Fraud Sites and Insecure Communications (Q&A)
I would like to know how businesses may ensure that their consumer customers are not fooled by cloned websites or even cloned e-mails (obviously banks are of especial interest in this area)?
It is incredibly hard for companies to ensure customers are not fooled by cloned websites. It is important for companies to have a clear policy of not sending emails with click-throughs, and it is their responsibility to make sure this is well communicated. Barclays Bank, for example, has a security warning on its official website that customers must read before proceeding; this reminds them that the bank will never ask customers to visit the site via emails, for the very purpose of protecting against phishing.
You can visit the page below to read an open letter from Rob Chesnut, head of eBay's global Trust & Safety organisation:
http://www2.ebay.com/aw/uk/200506.shtml#2005-06-02174544
How might companies set about catching the fraudsters?
ISPs should be able to track the source of fraudulent websites by recording or monitoring where the phishing emails come from.
How about supporting phishing reporting sites? The public have an important role to play in this.
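The two points above, a cloned e-mail dressed up as the bank's own and tracing where a phishing message entered the mail system, in working code. This is an added example written for this page, not code from the respondent, eBay or any bank. The message is constructed; the hostnames (`mail.example.com`, `mx1.example-isp.net`, `webmail.example-isp.net`), the IP addresses, the brand domain `example-bank.co.uk` and the settings `OUR_MAIL_SUFFIX` and `BRAND_DOMAIN` are all assumptions made for the example.

```python
"""Inspect a suspicious e-mail for two phishing indicators: where it entered
the mail system (walk the Received: chain) and links whose visible text names
the bank but whose href leads somewhere else.  All data here is constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_MAIL_SUFFIX = "example.com"       # assumed: the recipient's own mail hosts
BRAND_DOMAIN = "example-bank.co.uk"   # assumed: the brand being cloned

# Constructed sample: a cloned "bank" message as delivered to a customer.
SAMPLE_EMAIL = """\
Received: from mx1.example-isp.net (mx1.example-isp.net [198.51.100.7])
    by mail.example.com with ESMTP id abc123; Thu, 2 Jun 2005 10:15:02 +0100
Received: from webmail.example-isp.net (webmail.example-isp.net [198.51.100.20])
    by mx1.example-isp.net with ESMTP id def456; Thu, 2 Jun 2005 10:14:58 +0100
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by webmail.example-isp.net with HTTP id ghi789; Thu, 2 Jun 2005 10:14:50 +0100
From: "Example Bank Security" <security@example-bank.co.uk>
To: customer@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://example-bank.co.uk.login-verify.example.net/auth">log
in at https://www.example-bank.co.uk/</a> to keep your account active.</p>
<p>Help: <a href="https://www.example-bank.co.uk/help">www.example-bank.co.uk/help</a></p>
</body></html>
"""


def parse_message(raw):
    return email.message_from_string(raw, policy=policy.default)


def received_hops(msg):
    """[(sending_ip, receiving_host)] per Received: line, newest hop first."""
    hops = []
    for line in msg.get_all("Received", []):
        flat = " ".join(str(line).split())
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
        by = re.search(r"\bby\s+([\w.-]+)", flat)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops


def handoff_ip(msg, our_suffix=OUR_MAIL_SUFFIX):
    """IP that handed the message to our own infrastructure.  Lines written by
    our servers are trustworthy; everything beneath them was written by other
    parties and can be forged, so this is the last address we can rely on."""
    ip_seen = None
    for ip, by_host in received_hops(msg):
        if not (by_host and by_host.endswith(our_suffix)):
            break
        ip_seen = ip
    return ip_seen


def claimed_origin(msg):
    """Earliest sender in the chain.  Only the operator of the server that
    wrote that line (here the ISP's webmail host) can confirm it in its logs."""
    hops = received_hops(msg)
    return hops[-1][0] if hops else None


def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def deceptive_links(msg, brand=BRAND_DOMAIN):
    """Links whose visible text names the brand but whose target host is not
    under the brand's domain (brand-as-subdomain tricks are caught too)."""
    body = msg.get_body(preferencelist=("html",))
    p = _Links()
    p.feed(body.get_content() if body else "")
    flagged = []
    for href, text in p.links:
        target = (urlparse(href).hostname or "").lower()
        named = re.findall(r"[\w-]+(?:\.[\w-]+)+", text.lower())
        if any(belongs_to(n, brand) for n in named) and not belongs_to(target, brand):
            flagged.append((href, text))
    return flagged


if __name__ == "__main__":
    m = parse_message(SAMPLE_EMAIL)
    print("handed to us by:", handoff_ip(m))
    print("claimed origin :", claimed_origin(m))
    for href, text in deceptive_links(m):
        print("deceptive link :", text, "->", href)
```

The distinction between `handoff_ip` and `claimed_origin` is the practical point: the recipient can only trust the Received lines its own servers wrote, so the most it can prove is that the ISP's relay delivered the message. The deeper line naming 203.0.113.45 is exactly what that ISP can check against its own webmail logs, which is why the answer above puts the tracing burden on ISPs.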
Can a company that is cloned be held liable for negligence for not doing enough to prevent this kind of fraud?
Companies can’t be held liable for negligence. However, it is important that companies take the necessary steps to prevent this fraud happening as far as possible so as to avoid being associated with it. Once fraud is associated with a company it is often hard to completely clear a name.
What should companies do to ensure that they are compliant with the DPA and not liable because of poor server configuration?
Hostway recently did a survey which showed that over half of SMEs are at risk of non-compliance due to security risks associated with poor server configuration. According to the DPA, SMEs must ensure that they have processes and procedures in place to protect the personal information they hold about individuals, including information held on websites and related servers; without proper server configuration, SMEs are at risk of breaching this Act. Companies need to ensure they have the skills, or get someone who has the skills, to properly configure their server. This involves ensuring only essential programmes are running on their servers, not just agreeing to all the recommended settings, and doing regular data audits in order to check that only necessary information is stored on a server. Finally, tight security is a must.
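The two concrete checks in that answer, "only essential programmes running" and "regular data audits", as code. This is an added example written for this page, not the respondent's or Hostway's; it runs against constructed input so it works offline. The listening-socket text follows the column layout printed by `ss -ltnp` on Linux, but the output shown, the allow-list `ALLOWED`, the file paths and their contents, and the simplified personal-data patterns are all assumptions made for the example.

```python
"""Audit a web host for (1) listening services outside an allow-list or
exposed to all interfaces when they should be loopback-only, and (2) stored
files holding personal data that has no business on a web server."""
import re

# Assumed policy for a small web host: (port, process) -> may it listen on
# all interfaces?  Anything not listed here should not be running at all.
ALLOWED = {
    (22, "sshd"): True,       # remote administration
    (80, "nginx"): True,      # the website
    (443, "nginx"): True,
    (3306, "mysqld"): False,  # database: loopback only
}

# Constructed `ss -ltnp` output for the host being audited.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1001,fd=6))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1001,fd=7))
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1203,fd=21))
LISTEN 0      32     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1340,fd=3))
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1402,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_ss(text):
    """Return (bind_address, port, process) for each LISTEN line."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        proc = re.search(r'\("([^"]+)"', line)
        rows.append((addr.strip("[]"), int(port), proc.group(1) if proc else "?"))
    return rows


def audit_listeners(rows, allowed=ALLOWED):
    """Findings as (kind, message): 'remove' for services not in the
    allow-list, 'bind-local' for allowed services exposed too widely."""
    findings = []
    for addr, port, proc in rows:
        key = (port, proc)
        if key not in allowed:
            findings.append(("remove", f"{proc} on port {port} ({addr}) is not in the allow-list"))
        elif addr in ALL_INTERFACES and not allowed[key]:
            findings.append(("bind-local", f"{proc} on port {port} must listen on loopback only, not {addr}"))
    return findings


# Constructed files found under the web server's document root.
FILES = {
    "/var/www/html/index.html": "<h1>Welcome</h1>",
    "/var/www/html/backup/customers.csv":
        "name,email,ni\nA Smith,a.smith@example.org,QQ123456C\n",
    "/var/www/html/logs/orders.log": "order 17 shipped to 10 High St",
}

# Simplified detectors; a real audit would use the organisation's own list.
PERSONAL_DATA = {
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK National Insurance number shape: two letters, six digits, one letter
    "NI number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}


def audit_stored_data(files, patterns=PERSONAL_DATA):
    """Map each file holding personal data to {kind: number of hits}."""
    report = {}
    for path, content in files.items():
        hits = {kind: len(rx.findall(content)) for kind, rx in patterns.items()}
        hits = {k: v for k, v in hits.items() if v}
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for kind, msg in audit_listeners(parse_ss(SS_OUTPUT)):
        print(f"[{kind}] {msg}")
    for path, hits in audit_stored_data(FILES).items():
        print(f"[data] {path}: {hits}")
```

On the constructed host the listener audit reports the FTP daemon and the Redis instance as not allowed and the database as wrongly bound to every interface, while the data audit finds a customer export sitting in a web-reachable backup directory; that last case is the kind of file the "only necessary information" advice is aimed at.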
Since many companies store personal data on their servers, what principles should they follow under the DPA to ensure that data is handled correctly?
The seventh principle of the DPA is to keep data secure. This means that servers which hold personal data must have sufficient protection in order to keep it safe. By following the ideas already mentioned, this should be reasonably straightforward.
Further Information:
The eight principles of good practice
Anyone processing personal information must comply with eight enforceable principles of good information handling practice.
These say that data must be:
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. not kept longer than necessary
6. processed in accordance with the individual’s rights
7. secure
8. not transferred to countries outside the European Economic Area unless the country has adequate protection for the individual