Do You Know Where Your Data Are?


NEW YORK — With online stock trading, Web-based banking or Internet retailing, it’s important to be sure that you’re dealing with a legitimate business before making a transaction.

And beyond basic credibility questions, it’s good to know how vigorously these e-commerce ventures work to protect your personal and financial data once the deal is done.

Earl Westerlund, a software developer from Rochester, N.Y., said he’s very careful about sharing his personal financial data. “I would not conduct financial transactions over a site that was not secure,” Mr. Westerlund said in an e-mail interview. “I also shy away from businesses that will not promise not to sell my transaction information.”

There are several ways to ensure a consumer Web site is not only secure, but security minded. Reputable companies tend to have prominently placed links to their privacy-policy statements, which spell out the steps the site takes to protect consumer data and whether they sell that data to other companies. These statements often are laden with technical terms and jargon, but it’s well worth the effort to read them through thoroughly.

Another sign that a consumer site is working to protect your information is the appearance of logos and links from security software and service companies on the site’s home page. Thomas E. Noonan, chief executive officer of Internet Security Systems Inc., Atlanta, said that over time e-commerce sites are likely to develop an online “Good Housekeeping Seal of Approval” approach to communicating their commitment to data security.

Consumers also can look to groups such as TRUSTe, an independent, nonprofit privacy organization based in San Jose, Calif. A TRUSTe certification logo indicates that “the Web site must provide reasonable security to protect the data that is collected.”

To be sure, any disreputable company can copy a certification logo from a consumer-advocate or security-software site and place it on a home page to provide the appearance of legitimacy. As always, if you have any doubts about the reliability and trustworthiness of a consumer Web site, trust your instincts and move on.

Internet watchers say there’s an ongoing battle in cyberspace between companies and software developers trying to design secure systems and hackers who try to penetrate systems for sport or ill-gotten gain.

This has created a demand and a market for software companies that specialize in data security and services. They sell their products to the banks and brokers and online retailers that are seeking customers online.

Raj Dhingra, senior vice president of world-wide marketing at SonicWALL Inc. of Sunnyvale, Calif., said projections show spending on firewalls, virtual private networks and related Internet security software and services is expected to double in 2001 from 2000. This is based on a growing awareness of the security threats and the costs of intrusions.

Keeping up with online security software and services companies could be a full-time job. But smart online consumers can arm themselves with some knowledge of this field and make good judgments about doing business online.

Here are some things to look for:

— One of the biggest fears for online investors and shoppers is a computer hacker breaking into a Web site where they previously have done business. Clever hackers can steal a credit-card number, a bank-account password or enough information about the person to pull off “identity theft,” where personal information is used to fraudulently open up new accounts under the victim’s name.

So it’s important to look for consumer Web sites that incorporate security software and services indicating that they are protecting your data not only from hackers, but also from internal threats.

Mr. Dhingra of SonicWALL said 30% of network intrusions come from outside the company and cost $50,000 to $60,000 per attack. About 70% of intrusions come from inside the company — disgruntled workers, mistakes, etc. — and cost $1 million per attack.

“It heightens the need for security,” Mr. Dhingra said.

Mr. Noonan of Internet Security Systems concurs that times have changed and much greater computer security is now required. Much of the data-security problem on the Net comes from the fundamental mismatch between the original design of the Net and the demands of e-commerce. The Net was designed for an open exchange of information among scientists, while e-commerce requires confidential exchanges of information, especially payment items.

“How do we protect the security and integrity of information on a system that was designed to be open and accessible?” asked Mr. Noonan.

— VeriSign Inc. (VRSN), Mountain View, Calif., is somewhat better-known than some Internet security software companies, based on its role of registering dot-com Web addresses. Anil H.P. Pereira, senior vice president, said confidence in the validity of a Web address actually is the beginning of confidence in a safe and secure e-commerce experience.

Beyond Web addresses, VeriSign is well-known for its “digital certificates,” which are electronic credentials used to identify parties online and enable both private, encrypted communications and “digital signatures,” which provide irrefutable proof that an online transaction has occurred.

Last month, VeriSign announced it “extended its managed digital certificate services to enable smart card and other device manufacturers to embed digital keys and certificates into their products.”

Mr. Pereira said the company continues to expand its software and security services. He said digital certificates can be attached to things like cable modems or Web-enabled mobile phones. With the certificates in place, online merchants will be more confident that they are dealing with bona fide consumers and offer more and better services.

“Digital certificates have advanced,” Mr. Pereira said. “We’re really moving in a number of directions.”

— Most reputable companies, seeking to comply with federal financial privacy laws, will include privacy policy statements. Though these legal documents can be long-winded and sometimes confusing, it’s important to read through them carefully to ensure that you know what information is being shared and with whom.

It’s important to remember that many online financial and consumer sites compile a lot of sensitive information in addition to credit-card numbers. Many track spending habits and amounts of purchases in addition to any personal information that may have been recorded when users first “register” with the site. Combine that with your name, address, phone number, and other key information about your life, and suddenly the site has a lot of information that could easily become available to unwanted third parties.

Some sites will agree not to share personal information with third-party companies, but will use a loophole that allows them to share the data with unspecified affiliate companies or “partners.” To ensure that your information is shared only on a “need-to-know” basis, exercise your right to “opt out” of allowing these sites to share your information.

The Privacy Rights Clearinghouse, a nonprofit organization in San Diego, has posted on its Web site an opt-out form letter to send back to consumer Web sites that outlines exactly what information they can and cannot share with other parties.

Copyright (c) 2001 Dow Jones & Company, Inc.