By the end of this article, online shoppers who feel that their personal information is secure and confidential will have lost that feeling. Most electronic retailers lack a personal privacy policy and those that do have one are highly, though unwittingly, vulnerable to data theft. Which is why, as this author writes, the time has come for a security and privacy manifesto.
In early 1999, Scott McNealy, the CEO of Sun Microsytems, famously stated that, “You have no privacy – get over it.” Around the same time, I was busy evangelizing about five big lies I believed had been spread about e-business. These five lies were:
- People like to shop on the web (They didn’t – they just hated stores more).
- The e-business climate is improving (It wasn’t – regulators were meddling).
- The future belongs to the young (Even e-businesses needed adult supervision).
- First-to-market and flawless fulfillment are the keys to e-business success (Yes, but so long as the fundamental business model is sound – which it wasn’t in many cases); and
- The old rules don’t apply to the new economy (They did – as many investors in subsequently bankrupt dotcoms discovered).
The 8 years or so since 1999, almost a decade of online shopping, and the firm entrenchment of “e-tailers” as a viable shopping channel for consumers, have led to the emergence of a sixth and more insidious lie – perhaps the biggest lie of all about e-business: “Trust us – your personal information is safe.”
Internet pundits are quick to reassure us that online shopping is as safe as ever – even as safe as going to the local mall. However, reality says otherwise. According to Postini, the internet security provider, spam (including phishing mails) accounted for 93 per cent of all internet traffic in 2006 – a 144 per cent increase over 2005.1 The Privacy Rights Clearinghouse reports that over 100 million records containing sensitive personal information have been involved in 474 security breaches worldwide.2 The Association of Certified Fraud Examiners reported 1,038 cases of internal theft in 2006 that took the form of asset misappropriation, (including the theft of customer data) leading to a median loss of $150,000.00.3
What are e-tailers doing about it? If their websites are to be believed, they are doing very little, if nothing at all.
I recently reviewed the privacy and security statements of the Top 50 internet retailers – as judged by industry website InternetRetailer.com.4 A whopping 56 per cent, or 28 out of 50 had no explicit policy statement on their websites regarding the internal and physical security of consumers’ private information!
This article reviews what measures should be taken, what measures have been taken, and the potential consequences to businesses of any gaps between these states.
Information security defined
Paul Oman, at the University of Idaho, uses the acronym “CIA3N” (pronounced “sigh-ann”) to describe the 6 components of information security that pertain to internet and data security5:
- Confidentiality – information can only be read (but not modified or otherwise acted on) by those with permission to do so.
- Integrity – information can only be changed by those with permission to do so
- Availability – records can only be used (to compile lists or other actions) by those with permission to do so.
- Access Control – records can only be accessed by those with permission to do so – like having a key to the locked filing cabinet containing all customer records.
- Authentication – those wanting to access records must prove, beyond doubt, they are who they say they are (with passwords and the like).
- Non-repudiation – when records are accessed, the person who has accessed them cannot deny doing so (a trail exists).
The recent spate of well-publicized hacks and other internet attacks have led information systems departments in companies to develop and implement rigorous measures (with mixed success, for, as hackers constantly remind us, no information system is foolproof) to ensure the safety of electronic information. However, they have focused little attention on the weakest link of all – the human operators using these systems. According to the Association of Fraud Examiners, the average organization loses about six per cent of its total revenue to fraud and abuses committed by their own employees, including information theft and abuse. Rank in the company is no deterrent, either. Fraud committed by managers was four times that committed by employees. Executives caused losses 16 times greater than that caused by employees!6
Effective security includes both measures aimed to thwart those outside the organization (like hackers and crackers) as well as insiders (like employees who steal or misuse data). To this end, I developed and applied an index of e-tailing security that includes both electronic and employee-based measures and assessed security at the world’s top 50 companies (as determined by Internet Retailer).
An index of e-tailer security
The e-tailing security index is composed of 9 equally-weighed criteria that should be visible and apparent to any person viewing the e-tailer’s web site. It does not include any back-office or unseen measures. The reason for this is simple: security must be seen in order to be effective. A customer cannot “see” back-office security. As such, the presence or absence of any such measures does not factor into their assessment of the site’s security and subsequent purchase decisions.
The first two and most important factors assess the presence and prominence of the organization’s security and confidentiality policy. They attest to the firm’s public commitment to security and to the protection of customers’ information.
- Datasec Policy: Does a comprehensive security policy exist, does it state if the company has put measures in place to physically safeguard customer information from abuse and unauthorized access and use by employees, contractors, and hackers?
