If you are working with web analytics, you need to be aware of your responsibilities, and of the risks you face.
Collecting and working with personally identifiable information means that you need to know what the law requires, and how to make sure that this information isn’t stolen from your systems.
There are some easy ways to protect yourself against the legal risks of non-compliance, and against hackers who want to steal the information you have collected. First and foremost, you should use web analysis software like Clicky that is GDPR compliant, and also ensure that you have in place data management tools for GDPR requests that store personal information securely.
Beyond these basic steps, there are also a number of techniques that you can use to harden your systems against intrusion. In this article, we’ll take a look at the legal responsibilities incumbent on companies that work with web analytics, and then show you how to protect your website from hackers.
As web analytics becomes standard practice for almost every online company, the databases that analytics software produces has become a major target for hackers. As a result, there have been many breaches of these systems in recent years.
Unfortunately, assessing who is responsible for these data breaches can be difficult. While national and international frameworks state that any company working with personally identifiable information is ultimately responsible for keeping it safe, the lengths to which companies must go in order to ensure this is less clear.
In a recent article, Josephine Wolff dissects “due diligence”, and posits that a company is only responsible for making decisions that reasonably ensure they meet their obligations under the law. This means that companies who use web analytics are responsible for following good software practices to keep their own systems secure. This involves keeping systems up to date with the latest security patches and also following the basic principles of secure data retention.
The consequences of not hardening your systems can be severe. The legal implications of falling victim to a hack are dependent on the country in which your company operates.
In the US, for instance, there are industry-specific guidelines on how certain organizations handle user data. The HIPAA and HITECH guidelines impose privacy standards on the ways the healthcare industry in the country can work with patient data, for instance, but organizations in other sectors come under far less stringent regulation. This is one of the reasons why hackers have recently taken aim at city governments, as these organizations typically don’t have the technical know-how to secure user data correctly.
More broadly, there are some international frameworks that most companies need to comply with. The Payment Card Industry (PCI) Security Council is a set of legislation that applies globally and regulates any company that processes credit card transactions. The gold standard at the moment, though, is Europe’s GDPR, ground-breaking legislation that gives European citizens rights over the way that companies process their data.
The GDPR (in particular) represents a huge legal risk for any company that works with web analytics. The legislation means that individuals can ask for a temporary cessation of all analytical activities that involve their data. If such a request is made, a company must immediately cease processing data on an individual, even if their data is just one tiny data point within a huge database generated by web analysis tools.
Beyond the legal risks that have been created with the GDPR, using web analytics also imposes a number of more technological risks on companies.
At the most basic level, this is because most companies today are running highly interconnected systems. This means that data collected via web analytics is connected to the other systems you use – including your website – in a complex (and sometimes highly insecure) way. In practice, this means that if your company is just starting to use web analytics, you need to harden your systems against intrusion, because the data you are collecting is a huge temptation for hackers.
Hardening your systems can be done in a variety of ways, but you should prioritize defensive measures that are able to protect you against a range of different cyberattacks.
Hardening your defenses in this way means thinking strategically about your systems and the way that they are connected together. In 2019, the idea of network segmentation seems slightly old-fashioned, but it is still a highly effective way of protecting your data from intruders. In fact, as companies have moved toward centralized cloud storage for all of their data, they have inadvertently helped out hackers: as William Ellis, founder of research firm Privacy Australia puts it, “as more of our personal information goes into the “cloud”, we become more interconnected but also much more vulnerable.”
The implication of this for companies working with web analytics is clear: if you are using analytical tools to collect huge amounts of personal information on website visitors, this should be stored separately from your other systems. In particular, all of the personal information you hold should be kept in ‘gapped’ servers that have secure connections with your other systems.
Not only is secure storage a legal requirement for companies working with personal information: storing data in this way is a necessity for any company that wants to avoid the catastrophic consequences of a major data breach.
The Bottom Line
As we’ve seen, almost all companies working with user data now need to ensure they are compliant with the GDPR (and other legislation relevant to their locality and sector). Not taking this seriously can have legal consequences, but it can also have even more damaging effects.
That’s because, if you are the victim of an attack that leads to a data breach, being sued might be the least of your worries. Customers lose trust after a data breach, and for many online companies trust is an integral part of their offer to their users. Protecting the data you hold, therefore, is as much about protecting your online reputation as it is about protecting the data themselves.