GDPR: The Pandora’s Box is Open for Enterprise Websites

Authored by Chris Olson, CEO & Co-Founder, The Media Trust

This article originally appeared in Website Magazine in September 2017

Compliance officers need to rein in the regulatory risks associated with their digital properties. The European Union’s General Data Protection Regulation (GDPR) is a conversation starter for most companies looking to control compliance, reputational and revenue risks. However, while focus has been on identifying data elements–customer, partner and employee–held by the organization, most have overlooked the data collection activities occurring via the company’s websites and mobile apps. Just as with Pandora’s box, there’s a slew of GDPR-driven evil emitting from your digital properties. 

Digital vendors and the GDPR

The internet is a highly dynamic environment and most websites require a host of third-party providers to render content on a consumer’s browser. In fact, enterprises tend to find two to three times more external code on their websites than expected. The purpose of this code is to provide or enable services–data management platforms, image or video hosting, marketing analytics, content delivery, customer identification, payment processing, etc.–required to deliver the website experience. However, most enterprises are not aware of the full depth of their reliance on these vendors and therefore do not fully examine the code executing in their own digital environment. This results in “Digital Shadow IT”, which is rampant on most enterprise digital properties since a majority of third-party contributed code executing on the consumer browser operates outside IT infrastructure.

True, third-party digital vendors power today’s robust and feature-rich websites and apps; the downside, however, is that their code execution goes largely unchecked, enabling unauthorized and unmonitored data tracking. This applies to not only known third-party vendors, but also other vendors with whom they are associated—frequently an external provider needs to call a fourth, fifth and sixth party to help execute its requested service. This essentially means that not only do organizations need to get their own house in order, they need to ensure their digital vendors do so as well.

Reliance on web application security tools (appsec) to holistically monitor website and app code is misguided since current web appsec tools are inadequate in capturing third-party code execution. Additionally, security and compliance professionals aren’t fully aware of the amount of consumer data collection activity that takes place–such as cookie drops, pixel fires, device ID fingerprint collection, and more. When GDPR goes live in May 2018, Ignorantia juris non excusat (ignorance of the law excuses not) will not be a valid defense when confronted with a data privacy violation. It comes as little surprise that around 86% of organizations worldwide are concerned about GDPR noncompliance.

What goes online stays online

One of GDPR’s key requirements centers around personal online behavior data (specifically, information collected from an individual’s digital activity, i.e., websites visited, links clicked, forms submitted, etc.) and imposes restrictions on its safe transfer outside the European Union to other businesses or legal entities. Organizations will need a clear understanding of whose data is being collected, what data is being collected, what it is used for, and, if the data subject resides within the EU, where this information is being transferred, along with confidence that it is adequately protected.

Thanks to the density of code executing behind today’s websites and mobile apps, this data inventory task is easier said than done.

Data documentation is much harder than companies anticipate, particularly for media and ecommerce websites offering digital display advertising space. Ultimately, companies will need to ensure that each of their advertising partners does not engage in activity which could put their organization or customer data in violation of GDPR.

Let’s not forget that recent website security breaches also demonstrate that third parties are often the weakest link in the security chain. While an organization may employ rigorous security controls around physical vendors and contracted partners, it often fails to extend the same rigor to their digital counterparts. Gartner predicts that by 2020, 33% of attacks experienced by enterprises will be the result of shadow IT resources. Based on this evidence, it is no wonder the GDPR focuses so heavily on third-party relationships. Clearly, when it comes to unchecked third-party code on websites and mobile apps, it isn’t just compliance risks but significant security risks that enterprises need to consider. How do firms control something they enable but don’t see and can ill afford to ignore?

Limiting the risks

The odds are stacked against enterprise website operators, but creating a holistic digital vendor risk management program is a step in the right direction. The first step is documenting a few basic facts about your specific digital environment by asking website teams the following:

1. How many third-party vendors execute on websites and mobile apps?
2. What are the names of these vendors?
3. What exactly are they doing, i.e., intended purpose and also any additional, out-of-scope activity?
4. Do we have contracts to authorize the scope of the work?
5. How does third-party vendor activity affect overall website and mobile app performance?
6. What are the risks to data privacy?
7. What is my business’s exposure to regulatory risk via vendor behavior?
8. Is my organization maintaining encryption throughout the code execution chain?
9. As these vendors change over time, what is the process to identify new vendors and their activity on websites and apps?
10. Have Data Compliance policies been communicated to digital vendors?

Once these questions are successfully (or satisfactorily) answered, they should be revisited on a regular basis. Continuous monitoring of the digital environment helps create a compliance mechanism that alerts you to violations.

Organizations must then, of course, strive to document how their third-party partners handle this same data, which is another GDPR requirement. This information is critical to ensuring customer data is not being put at risk at any time, regardless of data holder. In effect, both your organization and your third parties need to develop, communicate and enforce the policies, processes and technologies necessary to support all digital-related aspects of GDPR, including consumer online behavior data collection, use, storage and transfer.

When the regulation comes into force, enterprises that look at this as a key opportunity to protect user/consumer data, and their own brand, could establish a competitive advantage. The end result should also translate to fewer breaches, fewer opportunities for cybercriminals, and a much safer cyberspace. The internet’s Pandora’s box may have been opened, but it doesn’t have to spread evil into the world.

EU Publishers: Clean up your cookies or get burned by GDPR

This article originally appeared in Digiday: https://digiday.com/sponsored/mediatrustbcs-008-eu-publishers-clean-cookies-get-burned-gdpr/ 

The ticking clock on the General Data Protection Regulation (GDPR) website is a stark warning for digital publishers behind on preparations for the EU’s massive expansion of data privacy rules. The GDPR is coming, and soon.

Europe’s privacy laws are tightening even further, potentially limiting the data that publishers can collect and the ways they can collect it. The GDPR is technology neutral, but once again it’s the cookie that will be caught in the GDPR’s crosshairs. The GDPR has broadened the scope of personal data to include online identifiers, such as cookies and other identifying code (such as pixel fires or device fingerprinting). Cookies gathering user data without a lawful basis (e.g. consent) will fall on the wrong side of GDPR. That puts publishers at risk of potentially groundbreaking fines and penalties. That’s why we’ve prepared this guide to the three types of cookies to watch out for, and how publishers can manage them.


GDPR Compliance Risks on Websites

Authored by Matt O’Neill, General Manager, Europe, The Media Trust. 

The way the cookie crumbles


Today’s websites and apps (your corporate website included) are powered by sophisticated technology. After all, in order to support consumer expectations—content consumption, search, social networking, shopping carts, travel booking, banking, news, gaming and so much more—websites incorporate robust solutions on the backend.

These solutions aren’t news to most InfoSec professionals, but it is where security problems start. Think about it. Almost 80% of a typical website’s functionality is outsourced to vendors providing specialized services such as data management platforms, marketing analytics, customer identification, image or video hosting, payment processing, content delivery and more. This third-party code operates outside the purview of your IT and security infrastructure, which means that you control less than 25% of the code executing on your website. As the website operator, you have no insight into when this code is compromised to act as a conduit for malware propagation and unauthorized audience data collection. Considering the current regulatory environment around data compliance, the above statistics should make you nervous.

Cookie crumbs

To put it bluntly: You can’t control what you don’t see, and the third-party code enabled functionalities on your digital properties are compromised more often than you think. Also, you have more third-party code than you realize.

As the security provider of choice for the world’s largest digital properties, The Media Trust scans websites for security and policy violations and actively manages more than 500 incidents at any one time. Some of the simplest websites average 10 third-party vendors, but most have dozens. The vendors continuously change and so do their actions.

The Media Trust’s website security and scanning team often detects persistent or unauthorized cookies with a lifespan of 30 years or more; one brand name ecommerce website recently dropped a 7,000+ year cookie. This is a huge issue under the EU’s General Data Protection Regulation (GDPR), which goes into effect in less than a year. Compliance with GDPR requires detailed, real-time knowledge of executing digital partners and their activity, including the type of data collected and how long the partner remains on the user’s device, i.e., browser, phone, tablet, etc.
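A lifespan check of the kind described above, as an added example (not The Media Trust's tooling or code from the original article): it parses `Set-Cookie` headers and flags cookies that outlive a retention limit, marking which come from third-party hosts. The hosts, cookie values, first-party domain, scan time and one-year limit are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SECONDS_PER_YEAR = 365.25 * 24 * 3600
FIRST_PARTY = "shop.example"                             # assumed site domain
OBSERVED_AT = datetime(2017, 9, 1, tzinfo=timezone.utc)  # constructed scan time

# Constructed sample: (responding host, raw Set-Cookie header value).
OBSERVED = [
    ("www.shop.example", "session=abc123; Path=/; Secure; HttpOnly"),
    ("www.shop.example", "prefs=dark; Max-Age=2592000; Path=/"),
    ("www.shop.example", "cart=1; Max-Age=63115200; Path=/"),
    ("px.tracker.example", "uid=77f1; Expires=Fri, 01 Jan 2049 00:00:00 GMT"),
    ("cdn.adnet.example", "vid=9c2e; Max-Age=220903200000; Domain=adnet.example"),
]


def cookie_lifetime_years(set_cookie, observed_at):
    """Lifetime in years from Max-Age/Expires; None for a session cookie."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value.strip()
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return max(int(attrs["max-age"]), 0) / SECONDS_PER_YEAR
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable Expires is ignored: session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max((expires - observed_at).total_seconds(), 0) / SECONDS_PER_YEAR
    return None


def is_third_party(host, first_party):
    """Suffix match against the assumed first-party domain (no public suffix list)."""
    return not (host == first_party or host.endswith("." + first_party))


def audit(observed, first_party, observed_at, max_years=1.0):
    """Return cookies living longer than max_years (a hypothetical policy limit)."""
    findings = []
    for host, header in observed:
        years = cookie_lifetime_years(header, observed_at)
        if years is not None and years > max_years:
            findings.append({
                "host": host,
                "cookie": header.split("=", 1)[0].strip(),
                "years": round(years, 1),
                "third_party": is_third_party(host, first_party),
            })
    return sorted(findings, key=lambda f: f["years"], reverse=True)


if __name__ == "__main__":
    for finding in audit(OBSERVED, FIRST_PARTY, OBSERVED_AT):
        print(finding)
```
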

If you are wondering how GDPR affects your business, then you’ve got a lot of catching up to do. GDPR supports the data protection rights of every EU resident, therefore every business with EU interests—in the form of customers, legal entities, business infrastructure, etc.—needs to comply. And, the global nature of the internet means any business with EU website traffic or app users needs to comply as well.

Clearly, enterprises should make some changes to digital operations in order to reduce exposure to GDPR violations. At a minimum, you need to do the following for all your digital properties—websites (desktop and mobile) and mobile apps included:

1. Communicate privacy policy

  • Write a clear privacy policy that explains use of third-party code and outlines any data collection activity
  • Place a banner on the homepage
  • Deliver internal training

2. Provide easy-to-use opt-in/opt-out mechanism

  • Explain need for tracking and how cookies are used to drive digital operations
  • Share links to individual privacy policies of all in-scope vendors on your site
  • Allow individuals to explicitly agree and/or refuse tracking

3. Understand how website/app-generated data is acquired, used & stored

  • Identify data: Registration, Cookies, IP addresses, device IDs
  • Assess the legal basis to collect data and determine if consent is necessary, e.g., Personally Identifiable Information (PII) vs. transaction functionality, etc.
  • Evaluate need for a specific policy regarding data collection of minor activity (16 years old in GDPR; under 13 years old in U.K. and U.S.)

4. Support data portability

5. Incorporate website intrusion in data breach reporting

While the GDPR mandate for websites has been clearly laid out, meeting it is easier said than done! With the fines for noncompliance enumerated in the regulation (between 4% of global revenues or €20 Million), InfoSec is under pressure from internal risk and compliance professionals to ensure all data elements are documented, assessed and controlled.   

Ignorance is real. So is anarchy.

With such a tall order, it is disturbing that so many InfoSec professionals overlook the perils of third-party vendor code going unchecked. Companies desperately need to incorporate digital vendors into their vendor risk management program. Most website/app operators are in the dark about how many direct and indirect vendors contribute to code on their site and who these vendors are, let alone know how many domains and cookies these vendors use to track website visitors.

Digital vendor risk management will highlight the security and compliance gaps inherent in the digital environment. For example, there really isn’t a clear chain of command when it comes to authorizing the presence of third-party vendors executing on a website. It is a fairly decentralized process, with departments like marketing, sales, IT, risk and legal all making decisions regarding the vendors they would like to use for various website functionalities. This makes creating accountability challenging, with most issues relegated to the IT and security departments to solve.

Putting the “Digital” in Vendor Risk Management

Yes, the odds are stacked against website operators, but creating a holistic digital vendor risk management program isn’t impossible. To create a risk management and GDPR compliance program for your digital properties, you should be able to answer the following:

Within 2 weeks:

1. How many third-party vendors execute in websites and mobile apps?
2. What are the names of these vendors?
3. What exactly are they doing, i.e., intended purpose and also additional, out-of-scope activity?

Within 1 month:

4. Do we have contracts to authorize the scope of the work?
5. How does third-party vendor activity affect overall website/app performance?
6. What are the risks to data privacy?
7. What is my exposure to regulatory risk via vendor behavior?

Within 3 months:

8. Am I maintaining encryption throughout the call chain?
9. As these vendors change over time, what is the process to identify new vendors and their activity on websites and apps?
10. If the corporate website isn’t fully secure, what happens when employees visit the site? Is the enterprise network at risk?

Once you’ve been able to answer the above questions, within a year’s time, you should be able to create a comprehensive digital vendor governance process that looks like this:

[Image: GDPR compliance blog post image]

Agencies and the Ad Quality Quandary

Authored by Chris Olson, CEO and Co-Founder, The Media Trust.

Increasing advertiser demands turn the wheels of change for agencies.


There’s no denying that two major phenomena are actively reshaping the existing digital advertising supply chain:

  1. Accountability is being pushed upstream

Not long ago, digital publishers bore the brunt of the blame, shame and liability (financial and legal) for ad-related problems such as performance issues, unauthorized collection of audience data, and security concerns (malvertising). Today, armed with more public awareness (in the form of ad blocking, among others), industry best practices (e.g., TAG, IAB LEAN) and regulations (GDPR anyone?), publishers are finally pushing back on upstream partners when policy-flouting ads are served to their digital environments. And many partners are listening. Now, several other ad tech players on the buy side of the digital supply chain are joining this publisher revolt and directing accountability for creative issues to their upstream partners.

  2. Advertisers have spoken

Earlier this month, in an interview with The Wall Street Journal, P&G’s chief brand officer, Marc Pritchard didn’t mince words when it came to expressing his irritation with everyone’s acceptance of serious flaws with the digital advertising supply chain. While he highlighted the complexities of digital advertising and confusing agency contracts, what stood out were his comments on the quality of the digital ad experience for consumers:

“Sometimes we deliver a high-quality media experience, but all too often the experience is, well, crappy. We bombard consumers with thousands of ads a day, subject them to endless ad load times, interrupt them with pop-ups and overpopulate their screens and feeds…”

This comment from the world’s biggest advertiser underscores the importance of digital ad quality in regards to what is being “presented” to audiences today, and rightfully so. According to recent research, the consumer packaged goods (CPG) industry spends almost 20% of its $225 billion annual marketing budget on digital advertising, yet retailers and shoppers alike gave digital advertising low marks for effectiveness. This provides further impetus for more advertisers to focus on improving the digital ad experience, thus putting the sell-side under immense pressure to not just launch high-quality ads into the digital supply chain but to prove that those are high-quality ads.

New priorities, New challenges

As the digital ad ecosystem evolves, agencies and media buyers need to re-establish trust with both consumers and advertisers. The first step is adopting industry best practices and standards for ad quality and security. This includes being judicious about audience data collection activity and keeping abreast of the ever-evolving guidelines for a plethora of ad formats.

Agencies have a lot of work to do. As depicted in Image 1, most media buyers today need to take a more farsighted approach to campaign development and scanning. The assumption that an ad, upon entrance into the digital ecosystem, is exactly the same when it renders on a website showcases this ignorance. To meet changing advertiser demands for a better digital ad experience, agencies need to look at:

[Image 1: Creative vs. Total Ad Experience Characteristics]

Simply put: agencies need to adopt a more comprehensive view of the entire ad experience – creative + ad (the actual creative with all the corresponding analytics code) + landing page, not just the creative. 

A paradigm shift in agency priorities is required. Agencies and media buyers are under unprecedented scrutiny to address ad quality as they are where creatives originate. Their inability to meet the changing demands of both advertisers and publishers directly impacts the following areas:

  • Ability to Launch and Serve Ads

As ad formats and standards continue to evolve, meeting these specs across publishers, platforms, and networks impacts your ability to serve ads

  • Ad Spend and Campaigns

Delays in launching campaigns jeopardize ad spend and campaign metrics. Also, the inability to verify the campaign and its success – is the ad getting served the way it should be and to the target audience – could damage relationships with advertisers

  • Brand Image

Noncompliance with complex and changing regulations damages brand image and leads to penalties potentially for the advertiser, publisher and the agency itself

Pressure changes the status quo

While the brief to media buyers about what to do and what is expected is clear, it will be interesting to see how agencies actually adapt to the changing digital advertising landscape. Balancing advertiser demands while trying to achieve operational efficiencies and scale and trying to win a turf war against big consulting firms can prove to be a heavy lift for agencies. These bi-directional pressures coming from advertisers on one end and publishers on the other end of the digital ad supply chain will force revolutionary change. If done right, the end result is a transformed digital advertising ecosystem: positive UX via an optimized and profitably monetized channel.