- Access: Is the policy easily accessible from the root home page?
Three factors deal with electronic measures aimed at thwarting hackers:
- SSL (Secure Socket Layer): Does the company process transactions using encryption like SSL, or third-party secure vendors like Verisign?
- Cookies: Does the company state whether or not it uses cookies, and the purpose of placing these cookies on a customer’s computer?
- IP Tracking / Web beacons: Does the company state if it tracks IP addresses, where viewers go on the site, and from the site, and why it tracks these data?
Finally, and most importantly, the last four factors address measures put into place to safeguard information from internal subornation:
- Internal Use: Does the company clearly state that it will use the data gathered for internal purposes only, like order fulfillment?
- Not Sell: Does the company explicitly state that it will not sell personal information to other parties for the purpose of solicitation? This includes offshore vendors.
- 3rd Parties: Does the company state if it will provide personal information to domestic or international third parties (like staff at fulfillment centers or shipping companies), and the purpose of providing such information?
- Opt-Out: Does the policy state that it will allow consumers to opt out of either providing personal information or unauthorized use of this information? If so, it also measures the ease of opting-out.
How the Top 50 Fared
Security Policies, Access, Hacker Protection and Third-Party Usage:
As expected, most (46 out of 50), but interestingly not all of the e-tailers had security and privacy policies that were accessible from the root, or first home page. In most cases, information about access to the policy was buried in the small print at the bottom of the page and usually not visible on the first screen. Therefore, to gain access, customers would have to scroll down to the bottom of the page, find the small-typeface link and click it. As a public commitment to data security, this type of arrangement is only token and a weak afterthought. For one company’s policy, American Eagle Outfitters’, the light grey font used to denote the privacy policy was barely visible against the home page’s backdrop of grey clouds on a blue sky!
Moosejaw.com, on the other hand, presented its policy in a prominent hyperlinked dialogue box entitled “mean lawyer privacy policy” beside its physical contact information, not in the small print. In doing so, it draws attention to its commitment to privacy and security in a tongue-in-cheek manner that is consistent with the rest of the site’s irreverence. Clicking on the link brings customers to a page of text outlining its policy that begins with “Because we love you…”
Four companies, FreshDirect, GreenMountainCoffee, Chiasso, and Bodybuilding, failed to provide a link to their privacy policies on their home pages. A site search using the keywords “privacy policy” revealed them, though much deeper in their websites. It could be that because these firms are smaller, they may not have the savvy to indicate their commitment to security and privacy on their home pages.
All 50 merchants provided state-of-the-art protection from hackers and other outside intruders. They were quick to state that they used SSL or similar encryption protocols. All of them used cookies to track usage, and readily acknowledged that they tracked IP addresses. Moreover, all freely gave personal information to third-party fulfillment agents (like credit card companies and shippers). Fourteen of the sites went so far as to state that they would sell (and profit from selling) individual information to other companies!
For example, The Gap’s policy states that it will freely exchange customers’ information with its affiliates stores Old Navy and Banana Republic as well as with any and all promotional partners (for example, in its recent Baby Gap contest, with Kodak Corporation and Child Magazine). Dell Corporation’s policy states that it will not sell personal information to third-party companies without customers’ “express consent.” Yet, Dell fails to indicate how, if at all, this consent will be obtained, or how information will be protected from sale, if at all. The same holds true for the aforementioned quirky Moosejaw.com, whose managers are not all that consumer-protection oriented when it comes to generating additional profits from the sale of customer information. This is in contrast to Amazon, which states that consumers will actually be contacted should the company sell information to a third party.
SmartBargains.com’s policy says that the company will “Occasionally…provide our postal mailing list (consisting of customer names and postal mailing addresses, but not e-mail addresses) to other companies whose products we believe may be of interest to you..”, placing the onus on site users to opt-out.
Electronic e-tailer Best Buy both gives and takes. On the one hand it states that it will not “…sell or rent…personal information to third parties…”, yet retains the right (again forcing the consumer to opt-out) to “…use information about you and your visits to our Web site to send you targeted ads and marketing information.”
Some e-tailers are explicit in their refusal to sell information to third parties. Polo.com’s policy holds that the company “…does not share, sell or trade with third parties your Personal Information gathered online…[the company] does not contribute to or participate in cooperative databases, which give other companies access to such Personal Information.” AE.com goes further; obliging any third-party to use the information provided only for the purpose that AE has given it, barring these agents from building and using mailing lists of their own.
