Cyber threats come from a variety of sources, each wanting to obtain personal information (PI) for profit or malicious ends. As intrusions become more sophisticated, additional regulatory and internal countermeasures are required.
The combination of physical and online monitoring has been found to have a detrimental impact on internet privacy. Internet privacy is a subset of data privacy, which covers the gathering, use, and safe storage of personal information. Internet privacy is primarily concerned with how personal information is displayed over the Web via tracking, data collection, data sharing, and cybersecurity risks.
The majority of Americans (74%) consider PI control online to be “very essential,” according to a Pew Research Center poll. According to another Pew survey, 86% of Americans have taken action to protect their privacy — deleting cookies, encrypting email, and changing their IP address.
You create a digital footprint every time you go online and do anything that requires you to input personal information, such as visiting websites, making purchases, signing up for accounts, filling out forms, or using cloud storage. What, besides the intended receiver, will get or have access to the information you supplied? Will it be disseminated among other parties? Your PI may be shared in unexpected ways. Because even the most secure information security practices are not completely guaranteed, your data may be at risk.
The laws surrounding internet privacy
As the internet becomes more integrated into our everyday lives, the potential for breaches of online privacy increases. These days, there is no overall federal law that regulates online privacy—instead, a combination of state and federal laws apply. Some key federal laws affecting online privacy include:
- The Federal Trade Commission Act (FTC)[1914]– The Federal Trade Commission is responsible for regulating unfair or misleading commercial practices. This means that if a company does not adhere to its posted privacy policy or fails to protect customer information, the FTC can take enforcement action against them
- The Electronic Communications Privacy Act (ECPA) [1986] – safeguards certain wire, oral, and electronic communications from unauthorized interception, access, use, and disclosure.
- The Computer Fraud & Abuse Act (CFAA) [1986] was created to prevent people from gaining unauthorized access to a computer to commit fraud or other crimes. The law has been amended six times since it was first enacted.
- The Children’s Online Privacy Protection Act (COPPA) of 1998 regulates websites and online service providers that collect personal information from minors under the age of 13. PrioBeforelecting any data, these entities must obtain verifiable parental consent. In addition, COPPA requires website operators to post a privacy policy, collect only necessary information, and establish reasonable security measures.
- The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), passed in 2003, sets guidelines for commercial email and prohibits 10:00 EST headers and misleading subject lines. In addition, senders must include valid opt-out mechanisms as well as their physical addresses. Finally, the CAN-SPAM act established civil and criminal penalties for violators.
- The Financial Services Modernization Act (GLBA) of 1999 regulates the collection, use, and disclosure of personal information held by financial institutions. It requires customer notices and a written information security program to protect this sensitive data.
- The Fair and Accurate Credit Transactions Act (FACTA), passed in 2003, requires financial institutions to have written identity theft prevention programs.
Many states have implemented legislation regulating internet privacy, including consumer protection statutes, protections for particular types of PI, information security laws, and data breach notification rules.
Organizations should also follow the recommendations in the previous section, including following the stipulations of these laws and establishing strong information security programs.
How to avoid being exposed and how to safeguard oneself online
Numerous ways exist for scammers, hackers, and others to access the personal information of your clients, customers, and employees. This can include email addresses, banking info, passwords, physical addresses, and phone numbers. Most compliance and legal teams lack the knowledge necessary to effectively protect this data from internet threats. So what should you do?
A threat playbook for your company
Having an easily accessible internet privacy quick reference playbook for employees is one way your organization can help mitigate potential threats. This will also provide best practices specific to your area that should be followed.
Here are five of the top online threats to data privacy and steps for dealing with them:
Unsafe surfing practices
Oftentimes, users don’t carefully inspect the sites they find information on. There are usually indicators that these types of sites can be malicious and ask for your personal information: free offers, shortened URLs, pages specifically designed to trick users into setting up an account and, downloading malware from them.
You don’t always need antivirus software, but it’s a good idea to use one. Keep your anti-virus software up to date. Google Chrome and Microsoft Edge are the two most secure Internet browsers. Before downloading any files, check them with your anti-virus program. For multiple websites, don’t reuse passwords. Pop-up blockers should be switched on in your browser if possible.
Cookies and internet tracking
Cookies are files downloaded to your browser by a website that has unique identifier information about the site. They do not, however, contain personal data or software code. When a website “sees” the data it set in a cookie, it knows it is obviously contacted it.
Cookies can make things like logging in to a site more convenient by storing your login information. However, cookies can also be used to track your activities and purchases without your consent, which is then shared with affiliates and other third parties associated with the site.
Options for you
Cookies are a common Internet tracking technology. They allow websites to remember your preferences and track your surfing activity, even if you close the browser or delete cookies. Cookies aren’t allowed at all in your browser unless you set it that way yourself.
Tracking of IP addresses
The COPPA Act encompasses IP addresses as a personal information because they identify an individual. According to the act, Internet Protocol (IP) addresses are numerical labels that devices use to connect over the internet. Furthermore, these addresses show up in WHOIS- a central database containing all web addresses on the internet- which undesirable parties may access to gain knowledge about you or your website.
Options for you
If you create a website, the database manager, Network Solutions, will provide you with a private WHOIS registration. Instead of displaying your name, address, and other ownership information, it will show that of the database shop.
You can employ a Virtual Private Network (VPN) tool while working on your personal computer. IP Vanish is a good one. You log into the VPN as an intermediary and encrypt your IP address. The internet then sends your IP address to the provider, who encrypts it before sending it back to you.
If you have an employee or client at home, they may have a “leased” IP address with their cable modem and ISP accounts. Your IP won’t change until you turn off your modem. Power it down as often as necessary to prevent any issues.
Using HTTPS Instead of HTTP for Secure Web Server Connections
Personal data transmitted between a user’s device and a website via plain HTTP protocol can be spied on by other companies or maliciously intercepted and stolen by hackers (often called the “man-in-the-middle”). That’s where the Secure Sockets Layer(SSL) comes in.
Options for you
When information is sent between a website and a user’s machine, it is secured using HTTPS or Secure Sockets Layer (SSL). Always verify that a site is secure by looking for an ” https://” or a padlock symbol in your browser’s URL bar to ensure that a site is secure before entering personal information. When you view the address bar of your browser and see HTTPS rather than HTTP, you’ll know it’s safe!
When hosting a website, data privacy between you and customers can be improved by implementing SSL on your web server. This will also help reduce the risk of direct hacking attempts. To set this up, you’ll need to find an appropriate digital certificate authority (CA), such as Verisign.
The cloud’s dangers
Cloud computing is a newer technology that has data privacy issues when users relinquish administrative and technological controls to an outside party. This is because Trust/Controls are major components of security. When you do not have control or knowledge over how your information is being stored, it creates opportunities for bad actors to access and misuse your data.
A cloud provider may be lacking in, among other things, backup procedures, security measures, personnel controls, application interfaces & APIs. Plus, you don’t know who has “the keys to the kingdom” and can look at all of your data. It’s terrifying.
Options for you
You and the cloud provider are both responsible for security. If you’re using a cloud platform to store data or host a website, consider the following:
- Find out who is in charge of each cloud security control from the provider.
- Someone must teach you how to use the provider-supplied identity and access solutions so that you can restrict who has access to data and applications.
- Check that all of your data is securely encrypted with the provider.
- All major cloud providers provide similar logging capabilities. To monitor any unlawful intrusions and other problems, utilize these to enable self-defense logging and monitoring.
While government regulations and individual responsibility can help reduce the number of potential cyber threats, they cannot eliminate all threats. Your compliance & legal department can do its part by implementing comprehensive threat analysis and response measures.