This document discusses security and privacy issues for both consumers and website owners. It covers topics such as types of security risks like hacking and viruses, privacy laws like the Data Protection Act, and how to implement preventative measures. The key implications are reputational damage and fines for non-compliance, so both groups benefit from measures to reassure users and protect their data/systems.

1. Security & Privacy Issues for
the Consumer & Site Owner
By: Alexandra MacLeod and Liane Van Diepen
10039412/12063364
20 March 2013

2. Introduction
 Security
 Types of Risks
 Privacy
 Data Protection Act 1998
 Privacy and Electronic Communications Regulations
 Cookies
 Email Marketing and SPAM
 Managerial Implications & Preventative Measures

3. Security - Consumer Concerns
 Stolen credit card details
 Phishing
 Downloading viruses
 Website has security
certificates
Source: Smart Insights (2012)

4. Security – Site Owner
 What is information security?
 Ensuring your website is available 24 hours a day for your
customers
 Ensuring only the correct people can administer the website’s
content
 Preventing unauthorised alteration or destruction of your data
 Avoiding your website being used to distribute other peoples’
software
 Ensuring that your employees cannot accidentally delete
valuable information
 Stopping your website being used to damage users’ computers
 Protecting your reputation
Source: Watson Hall Security, Smart Insights (2012)

5. Types of Security Risks
 Denial of Service Attack
 Hacking
 Destruction of Data - viruses
 Malware
 Phishing
 Secure Payments/Website Encryption
Source: Watson Hall Security (2013);
Symantec Internet Security Threat
Report (2012);

6. Denial of Service Attack
 Hackers overload website
with traffic
 Website can't handle
volume and shuts down
 Major disruption to service

7. Hacking
 Unauthorised website
access/publication
 Malicious intent /
monetary gain
 The Sun newspaper
hacked by infamous
LulzSec hacking group
 1 million online users
 Data Protection
obligations

8. Destruction of Data - Viruses
 Computer viruses can shut
down company websites
 I Love You Virus
 Attachment sent via email
 Overwrites photo/video
files
 Shutdown websites
including Ford and Chrysler
due to employees opening
infected email attachments

9. Malicious Software on Websites
 “When it comes to computer
viruses, you’re now more
likely to catch one visiting a
church website than surfing for
porn” – Symantec (2012)
 Malware – viruses, worms,
Trojans, bots
 Infects website the user’s
computers
 Downloadable files on websites
are a hotbed for viruses
 External content on websites
such as videos and photos are
virus-prone
Source : Symantec Internet Security
Threat Report (2012)

10. Secure Payments/Website
Encryption
 Secure payments
 Well known payment system such as
WorldPal or PayPal which uses encryption
 Use Transport Layer Security (TLS) and
Secure Socket Layers (SSL) certificates to
reassure customers:
 Padlock
 HTTPS
 Green Address Bar
 Legally incorporated name
Source: Global Sign, (2013)

11. Phishing
 Masquerades as an official
website communication
 Requests users' login
information
 Uses information to
fraudulently obtain funds
from their account
 Who is responsible for the
customer’s loss?

12. Managerial Implications
 Reputational damage
 Trust
 Disruption
 Inconvenience
 Loss of traffic
 Costs

13. Managerial Preventative Measures
 Secure website design from
the beginning –
difficult/expensive to add
later
 Antivirus software is always
up to date
 Firewalls
 Phishing notifications via
email
 Employee email filtering
 Securesign SSL/TLS
Certificates
 Split login screens

14. Privacy
 Data Protection Act 1998
 How data is collected and used
 Privacy and Electronic Communications Regulations
 Cookies
 Email Marketing and SPAM

15. Consumer Concerns
 Data leakage – how secure
is my data and what
happens if it is lost/leaked?
 Data use without consent
 Annoyance/Waste of time
 Not having opt in/opt out
notices
Source: Smart Insights (2012)

16. Data Protection Act 1998
 Eight Principles:
 1. Fairly and lawfully processed
 2. Processed for limited purposes
 3. Adequate, relevant and not excessive
 4. Accurate and up to date
 5. Not kept longer than necessary
 6. Processed in accordance with the individuals rights
 7. Secure
 8. Not transferred to a country outside the EEC unless it
has adequate protection
Most breached principle in
2012

17. Data Protection Act 1998
 Applies to customers as well
as employees
 Personal data
 Name, address, NI Number
 Sensitive data
 Political views, religion,
ethnicity
 Data subject access requests
 Enforced by the Information
Commissioner’s Office

18. Data Protection Non-compliance
 Monetary – up to £500,000
 Undertaking
 Prosecution

19. Privacy and Electronic
Communications Regulations
 Electronic Marketing
Activities
 Email marketing and
SPAM
 Cookies
 Enforced by the Information
Commissioners Office

20. Cookies
 What is a Cookie?
 A small text file that stores user
information on their computer
 What is it used for?
 Shopping cart
 Personalisation
 Cookie Ingredients
 Domain
 Name
 Value
 Expiry
 Path
 Secure
 HTTP only

21. Privacy Directive 26 May 2012
 Website notification that cookies are in use
 Gives option/instructions how to disable and find further
information

