Privacy Matters: How to Regain Control of Your Website?

With website data privacy, let’s face it, we’ve lost control

You might be surprised by how little of your website’s code actually belongs to you. In a recent global poll by the International Association of Privacy Professionals (IAPP), 90% of respondents said their firms relied on third parties for data processing. That means 90% of those firms depend on a significant, critical code base that they don’t control.

It’s worse than it sounds, because those third parties may themselves use functionality from fourth parties, fifth parties, etc., which are also outside the control (or even meaningful oversight) of the website owner. And website owners depend on these parties for basic functionality without which their site doesn’t work; payment processing, for example, is almost always outsourced.

Assessing the size of the problem

Website data privacy isn’t a small problem. According to Reflectiz, for 2020, the average number of third-party applications on a website is 35, feeding an additional 31 fourth parties. That’s a lot of code that isn’t yours.

From a privacy control perspective, this is a huge problem. Not only are you reliant on a codebase you don’t own and have limited visibility into (which is in turn dependent on other parties you may not even be aware of), you are also putting your users’ data into the hands of all these other parties, all the way up the line wherever the line goes.

There are new MageCart attacks reported practically every week, and MageCart preys on payment applications. Any part of this chain could be attacked, including parts you’re unaware of. You’re still responsible for the data, so if one of them has a breach, it’s your breach.

Understanding your exposure

Even if your third-party app vendors don’t have a breach, depending on the jurisdiction you’re in, they can get you in trouble by merely moving data over a national border it shouldn’t cross. Or by doing things they shouldn’t do with the data.

In general, if you’re regulated, the regulations (GDPR, CCPA, HIPAA, etc.) only allow you to move personal information for specific purposes.

Bottom line: you are responsible for this data, but you don’t have complete visibility into what’s happening to it, much less control. Responsibility without control is terrible; responsibility without knowledge is even worse.

So what can you do?

1. Accept the risk.

There’s a concept called “risk acceptance,” where you identify a business risk but decide that it is cheaper to accept the potential consequences if it happens than it is to mitigate it. If the possible damage is slight and the expense to reduce the likelihood of it happening is large, this may make sense.

There are situations where this is the rational choice and cases where it isn’t. In 2021, with increasing customer concern about user data privacy and enforced regulation, this is a dangerous choice. But it’s your default choice if you do nothing else.

2. Approach website data privacy as a legal problem.

You can make sure that you know who all of the third parties in your environment are, what their user data privacy practices are, and what they claim to be doing with your data. You can review their agreements to ensure that they’re taking legal responsibility for what they do with data once it leaves your control, and you can use automated means to keep up to date on their privacy notices and the like.

In fact, 94% of respondents to that IAPP survey said they “rely on assurances in the contract,” which may not even involve an automated review of contracts for changes. With this information, you can then block apps you don’t want in your environment, and there is software out there (like Osano) to automate the process.

This is essential due diligence, and you should do this. But if this is all you do, you should be aware of the limitations: it may not adequately cover the third parties’ upstream suppliers. It doesn’t prevent your customers from being attacked if a third party themselves gets compromised, and it won’t necessarily protect you from reputational damage or regulatory action.

Also, the third-party environment is a moving target; it changes very rapidly, so it’s incredibly complicated to stay up to date.

3. Manage third-party code directly.

Since the average website uses 35 3rd-party apps that connect to another 31 plus other parties, the process of understanding what data each party collects, how they manage website data in transit, where they process and store the data, and knowing what they can change without your knowledge is a daunting and time-consuming effort, especially if you are using a spreadsheet or something similar.

If any one party is deemed too difficult to manage directly or too risky from a privacy standpoint, you can simply bypass an app altogether, but you will most likely lose some required functionality.

There are some automation tools out there that can help with Third-Party Cyber Risk Management (TPCRM). For pure landscape visibility, tools like CyberGRX and Blacklight can help identify the scope of your third-party picture.

You can also use Tag Management Systems (TMS), like Google Tag Manager and Tealium, to help reduce the time needed to directly manage website data privacy issues.

However, there is growing evidence that even Subresource Integrity (SRI) and Content Security Policy (CSP) measures combined may not be enough to adequately protect against the latest security breaches.

Since the standard set of direct third-party management tools may not spot issues that arise at the fourth party or beyond level, ultimately, the direct management approach provides partial visibility and is incomplete as a stand-alone data security or privacy compliance practice.
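As an added illustration of the direct-management approach (not code from the original article or from any vendor it names), the sketch below inventories the third-party hosts a page declares in its HTML and flags scripts and stylesheets loaded without Subresource Integrity. The page URL, host names and `integrity` value are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; hosts and the integrity value are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.tagvendor.example/tag.js"></script>
<script src="https://pay.vendor.example/checkout.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://fonts.vendor.example/site.css">
</head><body>
<iframe src="https://chat.vendor.example/widget"></iframe>
<img src="//pixel.adnetwork.example/p.gif">
</body></html>
"""

class ThirdPartyInventory(HTMLParser):
    """Collect statically declared resources that load from another host."""
    URL_ATTR = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        # Assumption: only an exact host match counts as first party.
        self.first_party = urlparse(page_url).hostname
        self.findings = []  # (tag, host, has_sri)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        ref = attrs.get(self.URL_ATTR.get(tag, ""))
        if not ref:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(self.page_url, ref)).hostname
        if host and host != self.first_party:
            self.findings.append((tag, host, bool(attrs.get("integrity"))))

def audit(html, page_url):
    parser = ThirdPartyInventory(page_url)
    parser.feed(html)
    return parser.findings

def missing_sri(findings):
    """SRI only applies to script and stylesheet link elements."""
    return sorted({h for t, h, sri in findings if t in ("script", "link") and not sri})

if __name__ == "__main__":
    found = audit(SAMPLE_HTML, "https://www.shop.example/")
    for tag, host, sri in found:
        print(f"{tag:7} {host:28} integrity={'yes' if sri else 'no'}")
    print("no SRI:", missing_sri(found))
```

This inventory sees only what the HTML itself declares. Anything a listed third party pulls in at runtime (the fourth parties and beyond) never appears in it, which is the visibility gap described above.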

4. Use a privacy automation platform.

You can install a website data privacy solution like Lokker on your site, and it will continuously filter all web transactions. Because it monitors all data which moves across the interface, unlike periodic scans, it will catch even rapid or intermittent changes in your third-party environment.

And because Lokker can enable automated processes, you can cut off a third-party application entirely or anonymize the data it sends back to its servers while preserving your web functionalities. Lokker enables you to control the extent and parameters of the data use requested by your vendors. This is critical in a digital environment where implied 3rd-party consent is no longer tolerable.

5. Defense in Depth.

The best option, confirmed in the privacy world as it is in the security world, is to have multiple overlapping safeguards: do several of these things to make sure you’ve covered the full range of potential threats.

That way, if one of them fails to catch a problem, the others can. In particular, consider combining a technical solution with a solid understanding of the legal agreements at play.

Website data privacy control begins with visibility

Want to assess your website’s privacy risk for yourself and see what you are up against from a 3rd-party control standpoint? Try Lokker’s free privacy scan today.

 

Author:
J.D., CISSP, CIPM, CIPP/E, FIP. Expertise in law, technology, information security, data privacy, healthcare analytics, and healthcare. Develops privacy and security programs; collaborates across the company to deliver creative solutions while ensuring the privacy and security of data. Passionate about creating a culture where all employees understand the importance of handling data correctly, recognize and speak up about potential issues, and are actively engaged in the process. Experience with Privacy Regulations (HIPAA, GDPR, CCPA etc.), Formal Certifications (ISO, SOC, HITECH, EHNAC), and De-Identification of Data.