10 tips for entrepreneurs on how to protect users' private information
Whether you own an e-commerce site, a content platform, or any other kind of website, you find yourself today asking for an increasing amount of information from your users. The more you know about your users and their behavior, the better you can tailor your services or products to their needs, and so grow your traffic and conversion rates.
But are you making sure to protect the data with which they entrust you in return for your services?
Possessing this much private information puts you as an entrepreneur – and your business – on the line: incidents in which personal information is stolen and exposed are increasing, since new technologies make them easier to carry out.
Data hacking was a global issue last year, with human rights groups calling for companies like Google to stop handing over user data to governments, particularly during the United Nations’ 8th Internet Governance Forum 2013 (IGF) held in Indonesia.
According to Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than half a billion cases of breached sensitive records have occurred since 2005. Further, nearly four-fifths of small businesses whose users’ data has been stolen go bankrupt or face prodigious financial losses within 24 months of the breach.
In an attempt to help users protect themselves online, explaining how personal data can be easily tracked and breached while users can do so little about it, journalist John Naughton used an interesting but alarming comparison last September in The Guardian: “Imagine a gigantic, global web in which are trapped upwards of two billion flies. Most of those unfortunate creatures don't know – yet – that they are trapped. After all, they wandered cheerfully, willingly, into the web. Some of them even imagine that they could escape if they wanted to. We are those insects.”
Having our personal data exposed online in a vulnerable way is bad news. But there are several simple yet efficient ways to protect your users’ data from falling into the wrong hands.
On January 28th – Data Privacy Day – the US, Canada, and Europe commemorate the 1981 signing of convention 108, an international treaty dealing with privacy and data protection. On this occasion, we compiled ten tips for entrepreneurs to adhere to, in order to protect users’ private information:
- Limit the data. Ask only for the amount of data that is necessary for your services. The more data you own, the riskier it gets for the user – and your business.
- Keep it to yourself. Be careful what data you allow the public to see, especially when your service offers interactions between users such as following or chatting. It is best that your application implements features that prevent it from exposing personal information (e-mail addresses, phone numbers, photos, relationship statuses, and real names).
- Track and isolate it. Make sure you keep records of where the data is stored, and that it is stored offline, as wireless networks are very easy to hack into.
- Encrypt it. When exchanging data between two or more parties (from client to server, or between your APIs and databases), make sure the data is encrypted in transit. It is also important to obtain an HTTPS (TLS) certificate for further protection, especially for online stores.
- Protect the passwords. Never store passwords in plain text. Always hash them; encrypting is not enough. And make sure your own passwords are strong and protected as well. The difference between hashing and encryption: a) hashing is a one-way, irreversible process, which makes it impossible to get the real text back out of it. For example, ‘myPassword’ hashed with bcrypt would look something like ‘$2y$10$bq.VwaCeFqi6oaFEJ2iBkOpXqzSE6FuTpbqGUealxTCysOakK1WxK’. b) Encrypting is a reversible process in which text is enclosed in a ‘digital envelope’ protected by a secret. Think of it as a safe for which only you (your application) have the key.
- Destroy it when you are done. For example, the ‘password reset’ tokens you send to your clients by email, which allow the holder to change their password, should be destroyed once they have served their purpose. This also applies to offline practices: all papers and documents should be properly shredded before they are thrown away, to avoid any theft of information on hard copy.
- Update your anti-virus software regularly. Most breaches come in the form of a virus attack. You want to avoid a security breach like Snapchat’s, which was hacked two times in the past few months, exposing the usernames and phone numbers of more than 4.5 million accounts.
- Apply best practices in web security. Protect against common vulnerabilities, such as SQL injection and XSS attacks, which otherwise allow your website’s data to be hacked or stolen.
- Implement privacy regulations. Make sure all your employees understand the importance of keeping clients’ information private. Don’t allow internal gossip unless it is relevant for the business.
- Inform your users. Most importantly keep your clients apprised of how you are going to be using their data, who will be able to see it, and when.
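Three of the tips above are things a developer can check in code: hashing passwords rather than storing or encrypting them (tip 5), destroying password-reset tokens once they have been used or have expired (tip 6), and keeping user input out of SQL statements (tip 8). The following is an added example written for this article, not code from the original post or from any product it mentions. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of the bcrypt hash shown above, an in-memory SQLite database, and a hypothetical `UserStore` class; the iteration count, the 15-minute token lifetime and the sample user are assumptions of the example.

```python
"""Added example (not from the article): a minimal user store that hashes
passwords (tip 5), issues single-use expiring reset tokens (tip 6) and only
talks to the database through parameterized queries (tip 8).  The class name,
schema, PBKDF2 cost and token lifetime are assumptions of this example."""
import hashlib
import hmac
import os
import secrets
import sqlite3
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumed cost: slow enough to make guessing expensive
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset token


def hash_password(password: str) -> str:
    """Salted, one-way PBKDF2-HMAC-SHA256 hash; the stored string never contains the password."""
    salt = os.urandom(16)   # fresh salt: equal passwords give different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and cost, compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def _token_hash(token: str) -> str:
    """Reset tokens are stored hashed, so a leaked table row is not a usable link."""
    return hashlib.sha256(token.encode()).hexdigest()


class UserStore:
    """In-memory SQLite store; every query binds user input through '?' placeholders."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            "CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL);"
            "CREATE TABLE reset_tokens (token_hash TEXT PRIMARY KEY, email TEXT NOT NULL,"
            " expires_at REAL NOT NULL);")

    def register(self, email: str, password: str) -> None:
        # Tip 8: the email travels as a bound parameter, never spliced into the SQL text.
        self.db.execute("INSERT INTO users (email, password_hash) VALUES (?, ?)",
                        (email, hash_password(password)))
        self.db.commit()

    def login(self, email: str, password: str) -> bool:
        row = self.db.execute("SELECT password_hash FROM users WHERE email = ?",
                              (email,)).fetchone()
        return row is not None and verify_password(password, row[0])

    def issue_reset_token(self, email: str, now: Optional[float] = None) -> str:
        """Create a random token, keep only its hash and expiry, return the token to e-mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.db.execute(
            "INSERT INTO reset_tokens (token_hash, email, expires_at) VALUES (?, ?, ?)",
            (_token_hash(token), email, now + TOKEN_TTL_SECONDS))
        self.db.commit()
        return token

    def redeem_reset_token(self, token: str, new_password: str,
                           now: Optional[float] = None) -> bool:
        """Change the password if the token is known and unexpired; destroy it either way."""
        now = time.time() if now is None else now
        token_hash = _token_hash(token)
        row = self.db.execute(
            "SELECT email, expires_at FROM reset_tokens WHERE token_hash = ?",
            (token_hash,)).fetchone()
        # Tip 6: delete on first presentation, valid or not, so the token can never be replayed.
        self.db.execute("DELETE FROM reset_tokens WHERE token_hash = ?", (token_hash,))
        self.db.commit()
        if row is None or row[1] < now:
            return False
        self.db.execute("UPDATE users SET password_hash = ? WHERE email = ?",
                        (hash_password(new_password), row[0]))
        self.db.commit()
        return True

    def purge_expired_tokens(self, now: Optional[float] = None) -> int:
        """Housekeeping: drop tokens that expired unused; returns how many were removed."""
        now = time.time() if now is None else now
        cursor = self.db.execute("DELETE FROM reset_tokens WHERE expires_at < ?", (now,))
        self.db.commit()
        return cursor.rowcount


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.com", "myPassword")   # constructed sample user
    print("login ok:", store.login("alice@example.com", "myPassword"))
    token = store.issue_reset_token("alice@example.com")
    print("reset ok:", store.redeem_reset_token(token, "newPassword"))
    print("replay ok:", store.redeem_reset_token(token, "again"))   # False: token destroyed
```

Two design points worth noting: the reset token itself is only ever held by the e-mail recipient, because the table stores its SHA-256 hash, and the token row is deleted the moment it is presented, before the expiry check, so neither a reused link nor an expired one can be turned into a password change. The `?` placeholders mean an input shaped like `' OR '1'='1` is compared as a literal e-mail address and simply matches no row.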