Data protection is a year-round concern. Tip of the day:
Every password must be strong, that is, made up of lowercase letters, uppercase letters, digits and special characters.

Operating an Internet site: Follow some good practices

The digital economy has become more and more important worldwide, and Monaco is no exception: numerous commercial sites have been created. The Commission therefore wishes to remind data controllers of the good habits to follow when operating such sites, so as to ensure an adequate level of security for the data they hold and to comply with the rules protecting personal data.

It is worth reiterating that individuals who open an account on one of these sites expect their data to be protected and, obviously, inaccessible to third parties. As the report on the draft law on the Digital Economy puts it, we must create "the optimal conditions of trust in a digital economy". Sharing, even unintentionally, the buying patterns, concerns and interests of clients who do not want them shared would obviously be a serious breach of their privacy.

Therefore, here are the essential points that a data controller in charge of operating a site must be aware of.

Secure data exchanges on the site: set up HTTPS

It is absolutely essential that the technical measures deployed by the webmaster of the Internet site guarantee the security of the data stored or exchanged.

The data controller must therefore take the necessary measures to shield the processed data against any breach of confidentiality by putting in place a secure communication protocol: TLS, the successor of SSL (the SSL versions themselves are obsolete and should be disabled). For non-experts: make the site "http S", which the browser signals with a padlock (historically green) in the address bar. It means that data transiting between the visitor and the site are encrypted in transit and therefore protected from eavesdropping and tampering on the network. It says nothing about how the data are protected once stored on the server, which the following sections address.

Data that transit over non-secure communication channels must be subject to technical measures that render them unintelligible to any unauthorised person (for example, encrypting the content itself before it is sent).
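The following is an added example, not code from the CCIN fact sheet: it shows how a site operator can enforce the "TLS only, nothing older than 1.2" rule in the site's own Python components using only the standard library, and how to self-check the resulting policy before deploying it. The certificate paths and the host name are assumptions.

```python
"""Added example (not from the CCIN fact sheet): TLS settings a site operator can apply
in Python with only the standard library.  Paths and host names are assumptions."""
import socket
import ssl

# Floor for every connection.  SSLv2/SSLv3 and TLS 1.0/1.1 are obsolete.
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """For the site's own outbound HTTPS calls (payment gateway, partner APIs):
    system trust store, hostname check, certificate required, TLS >= 1.2."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = MIN_VERSION
    return ctx


def hardened_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """For the site's own listener.  `certfile`/`keyfile` are assumed paths to the
    server certificate chain and private key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION
    # Forward-secret AEAD suites only for TLS 1.2; TLS 1.3 suites are always on.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def policy_report(ctx: ssl.SSLContext) -> dict:
    """Which protocol versions `ctx` would still negotiate, by name.  Used to
    self-check a context before deploying it."""
    upper = ctx.maximum_version
    if upper == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        upper = ssl.TLSVersion.TLSv1_3
    names = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")
    return {n: ctx.minimum_version <= ssl.TLSVersion[n] <= upper for n in names}


def negotiated(host: str, port: int = 443) -> tuple:
    """Connect with the hardened client context and report (protocol, cipher name).
    Network call: run it by hand, e.g. negotiated("www.ccin.mc")."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print(policy_report(hardened_client_context()))
```

`negotiated()` is the manual check: a site that reports `TLSv1.2` or `TLSv1.3` from it is compliant with the floor; one that cannot complete the handshake with this context is still offering only obsolete protocol versions.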

Establish an effective password policy.

The data controller must ensure that users identify themselves individually with an identifier and a password regarded as strong, or by any other authentication means providing equivalent security. The data controller must not know the passwords of its users: passwords must be stored only as salted hashes computed with a deliberately slow function, never in clear or in a reversible form, so that a leak of the user database does not hand the passwords to the attacker.
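The following is an added example, not code from the CCIN fact sheet: it shows what "the data controller must not know the passwords" looks like in practice, using the standard library's scrypt as the slow, salted hash, a constant-time comparison on verification, a transparent re-hash when the cost parameters are raised, and a reset token for the "forgotten password" flow (the site cannot send a password back because it never had it). The cost parameters are assumed values.

```python
"""Added example (not from the CCIN fact sheet): storing and checking user passwords
as salted scrypt hashes.  Cost parameters are assumed values."""
import hashlib
import hmac
import os
import secrets

# scrypt cost (assumed policy): N=2^14, r=8 needs ~16 MiB per guess, which is what
# makes offline cracking slow.  Raise N as hardware allows; needs_rehash() handles it.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DIGEST_LEN = 32


def hash_password(password: str) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'.
    The salt is random per user, so two users with the same password get
    different records and a precomputed table is useless."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False                      # malformed record is never an "accept"
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str) -> bool:
    """True if the record was made with weaker parameters than the current policy;
    call hash_password() again right after a successful login to upgrade it."""
    parts = record.split("$")
    return len(parts) != 6 or parts[0] != "scrypt" or int(parts[1]) < SCRYPT_N


def password_reset_token() -> str:
    """Unguessable one-time token for the 'forgotten password' flow."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec),
          verify_password("wrong", rec), needs_rehash(rec))
```

The record carries its own parameters, so the site can raise the cost later without invalidating existing accounts; `verify_password` rejects malformed records instead of raising, so a corrupted row cannot turn into an open door.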

A side note on password strength:

The more characters a password has, the stronger it is. Mixing lowercase letters, uppercase letters, digits and special characters increases the number of candidates an attacker has to try.

Remember that the capacity of password-cracking tools has grown considerably in recent years.

The following table indicates the time needed to break a password by exhaustive search, depending on its length and character set, as estimated in 2011 (the figures correspond to roughly half a million guesses per second):

Password length   Lowercase only   + uppercase   + digits and symbols
6 characters      10 minutes       10 hours      18 days
7 characters      4 hours          23 days       4 years
8 characters      4 days           3 years       463 years
9 characters      4 months         178 years     44,530 years

Today there are several methods for breaking passwords (brute force, dictionary attacks, Markov-chain models that try likely character sequences first, and so on), and the figures above are far too optimistic for current hardware: a 6-character lowercase password, for example, now falls in seconds. The table also assumes the attacker has to test each guess against a slow function; against a leaked database of fast, unsalted hashes, a single GPU tests billions of candidates per second, which is why the way passwords are stored (previous section) matters as much as their length.

Here are some recommendations when choosing a password:

Password length

  • Choose a password of a minimum of 8 characters

Mix character classes

  • Combine letters, digits, symbols and diacritics (^, ¨, $, !, #, /, etc.), alternating uppercase and lowercase

Use mnemonics

A string of characters that is too complicated is hard to remember. A sentence or a meaningful phrase can serve as the basis for the password.

A password for each user account

Use a different password for each account. Failing that, apply this rule at least to all sensitive accounts (online banking, for example). A password manager removes the difficulty of remembering them all.

Change passwords frequently

Changing a password limits the useful life of a password that has been captured, for example through phishing (identity theft); it does not prevent the phishing itself. As an indication: for an 8-character password, changing it every 3 months is appropriate, every six months for a 9-character password. Above all, change a password immediately whenever there is reason to believe it has been compromised.

 

Pitfalls to avoid when choosing a password:

  • Passwords that use information that is too obvious (for example, date of birth, place of birth, phone number);
  • A linear string of characters: 123456, azertyuiop;
  • Writing down passwords on a piece of paper.
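The following is an added example, not code from the CCIN fact sheet: it turns the recommendations and pitfalls above into a policy check (minimum length, character classes, keyboard and numeric sequences, personal data) and adds the exhaustive-search time estimate behind the 2011 table, so the same password can be evaluated at the table's guess rate and at the rates a practitioner should assume today. The "three classes" threshold, the keyboard rows and the guess rates are assumptions, not figures from the fact sheet.

```python
"""Added example (not from the CCIN fact sheet): password policy check and
exhaustive-search time estimate.  Thresholds, keyboard rows and guess rates are assumed."""
import string

MIN_LENGTH = 8
MIN_CLASSES = 3                      # assumed: at least three of the four classes below
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
# AZERTY and QWERTY rows plus the digit row, to spot linear strings like "azertyuiop".
KEYBOARD_ROWS = ["azertyuiop", "qsdfghjklm", "wxcvbn",
                 "qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789"]


def is_linear(pw: str, run: int = 4) -> bool:
    """True if `pw` contains `run`+ characters adjacent on a keyboard row or in the
    digit sequence, forwards or backwards (123456, azertyuiop, ...)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            if any(r[i:i + run] in low for i in range(len(r) - run + 1)):
                return True
    return False


def check_policy(pw: str, personal: tuple = ()) -> list:
    """Rules `pw` violates (empty list = acceptable).  `personal` holds facts an
    attacker could look up: birth date, town, phone number..."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, chars in CLASSES.items() if set(pw) & chars]
    if len(present) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if is_linear(pw):
        problems.append("contains a keyboard or numeric sequence")
    for fact in personal:
        if len(fact) >= 4 and fact.lower() in pw.lower():
            problems.append(f"contains personal data: {fact!r}")
    return problems


def keyspace(pw: str) -> int:
    """Candidates an exhaustive search of `pw`'s length and character classes must try."""
    size = sum(len(chars) for chars in CLASSES.values() if set(pw) & chars)
    return size ** len(pw)


def crack_time(pw: str, guesses_per_second: float) -> float:
    """Seconds to exhaust the keyspace at the given rate (the attacker needs half on average)."""
    return keyspace(pw) / guesses_per_second


def human(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.3g} seconds"


# Assumed guess rates: 5e5/s reproduces the 2011 table; 1e10/s is the order of
# magnitude of a GPU against a fast unsalted hash; 1e4/s the same GPU against scrypt.
RATES = {"2011 table": 5e5, "GPU vs fast hash": 1e10, "GPU vs scrypt": 1e4}

if __name__ == "__main__":
    for pw in ("monaco", "Monaco1", "azertyuiop1!", "Mon@co2011!"):
        print(pw, check_policy(pw, personal=("Monaco",)) or "OK")
        for label, rate in RATES.items():
            print(f"   {label:18s} {human(crack_time(pw, rate))}")
```

Run it and the first password reproduces the table's "10 minutes" at the 2011 rate, but drops to a fraction of a second against a leaked fast hash; the last column of the table, in other words, is a property of how the password is stored, not only of the password.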

Be particularly careful to protect data relating to credit cards

The only data required for a remote card transaction are the card number, the expiry date and the visual cryptogram (the three digits on the back of the card).

Online payments and the retention of card numbers must be subject to traceability measures, so that any illegitimate access to the data can be detected after the fact and attributed to the person who performed it. Card data being particularly sensitive, it is important to know which people within the commercial site could have had access to them.

The data controller must take all appropriate organisational and technical measures to preserve the security, the integrity, and the confidentiality of the credit card numbers against unauthorised access, usage, misappropriation, communication or modification by using secure payment systems in accordance with the state of the art and applicable rules. These data must be encrypted via a strong encryption algorithm.

When the data controller keeps card numbers as proof in case a transaction is disputed, those numbers must be subject to technical measures that prevent any illegitimate reuse or any re-identification of the persons concerned. One such measure is to store the card number as a keyed hash (an HMAC with a secret key held separately from the database). An unkeyed hash is not enough: once the issuer prefix and the last four digits shown on receipts are known, a 16-digit card number has only a few million candidates, and a plain hash of it can be reversed by simple enumeration.

Furthermore, considering the sensitivity of these data, the credit card number shall not be used as a commercial identifier.
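The following is an added example, not code from the CCIN fact sheet: it implements the keyed-hash token for a card number kept as dispute evidence, the masked display form, and, to make the caveat concrete, the enumeration attack that recovers a card number from an unkeyed hash once the masked form is known. The sample card number is a constructed Luhn-valid value, not a real account, and the key is a placeholder.

```python
"""Added example (not from the CCIN fact sheet): keeping a card number (PAN) as dispute
evidence as a keyed-hash token, and why an unkeyed hash would not protect it.
SAMPLE_PAN and the key are constructed test values."""
import hashlib
import hmac
import itertools
from typing import Optional


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_complete(body: str) -> str:
    """Append the check digit that makes `body` Luhn-valid (used to build test PANs)."""
    return next(body + d for d in "0123456789" if luhn_ok(body + d))


SAMPLE_PAN = luhn_complete("453914880343646")   # constructed, not a real account


def mask(pan: str) -> str:
    """Customer-facing form: issuer prefix and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def plain_hash(pan: str) -> str:
    """What NOT to store: an unkeyed SHA-256 of the PAN."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def pan_token(pan: str, key: bytes) -> str:
    """Keyed token (HMAC-SHA256).  Same PAN + same key -> same token, so a disputed
    transaction can still be matched to the card; without `key` the token reveals
    nothing.  Keep `key` in a secrets store or HSM, never in the same database."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def recover_from_plain_hash(target: str, prefix: str, suffix: str, unknown: int) -> Optional[str]:
    """Attack on an unkeyed hash: the masked form already gives prefix and suffix, so
    only `unknown` middle digits remain; enumerate them, keep Luhn-valid candidates,
    compare hashes.  Six unknown digits is about 10^5 SHA-256 calls: seconds."""
    for tail in itertools.product("0123456789", repeat=unknown):
        cand = prefix + "".join(tail) + suffix
        if luhn_ok(cand) and hashlib.sha256(cand.encode("ascii")).hexdigest() == target:
            return cand
    return None


if __name__ == "__main__":
    key = b"\x00" * 32                      # placeholder; use a random 32-byte key
    print(mask(SAMPLE_PAN), pan_token(SAMPLE_PAN, key)[:16] + "...")
    print("recovered from plain hash:",
          recover_from_plain_hash(plain_hash(SAMPLE_PAN), SAMPLE_PAN[:6], SAMPLE_PAN[-4:], 6))
    print("recovered from keyed token:",
          recover_from_plain_hash(pan_token(SAMPLE_PAN, key), SAMPLE_PAN[:6], SAMPLE_PAN[-4:], 6))
```

The first recovery call returns the full card number from nothing more than its masked form and an unkeyed hash; the second, run against the HMAC token, finds nothing, because every candidate would have to be tried with the secret key as well.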

The data controller or its third-party service provider shall not request a photocopy or digital copy of the front or back of the payment card, even with the visual cryptogram and part of the numbers hidden.

When the card number is collected by telephone, security measures such as traceability of access to the card data must be put in place. A secure alternative, at no extra cost, should be offered to clients who do not wish to transmit their card details in this way.

Regarding identity documents, the Commission is particularly vigilant about their collection. The goal is to fight theft and identity theft, the illegitimate use of the personal data these documents contain, and the consequences the victims may suffer.

For commercial sites, collecting them is permitted only to identify the holder of the credit card or to manage payment requests or refunds after participation in a game.

The Commission requires that the conditions of remote collection be protected, and in particular that copies of identity documents be stored in a secured storage area. For that reason the Commission adopted, by ruling n° 2015-113, a recommendation on the collection and retention of copies of official identity documents, available on its website www.ccin.mc.

The Commission also recommends that the persons whose identity-document copies are collected be invited to transmit them in black and white and crossed out, so that they are difficult to reproduce.

Apply adequate storage times

Card data must be deleted once the transaction is completed, that is, when the payment is effective. They may be kept as proof, in case the transaction is disputed, in intermediate archives for thirteen months after the debit. This period may be extended to fifteen months to take into account cards with deferred debit.

These data may be kept longer with the express consent of the client, previously informed of the purpose pursued (to simplify payment for regular clients, for example). This consent may be collected via a check box that is not ticked by default, and cannot be inferred from acceptance of the general terms and conditions. The visual cryptogram must never be stored. When the card's expiry date is reached, the data relating to that card must be deleted.

Copies of identity documents may be kept for a maximum of 6 months when used as supporting documents to verify the identity of the card holder, and must be deleted as soon as the identity of the person concerned has been verified for the refund or the remote payment.
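The following is an added example, not code from the CCIN fact sheet: it expresses the retention rules above (13 or 15 months after the debit, until card expiry only with express consent, identity copies gone on verification and at the latest after 6 months) as a purge schedule a nightly job could run, including the calendar edge case where "13 months after 31 January" must not overshoot February. The record fields, tokens and dates are constructed.

```python
"""Added example (not from the CCIN fact sheet): the retention rules above expressed as
a purge schedule.  Tokens, dates and the CardRecord fields are constructed assumptions."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

CARD_PROOF_MONTHS = 13            # dispute window after the debit
CARD_PROOF_MONTHS_DEFERRED = 15   # same, for deferred-debit cards
ID_COPY_MAX_MONTHS = 6            # copies of identity documents


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic clamped to the target month's last day
    (31 January + 1 month = 28/29 February), so a deadline never overshoots."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def card_expiry_end(mm_yy: str) -> date:
    """'MM/YY' printed on the card -> last day of that month."""
    mm, yy = mm_yy.split("/")
    y, m = 2000 + int(yy), int(mm)
    return date(y, m, calendar.monthrange(y, m)[1])


@dataclass
class CardRecord:
    token: str                      # keyed token or ciphertext of the PAN; no CVV, ever
    debited_on: str                 # ISO date of the debit
    expiry: str                     # "MM/YY"
    deferred_debit: bool = False
    express_consent: bool = False   # un-ticked checkbox, not the T&Cs


def card_purge_date(rec: CardRecord) -> date:
    """Date by which the record must be deleted.  With express consent the data may
    live until the card expires; otherwise only until the dispute window closes."""
    if rec.express_consent:
        return card_expiry_end(rec.expiry)
    months = CARD_PROOF_MONTHS_DEFERRED if rec.deferred_debit else CARD_PROOF_MONTHS
    return add_months(date.fromisoformat(rec.debited_on), months)


def id_copy_purge_date(collected_on: str, verified_on: Optional[str]) -> date:
    """Identity-document copy: gone as soon as the identity is verified, and at the
    latest 6 months after collection."""
    hard_limit = add_months(date.fromisoformat(collected_on), ID_COPY_MAX_MONTHS)
    if verified_on is None:
        return hard_limit
    return min(date.fromisoformat(verified_on), hard_limit)


def due_for_deletion(records, today: str) -> list:
    """Tokens whose purge date has been reached (what a nightly job would wipe)."""
    t = date.fromisoformat(today)
    return [r.token for r in records if card_purge_date(r) <= t]


if __name__ == "__main__":
    rows = [CardRecord("tok_a", "2016-03-10", "12/18"),
            CardRecord("tok_b", "2016-03-10", "12/18", deferred_debit=True),
            CardRecord("tok_c", "2016-03-10", "12/18", express_consent=True)]
    for r in rows:
        print(r.token, card_purge_date(r).isoformat())
    print(due_for_deletion(rows, "2017-06-10"))
```

The consent flag is a separate boolean on purpose: it must come from the un-ticked check box the text describes, and nothing in the purge logic should be able to infer it from acceptance of the general conditions.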

Controlling access to information

Authorisations and passwords should be reviewed regularly, so that only authorised persons can access the data needed to carry out their duties.

A logging mechanism should also be set up to record accesses and processing operations. These logs should be kept for three months to one year from the date they were collected.

Maintenance operations should be fully traceable, and equipment taken out of service should no longer contain personal data. Particular care is needed when replacing equipment, notably hard drives: storage media are a source of data leaks if they are not properly wiped before being scrapped.
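The following is an added example, not code from the CCIN fact sheet: it ties together the traceability requirement for card data (every access attributable to a person, illegitimate access detectable after the fact) and the log retention window above. It parses a constructed access log, runs three after-the-fact checks over it (purpose outside the person's role, an order reference that does not match the card accessed, many cards touched in a short window), and prunes entries older than the retention period. The log lines, orders and role table are constructed sample data.

```python
"""Added example (not from the CCIN fact sheet): an access log for card data and an
after-the-fact review that attributes every access to a person and flags the ones
no business event explains.  The log lines, orders and roles are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: "timestamp user purpose card_token order_ref" ('-' = no order cited)
SAMPLE_LOG = """\
2016-05-02T09:12:01 alice refund tok_a1 ORD-1001
2016-05-02T09:40:17 alice refund tok_b7 ORD-1002
2016-05-02T22:05:09 bob export tok_a1 -
2016-05-02T22:05:10 bob export tok_b7 -
2016-05-02T22:05:11 bob export tok_c3 -
2016-05-02T22:05:12 bob export tok_d9 -
2016-05-03T10:01:44 alice refund tok_c3 ORD-9999
"""
# Constructed business data: order -> token of the card that paid it.
ORDERS = {"ORD-1001": "tok_a1", "ORD-1002": "tok_b7", "ORD-1003": "tok_c3"}
# Constructed authorisation table: purposes each person may cite.
ROLE_PURPOSES = {"alice": {"refund"}, "bob": {"support"}}


def parse_log(text: str) -> list:
    entries = []
    for line in text.splitlines():
        ts, user, purpose, token, order = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user, "purpose": purpose,
                        "token": token, "order": None if order == "-" else order})
    return entries


def review(entries, orders, role_purposes, bulk: int = 3, window=timedelta(minutes=5)) -> list:
    """Findings as (user, kind, detail).  Three checks: purpose outside the person's
    role; order reference that does not match the card; `bulk` or more distinct cards
    touched by one person within `window` (the signature of an extraction)."""
    findings = []
    per_user = defaultdict(list)
    for e in entries:
        if e["purpose"] not in role_purposes.get(e["user"], set()):
            findings.append((e["user"], "purpose-not-allowed", e["token"]))
        if e["order"] is not None and orders.get(e["order"]) != e["token"]:
            findings.append((e["user"], "order-does-not-match", e["token"]))
        per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            tokens = {x["token"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(tokens) >= bulk:
                findings.append((user, "bulk-access", f"{len(tokens)} cards"))
                break
    return findings


def prune(entries, now_iso: str, retention_days: int = 365) -> list:
    """Keep only entries inside the retention window (three months to one year)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    return [e for e in entries if e["ts"] >= cutoff]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for finding in review(log, ORDERS, ROLE_PURPOSES):
        print(*finding)
    print(len(prune(log, "2017-05-03T00:00:00")), "entries kept after a 365-day purge")
```

The log only has value for attribution if the `user` field comes from the individual authentication required earlier in this sheet: shared accounts make every finding unattributable.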

Clearly informing the concerned persons

The persons concerned should be informed, in the general conditions and/or in a dedicated section of the site, of their rights under article 14 of Law n° 1.165 of 23 December 1993, as amended.

What about cookies

In line with neighbouring European countries, the Commission has decided to regulate strictly the use of cookies by Internet sites, by requiring that cookies be explicitly accepted by Internet users after they have been clearly informed of the purpose of those cookies.

Used to facilitate online navigation, cookies are small text files stored on the computer's hard drive as soon as the user browses the Internet.

They allow Internet sites to store a wide variety of personal information: data identifying the user (her electronic identifier, her e-mail address...) but also her browsing habits and preferences. Thanks to them, a user does not have to re-type the same information each time she visits the same site. Such cookies may remain on the user's computer for a variable duration of up to 13 months, and can be read and used not only by the site visited but also by partner advertisers or merchants, for marketing purposes.

The Commission has therefore considered, in accordance with article 14-2 of Law n° 1.165, that data controllers must inform their users of the use of cookies and of the means by which users can object. The Commission considers it forbidden to make access to a service available on a communications network conditional on the acceptance, by the subscriber or user concerned, of processing that stores information on her terminal equipment, except where the storage or technical access is solely for the purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or is strictly necessary to provide a service specifically requested by the subscriber or user.

The Commission distinguishes, on the one hand, technical and navigation cookies and, on the other hand, audience-measurement and navigation-tracking cookies.

For technical and navigation cookies, which facilitate moving between the pages of the same site and are necessary for certain features to work, the Commission considers that simply informing users is sufficient, since these cookies expire automatically when the browser is closed. Users should understand that if they disable cookies in their browser, access to the services provided by the site may be degraded or even refused.

For cookies used for audience measurement and navigation tracking, such as the Google Analytics module, which are powerful tools for analysing a site's traffic (number of views per page, time spent on each page, number of clicks, screen resolution, preferred language, sites visited, timestamps of pages visited...), the Commission makes their use subject to the express consent of the site's user.

This consent involves prior information of the persons concerned, for example via a pop-up describing the use of cookies on the site, and a script that records the visitor's consent.

The visitor should thus be able to indicate whether she accepts or refuses the use of cookies before entering the site and before the cookies are placed on her computer. If she accepts, the cookies are installed and she can continue browsing. If she refuses, a pop-up should inform her that her choice has been taken into account, that the cookies will not be installed on her computer, and that she can continue browsing.
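The following is an added example, not code from the CCIN fact sheet: it shows the server-side half of the consent flow just described, deciding per response which cookies may be set. The technical session cookie is always set and carries no Max-Age, so it dies with the browser; the visitor's choice is recorded in its own cookie; the audience-measurement cookie is set only after an explicit "yes", capped at 13 months, and is expired again if the visitor refuses or withdraws. The cookie names and placeholder values are assumptions.

```python
"""Added example (not from the CCIN fact sheet): deciding which cookies a response may
set, following the technical / audience-measurement split above.  Cookie names and
placeholder values are assumptions."""
from http.cookies import SimpleCookie
from typing import Optional

CONSENT_COOKIE = "cookie_consent"             # assumed name; value "yes" or "no"
ANALYTICS_COOKIE = "_analytics"               # stands for an audience-measurement cookie
THIRTEEN_MONTHS = 13 * 30 * 24 * 3600         # upper bound on cookie lifetime (approx.)


def parse_request_cookies(header: str) -> dict:
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def needs_banner(request_cookie_header: str) -> bool:
    """Show the consent pop-up until the visitor has made a choice."""
    return CONSENT_COOKIE not in parse_request_cookies(request_cookie_header)


def build_set_cookies(request_cookie_header: str, choice: Optional[str] = None) -> dict:
    """Set-Cookie header values to emit, keyed by cookie name.
    `choice` is 'yes' or 'no' on the request that submits the banner, else None."""
    incoming = parse_request_cookies(request_cookie_header)
    out = SimpleCookie()

    # Technical session cookie: allowed on simple information; no Max-Age, so it
    # disappears when the browser closes; HttpOnly keeps it away from page scripts.
    if "session" not in incoming:
        out["session"] = "sess_placeholder"      # real code: random, unguessable id
        out["session"].update({"path": "/", "secure": True, "httponly": True, "samesite": "Lax"})

    # The choice itself lives in a cookie (technical: it implements the opt-out).
    # Not HttpOnly, because the banner script needs to read it.
    if choice in ("yes", "no"):
        out[CONSENT_COOKIE] = choice
        out[CONSENT_COOKIE].update({"path": "/", "secure": True, "samesite": "Lax",
                                    "max-age": THIRTEEN_MONTHS})
        incoming[CONSENT_COOKIE] = choice

    consent = incoming.get(CONSENT_COOKIE)
    if consent == "yes" and ANALYTICS_COOKIE not in incoming:
        out[ANALYTICS_COOKIE] = "measure_placeholder"
        out[ANALYTICS_COOKIE].update({"path": "/", "secure": True, "samesite": "Lax",
                                      "max-age": THIRTEEN_MONTHS})
    elif consent != "yes" and ANALYTICS_COOKIE in incoming:
        # Refusal or withdrawal: expire a tracking cookie that is already there.
        out[ANALYTICS_COOKIE] = ""
        out[ANALYTICS_COOKIE].update({"path": "/", "max-age": 0})

    return {name: morsel.OutputString() for name, morsel in out.items()}


if __name__ == "__main__":
    for header, choice in (("", None), ("session=sess_placeholder", "yes"),
                           ("session=sess_placeholder; _analytics=measure_placeholder", "no")):
        print(repr(header), choice, "->", build_set_cookies(header, choice))
```

The tracking script itself must be loaded under the same condition: emitting no analytics cookie is pointless if the page still embeds the measurement script unconditionally.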

Provide contractual guarantees ensuring the protection of data processed with service providers and subcontractors

The use of tools or software developed by a third party to implement the processing of personal data remains under the responsibility of the data controller, who must in particular verify that the tools or software meet all the obligations required by article 17 of Law n° 1.165.

The data controller remains responsible for personal data communicated to or managed by subcontractors and, where applicable, the contract between the parties must state the security objectives the subcontractor must meet.

Keep security up to date

The previous sections listed several security measures needed today to protect personal data on sites. But intrusion techniques, and malicious techniques in general, evolve, so security must evolve too. Being up to date once is not enough: the standard must be maintained over time. Today's security may not be tomorrow's! For HTTPS, for example, TLS 1.2 is the current version and TLS 1.3 is being prepared (it was since published as RFC 8446 in August 2018), while SSL and the early TLS versions 1.0 and 1.1 are no longer considered secure and should be switched off.

A study on secure exchanges over the Internet showed that while 30% of Internet users raise their level of security every quarter, another 30% do not and keep using obsolete security.