The digital economy has become increasingly important worldwide, and Monaco is no exception: numerous commercial sites have been created. The Commission would therefore like to remind data controllers of the good practices that must be followed when operating such sites, so that the data they hold enjoys an adequate level of security and the processing complies with the standards protecting personal data.
It is worth reiterating that individuals who open an account on one of these sites expect their data to be protected and, obviously, to be inaccessible to third parties. As indicated by the report on the draft law relating to the Digital Economy, we must create "the optimal conditions of trust in a digital economy". Sharing, even unintentionally, the buying patterns, concerns and interests of clients who do not wish to share such data would obviously be a serious breach of their privacy.
Here, therefore, are the essential points that a data controller in charge of operating a site must be aware of.
Secure the data exchanges on the site: setting up the HTTPS protocol
It is absolutely essential that the technical measures deployed by the webmaster of the Internet site guarantee the security of the data stored or exchanged.
The data controller must therefore take the necessary measures to shield the processed data against any breach of confidentiality by putting in place a secure communication protocol: SSL or TLS. For non-experts, this means making the site HTTP « S », which is shown by the green lock in the address bar of your browser. It means that data transiting through the site is encrypted and therefore protected.
Data transiting via non-secure communication channels must be subject to technical measures that render it incomprehensible to any unauthorised person.
Establish an effective password policy.
The data controller must ensure that users identify themselves individually using an identifier and a password deemed strong, or by any other authentication means that provides equivalent security. The data controller must not know the passwords of his users.
A side note on password strength: the more characters a password has, the stronger and more robust it is. If those characters mix lowercase letters, uppercase letters, digits and special characters, security is further increased. Bear in mind that the capacity of the password-cracking tools used to break passwords has accelerated in recent years. The following table indicates the time required to break a password, depending on its complexity, in 2011:
Today there are various methods for breaking passwords (brute force, Monte Carlo sampling methods using Markov chains, dictionary attacks, and so on), and with such methods the time needed to break a password, for example one containing 6 lowercase characters, is now only a few seconds. Here are some recommendations when choosing a password:
- Use keyboard combinations.
- Use mnemonics: a string of characters that is too complicated can be difficult to remember. It should be possible to use a sentence or a meaningful word.
- A password for each user account: it is recommended to choose one password per account. Failing that, it is recommended to apply this rule to all sensitive accounts (for example, online banking). A password manager helps to alleviate this difficulty.
- Change passwords frequently: changing passwords frequently is an easy way to avoid attacks such as phishing (identity theft). For example, for a password of 8 characters, changing it every 3 months is appropriate; six months for a password of 9 characters.
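As an added illustration (not code from the Commission's page), the following Python shows how a site can enforce the character-class and length recommendations above and still satisfy the rule that the controller must not know the passwords of his users: only a random salt and a memory-hard scrypt derivation are stored, and verification re-derives and compares in constant time. The minimum length of 8 and the scrypt cost parameters are assumptions for this example.

```python
import hashlib
import hmac
import os
import string

# Policy thresholds are an assumption for this example; the page gives no exact figures.
MIN_LENGTH = 8
SPECIALS = set(string.punctuation)


def password_strength_issues(password: str) -> list:
    """Return the rules a candidate password fails; an empty list means it is accepted."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        issues.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        issues.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        issues.append("no digit")
    if not any(c in SPECIALS for c in password):
        issues.append("no special character")
    return issues


def _scrypt(password: str, salt: bytes) -> bytes:
    # Memory-hard derivation; cost parameters chosen for the example.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str) -> str:
    """Store a fresh random salt plus the derived key: the controller never keeps the password."""
    issues = password_strength_issues(password)
    if issues:
        raise ValueError("password rejected by policy: " + ", ".join(issues))
    salt = os.urandom(16)
    return "scrypt$%s$%s" % (salt.hex(), _scrypt(password, salt).hex())


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    algo, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    derived = _scrypt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(derived, bytes.fromhex(key_hex))
```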
Pitfalls when choosing passwords – best to avoid:
Be particularly careful to protect data relating to credit cards
The only data required to make a remote transaction by credit card are the number of the card, the expiry date, and the visual cryptogram (the three digits on the back of a credit card).
Online payments and the retention of credit card numbers must be subject to traceability measures, so that any illegitimate access to the data can be detected a posteriori and attributed to the person who accessed it. Since credit card data is particularly sensitive, it is important to know which people within the commercial site could have had access to it.
The data controller must take all appropriate organisational and technical measures to preserve the security, integrity and confidentiality of credit card numbers against unauthorised access, use, misappropriation, communication or modification, by using secure payment systems in accordance with the state of the art and the applicable rules. These data must be encrypted with a strong encryption algorithm.
When the data controller keeps credit card numbers as final proof in case a transaction is disputed, these numbers must be subject to technical measures that prevent any illegitimate reuse or any re-identification of the persons concerned. Such measures may include storing the credit card numbers in hashed form using a secret key.
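The two measures just described, a keyed hash of the card number for dispute proof and an access trail for a posteriori attribution, as an added Python example (not the Commission's code). It stores an HMAC-SHA256 reference plus the last four digits instead of the number, lets a disputed transaction be matched against that reference, and logs who accessed a reference and why. The secret key, the in-memory log and the sample card number are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed key for this example; in production it lives in a key store,
# separate from the database holding the references.
SECRET_KEY = b"example-only-secret-key-replace-me"

ACCESS_LOG = []  # traceability: who accessed which reference, when, and why


def card_reference(pan: str) -> str:
    """Keyed hash (HMAC-SHA256) of the card number; only the last four digits stay readable."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number must have 13 to 19 digits")
    tag = hmac.new(SECRET_KEY, digits.encode("ascii"), hashlib.sha256).hexdigest()
    return tag + ":" + digits[-4:]


def matches(pan: str, reference: str) -> bool:
    """Check a disputed transaction's card against a stored reference, without the number on file."""
    return hmac.compare_digest(card_reference(pan), reference)


def record_access(user: str, reference: str, purpose: str) -> dict:
    """Append an access entry so that any later illegitimate access can be attributed."""
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "reference": reference,
        "purpose": purpose,
    }
    ACCESS_LOG.append(entry)
    return entry


def accesses_for(reference: str) -> list:
    """Who accessed a given reference and why: the a posteriori check the page calls for."""
    return [(e["user"], e["purpose"]) for e in ACCESS_LOG if e["reference"] == reference]
```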
Furthermore, considering the sensitivity of these data, the credit card number shall not be used as a commercial identifier.
The data controller or his third-party service provider shall not request any photocopy or digital copy of the front or back of the payment card, even if the visual cryptogram and the numbers are partially hidden.
When the credit card number is collected by telephone, security measures such as traceability of access to the card data must be put in place. An alternative secure solution, at no additional cost, should be offered to clients who do not wish to transmit their credit card details in this way.
The Commission is particularly vigilant about the collection of identity documents. The goal is to combat theft and identity fraud, the illegitimate use of the personal data contained in these documents, and the consequences that may result for the victims.
On commercial sites, such collection is permitted only for the purpose of identifying the owner of the credit card, or for managing payment requests or refunds after participating in a game.
The Commission requires that the conditions of remote collection be protected and, in particular, that copies of identity documents be stored in a secured area. It is for that reason that the Commission adopted, by ruling n° 2015-113, a recommendation on the collection and retention of copies of official identity documents, which is available on its Internet site www.ccin.mc.
The Commission also recommends that the persons whose identity documents are copied be invited to transmit them in black and white and crossed out, in order to make them difficult to reproduce.
Apply adequate storage times
Data relating to credit cards must be deleted once the transaction has been completed, that is, when the payment is effective. The data may be kept in intermediate archives as proof, in case the transaction is disputed, for thirteen months after the debit. This period may be extended to fifteen months to take into account the possible use of a payment card with deferred debit.
These data may be kept longer subject to the express consent of the client, who has previously been informed of the purpose pursued (facilitating payment for regular clients, for example). This consent can be collected via a check box that is not selected by default, and cannot result from acceptance of the general terms and conditions. The data pertaining to the visual cryptogram must not be stored. When the expiry date of the card is reached, the data relating to that card must be deleted.
With regard to keeping copies of identity documents, these may be kept for a maximum of 6 months when they are used as supporting documents to verify the identity of the card holder concerned, and should be deleted as soon as the identity of the person concerned has been verified in relation to a refund or remote payment.
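The retention rules of this section carried through as an added Python example (not the Commission's code): thirteen months after the debit, fifteen for a deferred-debit card, never past the card's expiry date, longer only with express consent, six months for copies of identity documents, and no field at all for the visual cryptogram. The record structure and the in-memory purge are assumptions for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass
class StoredCard:
    debit_date: date            # day the payment was debited
    card_expiry: date           # last day of the card's validity
    deferred_debit: bool        # deferred-debit card: 15 months instead of 13
    consented_retention: bool   # express consent via a box not selected by default
    # deliberately no field for the visual cryptogram, which must never be stored


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic (clamps to the last day of the target month)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_deadline(rec: StoredCard) -> date:
    """Last day the card record may be kept."""
    archive_limit = add_months(rec.debit_date, 15 if rec.deferred_debit else 13)
    if rec.consented_retention:
        # consent allows keeping the number for regular clients, but never past expiry
        return rec.card_expiry
    return min(archive_limit, rec.card_expiry)


def must_delete(rec: StoredCard, today: date) -> bool:
    return today > retention_deadline(rec)


def purge(records: list, today: date) -> list:
    """Return the records that may still be kept on the given day."""
    return [r for r in records if not must_delete(r, today)]


def identity_copy_deadline(collected: date) -> date:
    """Copies of identity documents: 6 months at most (delete sooner once identity is verified)."""
    return add_months(collected, 6)
```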
Controlling access to information
Authorisations and passwords should be updated regularly, to ensure that only authorised persons can access the data relevant to carrying out their duties.
It is also appropriate to set up a logging mechanism that records accesses and processing operations. These log data should be kept for a period of three months to one year from the date they were collected.
Maintenance operations should be fully traceable, and hardware placed in storage should no longer contain personal data. Particular care is needed when replacing equipment, notably hard drives, which are a source of data leaks if the media are not correctly erased before being scrapped.
Clearly informing the concerned persons
The persons concerned should be informed, in the general conditions and/or in a dedicated section of the site, of their rights under article 14 of Law n° 1.165 of 23 December 1993, as amended.
What about cookies?
Provide contractually for the guarantees that ensure the protection of the data processed by service providers and subcontractors
The use of tools or software developed by a third party to implement the processing of personal data remains the responsibility of the data controller, who must in particular verify that the tools or software meet all the obligations required by article 17 of Law n° 1.165.
The data controller remains responsible for personal data communicated to or managed by subcontractors and, where applicable, the contract established between the parties must state the security objectives that the subcontractor must meet.
Update security
In the previous sections we saw that several security measures are needed today to protect personal data on these sites. But intrusion techniques, and malicious techniques generally, evolve, so security must evolve too. Once security is up to date, it is important to maintain that standard over time. Today's security may not be tomorrow's! For example, for HTTPS, we have already reached version TLS 2.1, and version 1.3 is being prepared.
A study on secure exchanges over the Internet showed that, whilst 30% of Internet users raise their level of security every quarter, 30% do not and continue to use obsolete security.