[BreachExchange] Protecting Online Information

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 25 15:54:19 EDT 2016


http://www.forbes.com/sites/stevepociask/2016/03/24/protecting-online-information/#e4a770a443c7

As consumers go online to browse websites and search for news and
information, they may be completely unaware that their personal data is
being collected and retained by online companies. In some cases, that data
is being used by these online companies to market other services, shared
with affiliates, and sold to other companies.

Seldom do consumers take the time to read lengthy online privacy agreements
and, once they sign up with a website, they may have little control over
making sure their data is secured and not shared across other services,
applications and companies. Simply put, existing laws don’t offer consumers
any protection from such data sharing.

One of the prime perpetrators of this massive online data collection is
Google, whose record on data privacy has been littered with fine after fine
involving privacy violations. In return for using free Google services –
like its search engine, YouTube, Google+, Gmail and others – Google
captures, stores and shares its information from one product across all of
its products. Consumers may not realize that there is a price for these
free services – reduced privacy protections. And given Google’s astounding
market share, this data collection affects a lot of consumers, to say the
least.

This lack of protection is evident in merchants’ handling of credit card
information. While banks and credit unions that issue credit cards must
adhere to strict data security laws and notify you of breaches, the same
laws do not apply to merchants that handle your credit cards every day.
Merchants aren’t required to put in place firewalls on their servers, to
use data encryption, or even to have virus and malware protection to stave
off hackers. Yet, some merchants are keeping consumer transaction data for
longer than necessary in order to use consumer information for marketing.

No matter how aggressive your financial institution is in protecting your
credit card, it’s often merchants’ technology gap that allows for credit
card thievery. Fortunately, there is proposed legislation that would
require merchants to more adequately protect the consumer information they
collect and store.

The transfer of data between affiliated companies is yet another major
consumer concern. Test-prep company Princeton Review has been cited as
potentially violating student privacy. The company offers courses to
improve student scores for SAT college-entry tests, as well as
graduate-level tests, like the MCAT for medical school and the LSAT for law
school. But The Princeton Review and Tutor.com, which connects students
with tutors, are now owned by Dallas-based Match Group Inc., which also owns
some 45 dating sites and hookup apps, such as Match.com and Tinder. Match
Group is expert at mining personal data for marketing purposes.

Again, there is nothing preventing the personal data of consumers (in this
case, a portion of which are minors) who sign up for The Princeton Review
and Tutor.com from being co-opted by the sister dating sites to, in turn,
lure them onto that side of the umbrella company.

A researcher from Stanford University reportedly found that one of Match
Group’s websites, OkCupid, was leaking personal data to marketing partners.
That’s not OK for any company, but it’s certainly worse if we’re talking
about students who didn’t explicitly opt into this website in the first
place.

A big problem, too, is the vulnerability of the data to hackers. For its
part, Match Group is under no illusion that customer data is safe. In its
filing to the Securities and Exchange Commission for its initial public
offering last fall, it said something customers should cringe at: “We are
frequently under attack by perpetrators of random or targeted malicious
technology-related events. There can be no assurance that our efforts will
prevent significant breaches in our systems or other such events from
occurring.”

Looking across several industries, the practice of sharing private data
without appropriate consent leaves consumers – and, in some cases, minors –
vulnerable to marketing overtures by these companies and their affiliates.
Instead, these companies should be required to receive an explicit and
separate consumer approval – an “opt-in” agreement – from consumers before
their personal information is allowed to be sold or given to business
affiliates. Lawmakers need to take action to protect consumers from this
potential abuse.