Personal data we provide online is, to a certain extent, beyond our control. To process purchases, online stores also request sensitive customer data such as postal addresses and payment information. Store operators have to retain this data for ten years and protect it at the same time.
iXtenso spoke with Dr. Peter Schill about customer data protection in online stores. Schill explains where the difficulties lie and how theft and data abuse can be prevented. He is Department Head of Data Protection & Data Security at the German Federation of Service for Online Providers (BDOA) and Managing Director Sales & Marketing at Leading Security Experts GmbH in Darmstadt.
Under what conditions may store operators store customer data? How long may they keep it and what may they do with it?
An operator may only collect and store customer data for the purpose of the order he/she is asked to fill. This is clearly regulated. Generally, he has to request all the data he needs: if the product is sent by mail, he needs a postal address; if he sends out an e-mail confirmation, he also needs an e-mail address. Normally, he does not have to delete the collected data. On the contrary, for tax purposes, data that is required for the traceability of the business deal has to be stored for ten years. Under the data privacy laws, however, every customer can demand that the data be locked or no longer used after the order has been processed. The customer has to explicitly authorize any further data processing, storage or use. However, he/she cannot request a deletion per se.
What is the current technical standard for customer data protection? What methods are people using to obtain unauthorized access to this data?
Unfortunately, there is no technical standard. Although there are methods to protect data, there are no mandatory regulations. Typically, every attacker from the outside first tries to find a weak spot in the store. This could be an old web server version, for instance, that has a known weak spot. Older versions of shop applications that were not patched can also have known weak spots. Many web shop systems are also not being used in the condition in which they were supplied to the customer. The store owner can install additional upgrades. If those have not been carefully checked, access via input fields might be possible.
If an attacker has gained access to the system, he will try to access the databases. He will check whether he can gain administrator access or whether the system has a weak or default password. Cross-site scripting is also very popular.
Where does the store operator find assistance, if he/she has problems with compliance or the implementation of data protection?
There are various organizations, such as the German Federation of Service for Online Providers, that provide help. The Federal Office for Information Security as well as the TÜV (Technical Inspection Agency) provide handouts and information pamphlets on this topic. Many organizations that specialize in data protection provide free information, also for download. Normally, a personal consultation entails a fee.
What are possible legal consequences for lacking data protection? In the worst-case scenario, what happens if customer data is lost?
When data is lost, this usually constitutes a violation of privacy policy. In case of negligence, the store operator might have to pay corresponding penalties or receive warnings. In addition, customers can file claims for damages if they were harmed by the data loss. The store owner is liable, since he/she is also responsible for data security.
What is important to know for international transactions? Do store operators have to respect data protection acts of other countries or does German law generally apply if the company headquarters are in Germany?
When a transaction is made in Germany and it is a German store, German data privacy laws apply, even if a German store ships goods abroad. The jurisdiction of the country that collects the data applies in this case. We are lucky this way, because German data privacy laws are very strict.
In closing, can you make a recommendation to store owners: are there rules or regulations that ensure effective data protection?
You have to differentiate between the organizational and technical aspects of data protection in this case. On the organizational side, every employee who has access to data has to be trained, of course. He/she has to sign a corresponding data privacy statement. Only those employees who actually have to handle data should be granted access to the data.
On the technical side of things, the easiest way to protect data is to operate the database on another, specially secured server, and not on the shop server. If someone were able to invade the shop system, he/she would not automatically gain access to the database. Of course, it is also very important to install all patches, so the system is at the latest security level. The administrators should use secure two-factor authentication. If the data is highly sensitive, the operator should consider a system that allows data encryption. However, the question in this case is always whether the operator is able to afford this type of system. This is especially difficult for small shops. The systems are then located at large hosting companies and the operator has no influence over them. Maybe he/she also does not have his/her own server, but just leased web space. This way, the technical protection options with smaller systems are oftentimes fewer than with large ones.
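Schill mentions above that an unchecked upgrade can make "access via input fields" possible, and that an attacker who gets into the shop system then goes for the database. The following is an added example, not part of the interview or of any product Schill describes, that shows the most common form of that problem in a shop's order-lookup code: a query built by string concatenation lets the content of the order-number field rewrite the SQL and dump the whole customer table, while a parameterized query treats the same input as a plain value. The customer rows, the table layout and the function names are constructed for this illustration; the example uses an in-memory SQLite database so it runs offline.

```python
"""Added example: an order-lookup input field that exposes the customer
table through SQL injection, beside the parameterized query that does not.
All data below is constructed for the illustration; the table layout and
function names are assumptions, not taken from any real shop system."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory customer table with a few constructed rows
    of the kind an online store has to retain (name, address, payment)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "order_id TEXT, name TEXT, address TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [
            ("A-1001", "Anna Beispiel", "Musterstr. 1, Darmstadt", "4242"),
            ("A-1002", "Bernd Muster", "Hauptstr. 9, Mainz", "1881"),
            ("A-1003", "Clara Schmidt", "Ringweg 3, Frankfurt", "7730"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, order_id: str) -> list:
    """Lookup as a badly checked shop add-on might do it: the text typed into
    the order-number field is pasted straight into the SQL statement, so
    the input can close the quoted literal and append its own condition."""
    sql = (
        "SELECT order_id, name, address, card_last4 FROM customers "
        f"WHERE order_id = '{order_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, order_id: str) -> list:
    """Same lookup with a parameterized query: the driver sends the value
    separately from the statement, so quotes in the input stay data."""
    sql = (
        "SELECT order_id, name, address, card_last4 FROM customers "
        "WHERE order_id = ?"
    )
    return conn.execute(sql, (order_id,)).fetchall()


# Text an attacker could type into the order-number field. In the vulnerable
# function it turns the WHERE clause into
#   order_id = '' OR '1'='1'
# which is true for every row in the table.
INJECTED_INPUT = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, honest input :", lookup_vulnerable(db, "A-1001"))
    print("vulnerable, injected input:", lookup_vulnerable(db, INJECTED_INPUT))
    print("hardened, injected input :", lookup_hardened(db, INJECTED_INPUT))
```

The vulnerable lookup returns one row for a genuine order number but all three customers for the injected input; the hardened lookup returns nothing for the injected input because no order is literally named `' OR '1'='1`. The fix is the same on any database backend: never build SQL from input-field contents, always bind them as parameters, and in line with the separation Schill recommends, let the shop server reach the database only through an account that cannot read more than the lookup needs.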
Interview conducted by Timo Roth; iXtenso.com
First publication on EuroCIS.com