In sum, these Top 50 e-tailers protect their customers’ records from all but the most determined hackers. They nonetheless generally acknowledge that they track IP addresses, drop cookies into customers’ computers, compile usage information and share personal information for fulfillment purposes. Many (10 out of 49) willingly sell information to third-party marketers for the purpose of solicitation. The remaining majority is either mute or deliberately vague, thus leading wary consumers into believing that their information will eventually end-up in a number of mailing lists.
Protection from internal fraud, use and abuse
While the majority of e-tailers took appropriate measures to safeguard customers’ privacy, most did not disclose the very thing that jeopardizes consumers’ privacy the most, namely, the measures employed to protect information from being stolen, or inappropriately accessed by employees, contractors, and other insiders. In fact, 28 out of 50 e-tailers failed to elaborate on what measures, if any, they took to prevent employees from unauthorized access to or theft of their customer database.
This is not as uncommon as it might first seem. Understandably, companies are loath to acknowledge such breaches. Yet, massive data losses are regularly reported. Most recently, the Canadian Imperial Bank of Commerce (CIBC) was criticized for losing a hard drive containing unencrypted personal and financial data for 470,000 customers, lost in transit between Montreal and Toronto.7 This was the third such loss or theft of customer data for the bank! The proliferation of innocuous-looking small storage devices like USB drives and iPods (which are basically hard drives) make each employee and every person who comes into a business’ site a potential data thief.
Ironically, the vendors in the “Computers & Electronics” category fared worst of all with only 1 e-tailer of 8, YesAsia.com, stating it had measures in place to safeguard data in its possession. Stalwarts like BestBuy.com, Dell.com, and Palm.com never stated how they would protect information from misuse by employees, if at all. One vendor, GameStop.com even went so far as to warn consumers to safeguard their computers from unauthorized access, thus absolving itself of responsibility should this occur, without a reciprocal offer to do the same!
Apparel vendors like The Gap and Nike.com also failed to provide clear, unequivocal protection, joining 5 of the 9 vendors in this category that did the same thing. Only one of five jewelry vendors had a policy, and none of the four houseware sellers had a clear statement.
Of the 12 e-tailers with such policies on their sites, which ones provided consumers with the best protection? Omaha Steaks clearly stated that it updates its technology regularly. It has put into place strict procedures restricting physical access to data, and has established and enforced strict rules for outside companies and independent contractors. JC Penney stated that it informs all employees about its responsibility to protect customer privacy, and limits the information it provides others. Costco uses “…technical, contractual, administrative and physical measures in an effort to protect against unauthorized access.”
Apple’s (iTunes.com) policy is the clearest (lawyer-jargon free), most extensive, and most consumer-oriented of the 50 sites reviewed. The policy begins with the clear, unequivocal statement that “Apple takes your privacy very seriously…[it] does not sell or rent your contact information…” The company also enjoins its contractors, stating that they “…are also obligated to protect your personal information in accordance with Apple’s policies, except if we inform you otherwise at the time of collection.” Finally, the company denoted its commitment to internal security: “Apple takes precautions – including administrative, technical, and physical measures – to safeguard your personal information against loss, theft, and misuse, as well as unauthorized access, disclosure, alteration and destruction.”
Implications for businesses and managers
The advisory of caveat emptor has never rung as true as it does for e-tailing today. The sum total of all U.S. internet retailers (1,530) had sales of over $108 billion in 20068. The Top 50 etailers (3.3 per cent of all etailers) accounted for nearly $28 billion, or over one-quarter of this total. If the majority of the best etailers fail to state what internal security measures they take to protect private information, then the prognosis for the industry, and for consumers, is dire.
Privacy and security policies may seem like software license agreements: never read and always tacitly accepted in the rush to use the product. In all cases save one (the quirky Moosejaw.com again), firms’ privacy policies were buried on the bottom of the home page, in a small font. However, in 2006 alone, e-tailers lost almost U$2 billion because of consumers’ security fears. About one-half of these losses ($913 million) came from customers who avoided sites that seemed less secure. The remainder came from those who were too afraid to conduct business online at all9.
The lesson for business after a decade of e-business might well be that customers now “Trust – but verify”. We are increasingly living in a bit-based world; since 1999, more than 90 per cent of all documents have been created on computers10. As consumers become increasingly aware of web site security, they will vote with their mice. Companies have an ethical responsibility to them, and a fiduciary responsibility to their shareholders to ensure that appropriate policies are put into place, clearly communicated, and consistently enforced. To do otherwise is to ignore the rising tide of consumer awareness, and to risk shareholder wealth when customers abandon their websites in favor of e-tailers who have adopted fair and transparent policies.
