JORDANNE BARRETT

Blog

Views are my own

Being #Cyberaware in the Community

11/18/2018

Read about my interesting way of giving back to the community for Cybersecurity Awareness Month in October on Medium. 
https://medium.com/@jordanne_76409/being-cyberaware-in-the-community-3a922a5fbc6a

Cybersecurity Privacy Law Certificate

11/18/2018

Read about my experience with Mitchell Hamline's Cybersecurity and Privacy Law certificate.
https://medium.com/@jordanne_76409/cybersecurity-privacy-law-certificate-dda2743a4c4d

“How ‘The Wire’ Taught Me Encryption”

8/23/2018

https://medium.com/@jordanne_76409/how-the-wire-taught-me-encryption-131265bbc0c

Secure the card? TLS 1.1

6/25/2018

While on a mission to “secure the bag” by making sure you are getting your finances together, are you also making sure you are securing the credit card transactions on your e-commerce website? June 30, 2018 is the last day to upgrade to the newer encryption protocol TLS 1.1 or higher to maintain PCI DSS compliance. If you are using a hosted shopping cart or payment card system, your providers should have this taken care of; if you are using payment card systems that do not support TLS 1.1 or higher, you will NOT be able to process credit card transactions starting on July 1, 2018.

What does this mean?

Transport Layer Security (TLS) is an encryption protocol used to establish a secure communications channel between two systems. Initially developed as Secure Sockets Layer (SSL) in the 90s, it has been revised continuously over the decades to better protect the confidentiality and integrity of information, progressing through SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 and soon TLS 1.3. If your website and/or payment systems have not been upgraded to use TLS 1.1 or higher, they remain exposed to known security vulnerabilities such as POODLE and BEAST.

How does this affect my website?

When a customer visits your website and makes a purchase, there needs to be a safeguard such as an encryption protocol in place so that information can be transferred from one device to another without interference. For your website to accept secure transactions it is most likely using an SSL certificate, which gives your customers the peace of mind of seeing the green padlock in their browser. With financial and credit card fraud rampant online, the PCI Council has worked to create a secure standard for data protection by requiring that TLS 1.0 be decommissioned by June 30, 2018.

Are you ready?

Many websites, e-commerce carts, and payment card systems have most likely already made provisions to move off TLS 1.0; be sure to reach out to your provider's support team for more information. The TLS 1.0 cutoff also affects browsers, so upgrade all browsers on all your devices. If you have customers using very old iOS or Android software, out-of-date browsers, out-of-date computers, iPads or tablets that are not compatible with TLS 1.1 or higher, they will not be able to make purchases from your website. Qualys provides a tool to check your system's compatibility here.
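As an added illustration (not part of the original post) of what the version negotiation described above looks like on the wire: the ClientHello bytes below are constructed inline rather than captured, and the parser reports which TLS versions a client offers, so you can spot legacy TLS 1.0-only clients in your own traffic before the cutoff. The helper names are my own.

```python
import struct

SUPPORTED_VERSIONS_EXT = 0x002B          # extension id from RFC 8446
NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
PCI_MINIMUM = 0x0302                     # TLS 1.1, the floor named in the post

def build_client_hello(legacy_version, supported_versions=None):
    """Constructed sample ClientHello record (not a real capture): one
    cipher suite, empty session id, optional supported_versions extension."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"
    body += struct.pack("!H", 2) + b"\x13\x01"       # cipher_suites
    body += b"\x01\x00"                               # compression_methods
    exts = b""
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = bytes([len(vers)]) + vers
        exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext)) + ext
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big")      # handshake type + length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs) + len(body)) + hs + body

def offered_versions(record):
    """Return the TLS versions a ClientHello offers. When supported_versions
    is present it is authoritative and legacy_version is ignored (RFC 8446)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:]                                 # skip record + handshake headers
    versions = [struct.unpack("!H", body[:2])[0]]    # legacy_version
    pos = 2 + 32                                      # skip client random
    pos += 1 + body[pos]                              # skip session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    pos += 1 + body[pos]                              # skip compression methods
    if pos < len(body):                               # extensions block present
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            if etype == SUPPORTED_VERSIONS_EXT:
                versions = [struct.unpack("!H", data[i:i + 2])[0]
                            for i in range(1, 1 + data[0], 2)]
            pos += 4 + elen
    return versions

def meets_pci_minimum(record):
    """True if the client can negotiate TLS 1.1 or higher, as the post requires."""
    return max(offered_versions(record)) >= PCI_MINIMUM
```

A client whose ClientHello offers only 0x0301 (TLS 1.0) is the kind of customer device the post says will stop working after June 30, 2018; use NAMES to print the versions in a readable form.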

Additional Resources:
  • OWASP TLS 1.3
  • PCI Council on TLS ending June 30, 2018

How will GDPR impact your eCommerce business?

5/3/2018

By now you have most likely been seeing references to GDPR all over your social media timelines. If you own a business that offers products or services through an eCommerce site you should be aware of what GDPR is and how it will impact how you conduct business with your customers in the EU.

What exactly is GDPR?
The General Data Protection Regulation (GDPR) is a data protection law passed in 2016 that derives from the 1995 Data Protection Directive and is focused on protecting the personal data of EU citizens and residents.

With recent events such as the Equifax breach and Facebook’s Cambridge incident, the amount of information being collected about us involuntarily is disturbing, especially when you find out that hackers now hold information you never gave explicit consent to have collected.

The deadline for compliance is May 25, 2018. I am not sure if it is a strict deadline, but your organization should be able to demonstrate that steps are being taken to at least meet compliance.

Consequences
Currently the penalty for GDPR non-compliance is up to 4% of your organization’s global turnover or $20 million, whichever is greater.

What is your organization's responsibility?
Ignorance of the law is never an excuse. This information is not legal advice; the best advice I will give you is to contact a lawyer for guidance on what your organization should be doing to meet compliance.

Your business is defined as a data controller; your hosting company would be defined as a data processor.

Part of your organization's due diligence would be to reach out to your email marketing vendor, shopping cart vendor and email hosting company to find out what actions have been taken to make sure that the services you are using meet compliance. Also check each vendor's website; they may have a section dedicated specifically to GDPR or an updated privacy policy.

Steps your organization can take for compliance
  1. Review HOW data is being stored and WHERE data is being stored
    1. Review all assets within the company to find out where PII (personally identifiable information) such as customer emails, addresses, phone numbers and usernames is being stored. Your organization should be able to account for everywhere information is stored, along with the business justification and the length of time it is retained.
  2. Update Privacy Policy
    1. Be sure to review your organization’s Privacy Policy to address GDPR compliance.
  3. Be Transparent
    1. Be completely honest with your customers about what information is being collected when they visit your website (IP address, cookies, name, address, etc.).
    2. State how and where personal information is being processed (Marketing, Sales, Billing, etc.).
    3. Explicitly state where customers can contact your organization to request access to their stored personal data and/or request its removal. Make sure your employees are properly trained on how to handle removal requests.
  4. Consent
    1. Customers should give explicit consent on any web forms on your website. No more pre-checked boxes agreeing to subscribe to emails, agreeing to terms of service, or agreeing to the use of cookies. Any current opt-in options on your site should be removed or simply unchecked by default.
  5. Create a data breach plan
    1. Have a plan for if your site is compromised and personal information is leaked. Know the laws of your state and the EU for disclosing data breaches.

General Tips
  • Contact a lawyer for legal advice on your organization meeting GDPR compliance.
  • Abandoned cart emails should only be sent if the customer explicitly checks a box giving your website permission to remind them of their shopping cart.
  • Have a process in place for removing customer information if they request ‘to be forgotten’. You have 30 days to reply to customers requesting that their information be removed.
  • GDPR requires all data breaches to be reported within 72 hours.
  • Check your web hosting provider's website for GDPR-compliant modules (WordPress, OpenCart, etc.).
  • Only collect information your organization needs, nothing more, nothing less, including in backups.
  • Review any contracts you have with third parties, and check for privacy notices and GDPR information.
  • Seek legal advice on whether your organization needs a Data Protection Officer.
  • If your website is geared towards kids, be sure to review the laws of consent for storing children's personal information.

Helpful Links
Guide to the General Data Protection Regulation (GDPR)
General Data Protection Guide
Data Protection in the EU

