)  – governs sending unsolicited commercial email and prohibits misleading header information and deceptive subject lines. It also requires senders to disclose certain information, include a valid opt-out mechanism, and it creates civil and criminal penalties for violations.
- Financial Services Modernization Act (GLBA)  – regulates the collection, use, and disclosure of personal information collected or held by financial institutions and requires customer notices and a written information security program.
- Fair and Accurate Credit Transactions Act (FACTA)  – requires financial institutions and creditors to maintain written identity theft prevention programs.
Many states have also adopted laws affecting online privacy, for example, consumer protection statutes, laws that protect certain categories of PI, information security laws, and data breach notification laws.
In addition to complying with these laws and implementing robust information security programs, there are steps organizations can take to help mitigate cybersecurity threats.
How you are exposed and how to protect yourself online
Client, customer, and employee personal information in your possession can be subject to a data breach in a myriad of ways. E-mail addresses, banking, passwords, physical addresses, phone numbers and more can inadvertently find their ways to scammers, hackers, undesired marketers, and more. Most compliance and legal area employees have little idea how to go implement data protection from internet threats. What to do?
A threat playbook for your organization
One thing your organization can do is develop an Internet privacy quick reference playbook that is easily available to employees. It can provide threat and best practices to follow for your specific area:
Here are five of the most significant online threats to data privacy coming from the web and best practices to handle them:
- Unsafe web browsing practices
Many users don't scrutinize sites on which they find information. There are often signs that sites you visit can be malicious and ask for your PI: free offers, shortened URLs, pages socially engineered to trick users to set up an account and download malware from them.
What you can do
Keep your anti-virus up to date up to date. Use the most secure Internet browser -- Google Chrome or Microsoft Edge are the two best choices. Scan files with your anti-virus software before downloading. Don’t re-use passwords for multiple websites. Turn on your browser's pop up blocker.
- Cookies and web tracking
Cookies are files downloaded to your browser by a website that contain unique identifier data about the site. However, they don’t contain any personal information or software code. When a website "sees" the data it set in a cookie, it knows the browser is one that has contacted it before.
They can be useful for things like keeping your login information for a site so you don’t have to enter it again. Cookies can also be used to track your activities and capture your purchasing habits and then be shared with unwanted third parties affiliated with the site.
What you can do
Set your browser to delete cookies every time you finish browsing or set "opt out" cookies on your browser to cookies aren't allowed at all in your browser.
- IP address tracking
The COPPA Act specifically states that IP addresses are personal information since they are information about an identifiable individual associated with them. An Internet Protocol (IP) address is a numerical label behind the familiar web addresses we see every day. It identifies a device over the internet. Hacker often come through IP addresses as their first point of attack.
Undesirable parties may trace your PI by looking up your website address if it is listed in WHOIS, the central database containing all web addresses on the internet. Ownership information is readily available here.
What you can do
If you set up a website, you can request a private WHOIS listing from the database manager, Network Solutions. Their name, address and other ownership information will appear instead of yours.
When working on your personal computer, you can use a Virtual Private Network (VPN) tool. A good one is IP Vanish. You log into the VPN as an intermediary. After that point, your IP address is encrypted and goes through the VPN provider to the internet.
Employees or clients at home have “leased” IP addresses with their cable modem and ISP accounts. Your IP won’t change until you turn off your modem. Power it down as often as you feel the need.
- Using HTTP Instead of HTTPS Encrypted Web Server Connections
Personal data flowing between a user's machine and a website using plain HTTP protocol can be monitored by other companies or potentially intercepted and stolen by malicious hackers (often called the "man-in-the-middle"). That’s where Secure Sockets Layer(SSL) comes in.
What you can do
HTTPS or Secure Sockets Layer (SSL) encrypts information sent between a website and a user's machine. When purchasing or entering personal information on websites, always check for an “https://” or a padlock icon in your browser’s URL bar to verify that a site is secure before entering any personal information. When you see HTTPS instead of HTTP in your browser's address bar, you'll know it is a secure site!
If you're hosting a website, consider implementing SSL on your web server to ensure data privacy between you and customers. It will also help mitigate direct hacking threats. You will need to find a digital certificate authority (CA) such as Verisign to help set it up.
- The threat from the cloud
Cloud computing is the latest and greatest technological wave that brings up new issues for data privacy. This is especially true when you give up administrative and technological controls to an outside party. That in of itself is a major threat.
A cloud provider may be deficient in backup processes, security practices, employee controls, application interfaces & APIs to name just a few. Plus, you never know who has the "keys of the kingdom" to view all your data in there. Scary.
What you can do
Both you and the cloud provider are in charge of security, not just the latter. If you are storing data in cloud storage or using a cloud platform to host a website, there are a few things you want to consider:
- Find out from the provider who is in charge of each cloud security control.
- Train someone in the use of provider-provided identity and access tools so you can control yourself who has access to data and applications.
- Ensure the provider has all your data that is stored with them encrypted
- Major cloud providers all offer logging tools. Use these to enable self-security logging and monitoring to monitor any unauthorized access attempts and other issues.
A combination of government regulations and responsible individual practices can only thwart potential cyber threats not eliminate them. Your compliance & legal area can do its part by implementing comprehensive threat analysis and response measures.
Provide employee training on the administrative, technical, and physical safeguards for the handling of information