22. Email Marketing and SPAM
 What is SPAM?
 Emails sent without consent
 Sent in bulk and impersonalised
 Email Marketing Regulations
 Consent must be given to receive marketing communications - except where there is a
defined relationship
 Must contain an unsubscribe link in the email
 ICO can investigate complaints relating to SPAM sent from the UK

23. Email Marketing and SPAM
 Consent
 User must “opt in” rather than
“opt out” – i.e. the check box
should be unticked
 Must be made clear that they are
consenting to receive
communications
 What is a defined
relationship/soft opt-in?
 Obtained customer details during
course of previous sale
transaction
 Marketing is of similar products
 Option to opt-out is given in
every future message

24. PECR Non-compliance
 Written request for
compliance
 Monetary – up to £500,000
 Undertaking
 Prosecution

25. Managerial Implications
 Large fines
 Reputational damage
 Trust
 Angry customers

26. Managerial/Consumer
Preventative Measures
 Appoint a Data Controller for your
organisation who will be
responsible for DPA and PECR
obligations – legal obligation under
DPA
 Ensure fully compliant with all
legislation and regulations
 Security and privacy notices on
the website in plain English to
reassure customers
 Be careful who your email address
is given to
 Don’t click on spam and
attachments
 Unsubscribe/ Opt out

27. Conclusion
 Security
 Priority
 Reassurance for customers
 Privacy
 Comply with laws and regulations
to avoid punishment
 Reassurance for customers
 For more information:
 Symantec Internet Security
Threat Report 2011 (published
April 2012)
 ICO website

28. References
 Chaffey, D., 2013. Website Security Requirements. [online]. Available at:
http://www.smartinsights.com/ecommerce/payment-security/website-security-
requirements/ [accessed 28 February 2013]
 Chaffey, D., 2012. Research on consumer attitudes to online privacy. [online]. Available
at: http://www.smartinsights.com/marketplace-analysis/customer-analysis/research-on-
consumer-attitudes-to-online-privacy/ [accessed 28 February 2013]
 Chaffey, D., Mayer, R., Johnston, K. and Ellis-Chadwick, F., 2000. Internet Marketing.
Essex: Pearson.
 Financial Ombudsman Service, 2013. Disputed technical transaction. [online]. Available at:
http://www.financial-ombudsman.org.uk/publications/technical_notes/disputed-
transactions.htm [accessed 10 March 2013]
 Global Sign, 2013. Security Certificates. [Online]. Available at:
https://www.globalsign.co.uk/ssl/domain-ssl/ [accessed 18 March 2013]
 Halliday, J., 2012. The Guardian reaches nearly 9 million readers across print and online.
[online]. Available at: http://www.guardian.co.uk/media/2012/sep/12/guardian-9-
million-readers-nrs [accessed 10 March 2013]
 Information Commissioner’s Office, 2013. Data Protection Act Claiming Compensation.
[online] available at:
http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/c
laiming_compensation.pdf [accessed 12 March 2013]
 Information Commissioner’s Office, 2013. Electronic Mail (Regulations 22 and 23). [online]
available at:
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_gui
de/electronic_mail.aspx [accessed 10 March 2013]
 Information Commissioner’s Office, 2013. Privacy and Electronic Communications
Regulations. [online] available
at:http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications.aspx
[accessed 3 March 2013]
 Information Commissioner’s Office, 2013. Sensitive details of NHS staff
published by Trust in Devon. [online] available at:
http://www.ico.gov.uk/news/latest_news/2012/sensitive-details-of-nhs-staff-
published-by-devon-trust-06082012.aspx
 Information Commissioner’s Office, 2013. Viral Marketing. [online] available at:
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_gui
de/viral_marketing.aspx [accessed 3 March 2013]
 Oremus, W., 2013. Unprotected Sects. [online] Available at:
http://www.slate.com/articles/technology/technology/2012/05/malware_and_computer_vi
ruses_they_ve_left_porn_sites_for_religious_sites_.html [accessed 12 March 2013]
 Norton, 2013. Phishing [online]. Available at:
http://uk.norton.com/security_response/phishing.jsp [accessed 10 March 2013]
 Paypal, 2013. Security. [online]. Available at:
https://www.paypal.com/uk/webapps/mpp/paypal-safety-and-security [accessed 10 March
2013]
 Perlroth, N, 2012. Six big banks targeted in online attacks. [online. Available at:
http://www.bostonglobe.com/business/2012/09/30/banks-hits-wave-computer-attacks-
group-claiming-middle-east-ties/gsE6W3V57nBAYrko1ag8rN/story.html [accessed 10 March
2013]
 Seltzer, L, 2010. ‘I Love You’ virus turns ten: what have we learned? [online]. Available
at: http://www.pcmag.com/article2/0,2817,2363172,00.asp [accessed 28 February 2013]
 Symantec, (2012). Internet Security Threat Report 2011{online]. Available at:
http://www.symantec.com/content/en/us/enterprise/other_resources/b-
istr_main_report_2011_21239364.en-us.pdf [ accessed 12 March 2013]
 Teixera, R, 2007. Top five small business internet security threats. [online]. Available at:
http://smallbiztrends.com/2007/06/top-five-small-business-internet-security-threats.html
[accessed 3 March 2013].
 Watson Hall, 2013. Top 10 Website Security Issues. [online]. Available at:
https://www.watsonhall.com/resources/downloads/top10-website-security-issues.pdf
[accessed 28 February 2013]