A security and privacy manifesto
In addition to the security measures aimed at thwarting hackers, e-tailers should implement a Web Consumer Bill of Rights that includes the following five measures:
-
Rescue the privacy policy from the web page’s appendix.
Security and privacy must be seen to be done in order to be done. As such, privacy policies should be prominent on a company’s web site (easily discernable on the FIRST screen), not buried somewhere in the small-print-land of insignificance. -
Eschew obfuscation
Privacy policies should explain, in clear and simple language, exactly what information the company gathers, why it gathers it, what it does with it, what rights consumers have, and how they can safeguard these rights. This includes a clear and convincing rationale for placing cookies on customers’ hard drives, and for tracking IP addresses. -
Eliminate the negative
Do not force consumers to opt out of allowing other uses of their information. Rather, place the onus on the company to contact consumers and ask them for permission. Negative-option billing is as distasteful now as it was a decade ago, when the cable companies tried it. -
Privacy and security begin at home
A great number of resources have been dedicated by hardware manufacturers, software vendors and others to protecting systems and data from outside intrusion. Yet, paradoxically, the most egregious of security breaches often involve ill-meaning (and sometimes innocent) insiders. E-tailers need to develop, implement, and, most importantly, enforce comprehensive security and privacy policies inside their organizations. When was the last time someone was terminated for misusing information? “Trust – but verify” applies equally to employees. -
Commit contractors to have and uphold the same standards as yours.
In a bit-based world, information is freely exchanged in a universal format. Bits also last forever (or at least longer than paper records) and are easily stolen or manipulated. While this has speeded up transactions, it has also made it easier for records to fall into the wrong hands. Many e-tailers acknowledge that their responsibility ends at their company’s physical or virtual door. They abrogate their responsibility to consumers by tacitly letting third-party fulfillment agents (and other contractors) do as they will with consumer information, including re-selling and creating mailing lists. For example, Canada Post needs only a few clicks to set-up an online store, and to provide access to millions of Canadians. Companies should only do business with third-party suppliers who agree to abide by the same rules regarding privacy that the e-tailer does. That is, if the e-tailer promises not to solicit or otherwise use customers’ information for any purpose other than order fulfillment, then so too should the contractor.
This research took place during the first quarter of 2007.
This copy is for your personal use only. To order more than one copy for distribution to your colleagues, clients or customers, please quote the reprint number at the end of the article and contact Ivey Publishing: case@ivey.uwo.ca.
Footnotes
- Postini Press Release, “Postini Message Security and Management Update for the New Year Reveals that Spam Continues to Grow Unchecked,” January 10, 2007 at http://www.postini.com/news_events/pr/pr011007.php accessed February 7, 2007.
- Privacy Rights Clearinghouse, “A Chronology of Data Breaches,” February 3, 2007 at http://www.privacyrights.org/ar/chrondatabreaches.htm accessed February 7, 2007
- The Association of Certified Fraud Examiners, Inc. “2006 Report to the Nation on Occupational Fraud and Abuse.” Austin, TX: The Association of Certified Fraud Examiners, Inc.
- Siwicki, B. (2006). “The Internet Retailer Best of the Web Top 50 Retail Sites,” December, 2006 at http://www.internetretailer.com/article.asp?id=20674 accessed February 7, 2007.
- Oman, P. (2006). “Defense Against the Dark Arts: Safeguarding Computers from Hackers, Crackers, and Identity Thieves.” Tutorial at the 39th Annual Hawai’i International Conference on Systems Science, January 4, Kaua’i, HI.
- The Association of Certified Fraud Examiners, Inc. op cit.
- Lau, K. (2007). “CIBC’c loss of back up drive hints at lack of safeguards,” ITWorldCanada, January 22, available at http://www.itworldcanada.com/Pages/Docbase/ViewArticle.aspx?ID=idgml-cc412218-2e4e-4c22-9a75-d31412d693f2 accessed February 7, 2007.
- US Census Bureau News (2007). “Quarterly Retail E-Commerce Sales 4th Quarter 2006,” February 16, 2007. U.S. Department of Commerce, Washington, D.C., press release CB07-23.
- Schuman, E. (2006). “Gartner: $2 Billion in E-Commerce Sales Lost Because of Security Fears,” eWeek.com, November 27, 2006 at http://www.eweek.com/article2/0,1895,2063979,00.asp accessed February 7, 2007.
- Ricciuti, M. & J. Evers (2007). “Solving the Web security challenge,” CNET News, June 28, available at http://news.com.com/Solving+the+Web+security+challenge/2009-1002_3-6189437.html?tag=item accessed July 4, 2007.