Navigating Data Responsibility

As we take a step back and think about how much the Internet has grown over the past 20 years, we realize how much content/data has been made available to everyone.

Moving forward, there’s no reason to expect data availability to slow down. In fact, insideBIGDATA claims:

There are many sources that predict exponential data growth toward 2020 and beyond. Yet they are all in broad agreement that the size of the digital universe will double every two years at least, a 50-fold growth from 2010 to 2020.

That’s a lot of growth.

As website owners, we have always had a responsibility to provide a safe experience for our audience who come to our websites. In addition, we also have an added responsibility to provide a safe haven for the data they trust us to hold onto.

Attackers are also getting smarter and their tactics are becoming more complex. So it’s important to understand one of the core reasons they may target your website–the data you’re collecting. Whether you’re a blog, a small college, or a healthcare clinic. Your data is a target.

As such, it’s your responsibility to protect the data you collect from an audience that is trusting you implicitly to do right by them. Think about the following questions:

What data am I collecting?
What compliances do I need to abide by to stay out of trouble?

We’ll start by addressing the first question. Bear in mind we’ll be focusing on data as it relates to web applications. However, these acknowledgments may also pertain to any network level hardware/software you’re deploying as well.

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is a category of sensitive information associated with an individual person, such as an employee, student, subscriber, or consumer. It is information that can be used to uniquely identify, contact, or locate an individual.

PII should be accessed only on a strictly need-to-know basis and handled and stored with care.

Social Security numbers are a type of PII, the legal requirements for protecting them are much more stringent than for other PII due to its sensitive nature as it can lead to serious attacks such as identity theft.

When it comes to website applications, one important factor to consider is that PII can come in many forms that we collect for email campaigns/webinar sign-ups, such as:

Email & home addresses
Phone numbers
Work-related information (employer, title, etc.)

As a webmaster, it’s critical that you do everything in your power to ensure that the PII that passes from the browser to the web server is properly encrypted via HTTPS.

We do have a helpful guide on installing your own SSL certificate here.

On a related note, this also means that we are complying with the requirements of the General Data Protection Regulation (GDPR). We personally collect only the data necessary for business and security purposes, which already puts us ahead of GDPR guidelines, by storing the minimum amount of PII in our proprietary systems and cache.

Student, Family, & Institutional Data

The Family Educational Rights and Privacy Act (FERPA) is one of the most important federal regulations in the educational sector. It aims at protecting the privacy of students data and that of their parents.

FERPA requires that all institutions funded by the federal government under programs administered by the U.S. Department of Education comply with certain rules and procedures with regard to maintaining and disclosing the student’s educational records. This includes grades, enrollment details, and even billing information that will associate with their tuition.

Failing to comply with FERPA can cause serious consequences as an educational institution that breaches FERPA may lose its federal funding.

Credit Card, PAN, and other Payment Card Industry Information

This would include credit/debit cards or other forms of payment with an individual’s personal account number (PAN), billing zip code, among other related details. This data is governed by the Payment Card Industry (PCI) Data Security Standard. You’re required to ensure this data abides by the 12 requirements the PCI DSS mandates. We have a working blog post series on PCI.

There are four levels of PCI compliance as mandated by the card issuers Visa and Mastercard. These are the definitions according to the volume of credit card transactions per year:

PCI Compliance Level 1: Over 6 million Visa and/or Mastercard transactions processed per year
PCI Compliance Level 2: 1 million to 6 million Visa and/or Mastercard transactions processed per year
PCI Compliance Level 3: 20,000 to 1 million Visa and/or Mastercard e-commerce transactions processed per year
PCI Compliance Level 4: Less than 20,000 Visa and/or Mastercard e-commerce transactions processed per year, all other companies that process up to 1 million Visa transactions per year

Protected Health Information

The Health Insurance Portability and Accountability Act (HIPAA) regulates Protected Health Information (PHI). This information is most likely found at health clinics and hospitals and can include the following:

Past, present, or future physical or mental health data of an individual.
Past, present, or future payment data for the payment of health care for an individual.

As the web grows, another aspect to consider is the Electronic protected health information (ePHI). It is defined as any Protected Health Information (PHI) that is created, stored, transmitted, or received electronically.

Researchers at educational institutions should be aware that health and medical information about research subjects may also be regulated by Health Insurance Portability and Accountability Act (HIPAA) in order to remain complaint there, on top of other Family Educational Rights and Privacy Act (FERPA) compliance standards.

If you are a webmaster working for a specific educational institution, please be conscious of the proper handling of this data. It’s common that public institutions may not be part of a centralized security network so storage and encryption of this data may fall on your shoulders.

Does Sucuri Help with Compliance?

We definitely do remain compliant with these security standards as we are not a data controller or processor. As such, we do not store data at rest with https. Our Sucuri CDN never caches logged in users and posts. This also means, by its very nature, that we’re a FERPA & HIPAA compliant solution.

In addition, we’re also a Level 1 PCI Certified Provider. If you have any questions, please don’t hesitate to email support@sucuri.net to retrieve a copy of our current Attestation of Compliance (AOC).

We touched on different data types and best practices in two webinars:

E-commerce Compliance: PCI meets GDPR