How The Cookie Crumbles

Cookies have been and continue to be an essential part of how we use the internet. In essence, cookies are small files created by websites you visit that are saved on your computer. The files contain information on what websites you visit and how you interact with those sites.

This might make any privacy-minded person pause. Why should we allow websites to create records of what we do online? Well, the answer isn’t so straightforward. Not all cookies are created equal. Some forms of cookies are essential to what we’ve come to expect from our online experience. Others are a little more suspect.

First-Party Cookies

In general, first-party cookies are there to make our online experience easier and more convenient. They’re used by individual websites, and store information so you don’t have to re-identify yourself every single time you use a site. They allow you to stay logged into websites as you navigate between pages and visits to those sites. They save your location so you can quickly check the weather in your area or buy movie tickets without having to re-enter your information every time you use those sites.

In short, we rely on first-party cookies every time we visit a website. They’re essential to how we use the internet and don’t necessarily present a risk to your privacy online.

Third-Party Cookies

Third-party cookies, on the other hand, are a different story. Unlike first-party cookies, these cookies track your movements between websites. These types of cookies are not created by the website you’re visiting, but by a third party whose code is on that site. This could come from plug-ins, or, as is more often the case, from advertising platforms. These cookies can then keep track of your movement between any websites that feature this third-party code.

Because they are not limited to your interaction with one specific website, they can be used to construct a much larger and more detailed profile of not only your online presence, but also your personal characteristics, spending habits, and lifestyle.

Taking Control of Your Cookies

Because cookies are such an important part of how we interact with websites, blocking all cookies is unnecessary and will make using sites far more inconvenient. However, depending on your level of comfort, there are steps you can take to have more control over which cookies websites are using.

  • One option is to change your browser’s privacy settings to ask permission before accepting cookies for all websites. You can choose which websites save cookies depending on your level of trust and how frequently you use those sites.
  • Most browsers also give you the option to only block third-party cookies. This will still allow individual websites to save information about how you use their sites but will stop entities from tracking your movement across the web. There are also several ad-blocking extensions you can use that will remove advertising code from websites when you visit them, effectively blocking those third parties from saving cookies on your computer.
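
The difference between first-party and third-party cookies described above, and the effect of the "block third-party cookies" setting, can be replayed in a few lines. This is an added example, not part of the original article; the host names are constructed, and the "last two labels" rule for deciding what counts as the same site is a simplifying assumption.

```javascript
// Constructed sample: pages visited and the hosts whose code each page embeds.
const visits = [
  { page: "news.example",    embeds: ["news.example", "ads.tracker.test"] },
  { page: "shop.example",    embeds: ["cdn.shop.example", "ads.tracker.test"] },
  { page: "weather.example", embeds: ["weather.example", "ads.tracker.test"] },
];

// Simplification (assumption): the "site" is the last two host labels. Real
// browsers consult the Public Suffix List so that e.g. co.uk is handled correctly.
const site = (host) => host.split(".").slice(-2).join(".");

// A cookie is first-party when the host setting it belongs to the same
// site as the page in the address bar, and third-party otherwise.
function classify(pageHost, cookieHost) {
  return site(pageHost) === site(cookieHost) ? "first-party" : "third-party";
}

// Replay the visits with a per-host cookie jar and record, for every
// embedded host, the pages on which it saw the same cookie ID.
function replay(visits, { blockThirdParty = false } = {}) {
  const jar = new Map();       // cookie host -> ID stored by the browser
  const sightings = new Map(); // cookie host -> pages linked by that one ID
  for (const { page, embeds } of visits) {
    for (const host of embeds) {
      const kind = classify(page, host);
      if (kind === "third-party" && blockThirdParty) continue; // nothing stored or sent
      if (!jar.has(host)) jar.set(host, `id-${jar.size + 1}`);
      if (!sightings.has(host)) sightings.set(host, []);
      sightings.get(host).push(page);
    }
  }
  // A host that ties more than one site to a single ID can track across sites.
  return [...sightings]
    .filter(([, pages]) => new Set(pages.map(site)).size > 1)
    .map(([host, pages]) => ({ host, id: jar.get(host), pages }));
}

console.log(replay(visits));                            // the ad host links all three sites
console.log(replay(visits, { blockThirdParty: true })); // no cross-site links remain
```

The first-party hosts keep their cookies in both runs, which is why blocking only third-party cookies leaves logins and saved preferences working.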

Cookie Disclosure Requirements

By now, you’ve probably seen many websites display banners either stating that they are using cookies or asking consent for their use. This is due to several laws coming out of the EU that now require websites to obtain consent to use cookies. The ePrivacy Directive was implemented in 2002 and was the first such law to require notification of a website’s use of cookies.

However, the newly enacted GDPR has further enhanced these requirements. Now, websites are required not simply to notify users that cookies are being used, but must give information on how those cookies will be used and gain consent from users for each of those purposes.

While the U.S. currently does not have such laws in place, if your organization has servers in an EU nation, you may still be subject to GDPR restrictions. In any case, it is likely such regulations will also be enacted in the U.S. soon, so many organizations are choosing to display such banners preemptively.

Taking Aim at the CCPA

From the land of Silicon Valley comes privacy regulations that may have a tremendous impact on how tech companies use and share your data. 

Modelled largely on the EU’s GDPR, the California Consumer Privacy Act (CCPA) is the largest and most comprehensive online privacy regulation passed in the United States to date. The regulation provides California residents extensive rights over what personal information companies collect and how the information is used, and even gives consumers the right to opt out of data collection altogether.

The bill was passed into law in September 2018 and goes into effect this coming January. With the door fast closing, the race is on to add amendments and further clarifications to the new law. Last Tuesday, California Senate’s Judiciary Committee voted on a series of new amendments that could limit the scope of the CCPA.  

Here is a brief primer on the three most contested amendments and their fate in last Tuesday’s hearing.  

AB-1416  

This amendment proposes that businesses should be able to sell personal information even if a consumer has opted out if the sale is “for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity.” The amendment worried many privacy experts, who considered it to open major loopholes in the regulation. Specifically, according to one commentator, the bill “would chip away at the rights of Californians by allowing law enforcement to get around existing warrant requirements to access personal information.”

The bill was withdrawn by the author, Assemblyman Ken Cooley, at the last minute and so no vote was taken. However, according to some reports, it’s possible the bill will reappear for a vote next year, after the law has gone into effect.

AB-873 

This amendment would exclude any de-identified data from the scope of the regulation. The real issue, however, is that the bill lowers the threshold of what information is understood as de-identified. According to the amendment, data such as I.P. addresses and browser fingerprints would now be considered de-identified information. However, according to the senior counsel for policy and privacy at Common Sense Media, Ariel Fox Johnson, that information could potentially be used to tie data back to specific users. “Deidentification is not a privacy protective technique if deidentified information can identify you.”

The vote on the amendment was split 3-3, so the bill did not pass. However, the bill’s author was granted reconsideration, so it is possible another vote on the amendment will be taken before the end of the summer.

AB-25 

Another proposed amendment takes aim at restrictions on employers. As Bloomberg Law reports, “the bill would exempt personal information employers have about their employees from the privacy law’s requirement that it be disclosed or deleted upon request.”

The bill passed with 8-0 votes in favor, but with added changes that still require employers to inform employees about the types of information they are collecting about them and why. 

Next Steps 

The California legislature has until September 13, 2019 to pass bills amending the CCPA. Any bills up for reconsideration must still pass a vote in the Senate’s Judiciary Committee. All approved bills will then move to the Committee on Appropriations for a vote in August, to be followed by a vote of the full Senate. 

While it is likely some of these changes will go into effect, the results of the Judiciary Committee’s hearing make clear that the main purpose of the CCPA will remain intact. As a result, businesses should be taking this bill seriously and begin looking into what processes will need to be implemented in order to comply with these new regulations.  

 

Privacy Sells

There is no doubt that technology and digital tools have helped businesses grow. From more effective lead generation to highly targeted marketing campaigns, there is a lot that organizations can gain from using such tools. And there is a lot that consumers gain in terms of ease, cost and convenience.

Following the adage that “there is no free lunch”, consumers do pay a number of costs related to the access to their data: costs related to their ability to learn, costs related to their ability to expand beyond the narrow world of their past decisions, choices and interactions, costs related to their ability to feel and act independently, and costs related to their privacy or their ability to choose how and with whom they share information about themselves.

Regulations such as the European GDPR and the California CCPA are upping the ante for businesses to put more privacy mechanisms in place. And typically, when business hears regulation it hears disruption (in the bad way, not the sexy positive way disruption is used most times today).

But it doesn’t have to be that way.  Set aside the regulation and focus on your brand.  Focus on your relationship with your customer. Then ask yourself the following questions:

  1. Am I willing to be transparent about what I do with my customer’s data?
  2. Am I willing to tell my customers with whom their data may be shared (and hold those parties to the standards I am committing to with regards to the customer’s data)?
  3. Am I willing to ask my customers if it is ok to use their data for specific purposes?
  4. Am I willing to assist my customers if they wish to change or delete their data from our systems?
  5. Am I focused on only asking for or tracking data that I absolutely need in order to delight them and enhance our combined experience?
  6. Am I prepared to put in necessary safeguards to protect their data while it is on our systems?

If you can say ‘yes’ to each of these questions, not only will you have an opportunity to comply with privacy regulations, but you put yourself in the position of respecting your customer and enhancing your brand.

Perhaps privacy does sell.

 

 

Practice Makes Perfect

Given the increased threat of cyber-attacks facing organizations today, it’s not only important to have protections in place to prevent attacks, but also to make sure you’re prepared if the worst actually happens. Having an incident response plan is an important first step, but frankly it’s not enough. You don’t want the first time you need your response plan to be the first time you use it. Running periodic incident response simulations is therefore a must.

Here are some steps you can take to perform your own incident response simulation: 

Review Your Plan 

  • Identify a response team. Make sure you’ve designated a team to respond to any incidents and that every member knows their role within the overall response procedure.
  • Conduct an inventory of your data. Make sure you know where your data is and what types are most sensitive. If you collect personally identifiable information or personal health information, for instance, you’ll definitely want to know where to find it in the event of a breach.
  • Know what regulatory and contractual requirements will govern your response. This often entails prompt notice of a breach to certain entities outside your organization. Insurance carriers, forensics teams, state attorneys general, and clients might need to be notified should something happen. Moreover, regulations vary from state to state and country to country, so it’s important to understand where your clients are located in order to know how to respond accordingly.
  • Know who you need to contact outside of the organization. Your insurance carrier? Forensics? Clients? The FBI? Make sure those contacts are documented so you do not have to hunt for them when the malware hits the fan.

Run Through a Scenario 

  • Malicious insider action, breach of sensitive data, host application compromise, denial of service attack, lost or stolen IT assets, and ransomware attack are all examples of possible scenarios you could face. Of course, not all organizations will be vulnerable to the same types of incidents, so take some time to identify the scenarios that could reasonably happen to you.
  • Bring your response team together and walk through what steps need to be taken for every possible scenario, and make sure everyone knows who will be responsible for what.
  • After a run-through, note any questions or issues that need to be resolved. For example, are you unable to know if your backups work because they haven’t been tested? Are you capable of identifying exactly what data was exposed? Do you need a retainer for a forensics company to ensure prompt help? Comb through every detail and make sure every question is answered.

Rinse and Repeat 

You’re probably not going to nail the response on your first try. That’s why it’s important to keep practicing these simulations until you feel confident that you and your team will be ready to respond quickly and effectively should the worst happen.

 

Doing simulations can actually help save costs in the event a breach occurs. According to The Ponemon Institute’s 2017 Cost of Data Breach Study, a fully functional response team saves on average 14% of total data breach costs, and fast responses to a breach can save up to 26% of response costs. Taking the time now to make sure you’re prepared can save time, money, and your reputation.

Data Matters

Today, even small businesses collect and store an overwhelming amount of information. And with data breaches occurring all the time, it’s more important than ever that this information is properly secured. But with different databases and systems in place, it becomes easy to lose track of exactly what information you have.

Having a complete picture of your data will not only leave your business in a far better position to respond to a breach, but can help you grow in a number of ways. Properly organized consumer data is incredibly helpful for market research and data analysis, giving you a better sense of who your customers are and why they are working with you. Classifying your data can even help you save money on storage if, for instance, you are holding on to too much or redundant data. 

Here are a few steps you can take to help get a better handle on your data and make sure it’s protected.

Take an Inventory 

The first step to securing your data is to know exactly what you have. There is a variety of information that most companies collect and store. Proprietary and financial data, employee records, personally identifiable information (PII), and personal health information (PHI) are all examples of some of the different types of data you may be storing. Consumer data is often covered by a variety of privacy regulations, so tracking what states and countries your customers reside in is also important. Taking the time to complete a comprehensive inventory of what types of information you have, where that data is stored, and how it is transferred will go a long way to making sure your systems are secured.

Rank by Sensitivity

Not all data is created equal. You might want to share some of your data with the world, while other data will be regarded as highly sensitive. Ranking your data by sensitivity will help you keep track of what level of security you need for certain types of data. A ranking system commonly used is: public, internal only, confidential, and restricted. Of course, all companies and information systems are unique, so be sure to take the time to create a sensitivity ranking that makes sense for you.

Define Controls

Once you’ve classified your data by sensitivity, you need to create security controls and procedures for each category. More sensitive data requires more advanced protections, while low-risk information may only need lower-level protections.

Access restrictions are also essential to securing your data. Not all of your employees will need to access all of your information. Define access based on the level of the information’s sensitivity and the employees that need to utilize that information. You can also create time-sensitive access that will restrict the availability of data after a certain amount of time.
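
As an added illustration (not part of the original article), here is one way to express such a control using the four-level ranking above. The dataset names, employee names and grant records are constructed, and the rule that confidential and restricted data also need an unexpired grant is an assumption chosen for this example.

```javascript
// The article's ranking, from least to most sensitive.
const LEVELS = ["public", "internal only", "confidential", "restricted"];
const rank = (level) => LEVELS.indexOf(level);

// Constructed sample records (hypothetical names).
const datasets = { brochure: "public", handbook: "internal only",
                   roadmap: "confidential", payroll: "restricted" };
const clearance = { dana: "restricted", sam: "internal only" };
// Need-to-know grants, each with an expiry so that access lapses on its own.
const grants = [
  { user: "dana", dataset: "payroll", expires: "2024-07-01T00:00:00Z" },
];

function canAccess(user, dataset, now = new Date()) {
  const level = datasets[dataset];
  if (level === undefined) return false;   // unclassified data: deny by default
  if (level === "public") return true;     // anyone may read public data
  const held = clearance[user];
  if (held === undefined || rank(held) < rank(level)) return false;
  if (rank(level) < rank("confidential")) return true; // internal only
  // Assumption: confidential and restricted data also need a live grant
  // for this specific dataset, not just a high enough clearance.
  return grants.some((g) => g.user === user && g.dataset === dataset &&
                            now < new Date(g.expires));
}

console.log(canAccess("dana", "payroll", new Date("2024-06-15T00:00:00Z"))); // true
console.log(canAccess("dana", "payroll", new Date("2024-07-02T00:00:00Z"))); // false
```

Denying anything that has not been classified keeps newly created datasets from being readable before someone has ranked them.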

 

Regularly Re-Evaluate

Information and technology are constantly in flux. The types of data, its value, and who should have access to it will change regularly, and it’s important that your organization changes with it. Periodically re-evaluating your classification system and security controls will help you stay on top of your data.

 

Data Classification: It’s Good for Business 

Keeping track of your data will benefit your company not only by making your data far more secure, but also by allowing you to determine what you can do to streamline your operations and make your business more efficient.