If you are involved in designing, maintaining or managing a website, then you should have noticed a new EU-wide amendment to the law as it relates to web browser cookies and consent.
While much has been written about the failure of many portals to adhere to the new cookie rules – which became law in the EU member states at the end of May – the reality is that all EU sites, no matter how large or small, will eventually have to adhere to the new rules.
Some sites will be better placed to amend their cookie administration than others, but my observations suggest that the new rules will potentially be a major headache for those portals that make use of location-based (geolocation) information on their visitors.
In a nutshell, the EU rules mandate that the placement of cookies onto a user's device requires consent from a user unless they are "strictly necessary" for a service requested by the user. It appears that an exception to the rule will be narrowly interpreted by the Information Commissioners Office (ICO) in the UK, allowing short-lived cookies, for example, that permit internet users to shop online easily and quickly.
The UK's ICO has issued some helpful guidance notes centering on the need for sites to perform a cookie audit, a user-impact assessment and an action plan.
Geolocation and the New Legislation
Geolocation is a discipline that is firmly on the modern internet-savvy business agenda, because it can bring tremendous marketing rewards to the site concerned in the form of geo-marketing activities, targeted-messages, and so on. The introduction of the new cookie legislation presents a number of risks to portals that use geolocation. These risks can potentially outweigh the rewards because the site is required to interpret a lot of the data on the user ‘in the clear’, including location, time and web-browsing habits.
Therefore, organizations need to be cautious when embracing mobility and all the features that come with it, and include mobile devices within their corporate security strategy and integrate the devices within the business asset management program.
The issue here is that a growing number of mobile devices have corporate information stored on them and are used for enterprise activities.
The new EU cookie directive obliges service providers to explicitly indicate that the browsing session on a given set of web pages is being tracked/recorded.
This directive is here to stay, and its implications and resulting implementations pose difficulties from a security perspective. Many of the ways a business will implement the required advisories will involve the use of intrusive messages that advise users about the privacy policy – and some sites will not let further browsing take place until the user has explicitly accepted the required conditions. This necessary approach will be difficult for businesses that strive for user-friendly experiences on the web to accept.
However, implementing the EU cookie directive on a secure and effective basis is needed, because the data involved are both high-risk and personal. Sensitive data that could be leaked typically include information on gender, age and other attributes that could allow your ‘digital persona’ to fall into the wrong hands, including internet marketers.
This leads us neatly into the privacy aspect of the new legislation. As a result of the internet, we have few barriers and few secrets. Many think that is cool to post where we are, what we are doing, with whom, when and even why. In fact, according to the 2012 geolocation survey conducted by global IT association ISACA, 32% of individuals in the US are using location-based services more now than they did 12 months ago (worryingly, 43% don’t read the agreements associated with location-based apps, so most aren’t sure of the information they’re providing to organizations).
Clearly, organizations need to address how they are gathering location-based information and what they do with it. This business security process is about defining a security posture around classification of information, data collection practices, etc., that can identify a person's present location – and equally important, past and future locations. Organizations must clearly indicate the methods of collection, the retention policies, and when – and how – the information will be destroyed.
The Costs of Non-compliance
Failing to comply with the new EU cookie directive will certainly have ramifications such as fines, as well as legal and reputational consequences. And, while the financial implications can leave a big impact, the cost of reputational damage is likely to be far greater. The concept of privacy, when dealing with personal information, centers on the individual's trust in an organization and its information systems. It is this trust that allows us – as individuals – to make a judgment call on whether we are happy to release information to an organization.
Unfortunately, we have seen several recent examples of recognized brands suffering data/information breaches. Based on the fallout from these breaches, it should be clear to any manager that companies must communicate the technical and organizational mechanisms they have in place to protect user information – such as encryption, processes and procedures.
Complying with the Directive
Businesses using geolocation applications and data collection methods have a responsibility to behave ethically and protect consumers’ information. While there are clear differences in how the US, Europe and other regions of the world treat the explicit consent of internet users, businesses around the world should provide opportunities to opt-in – not by default, but with explicit consent from the user.
Companies also need to include geolocation data as one of the priorities within their audit governance strategy. The definition of governance, by the way, is "setting strategic direction, and achieving corporate goals, ascertaining that risks are managed and that resources are used responsibly". The governance of geolocation data should be addressed using these facets of the definition.
ISACA can assist greatly in the planning process that is central to the task of meeting the EU cookie directive’s governance requirements. Earlier this year, the association released the COBIT 5 framework (available as a free download). COBIT 5 is created for business and IT professionals. Its guidance helps enterprises bridge the gap between IT control requirements, technical issues and business risks. ISACA’s COBIT 5 for Information Security provides additional guidance on the enablers within the COBIT framework and equips security professionals with the knowledge they need to use COBIT for more effective delivery of business value.
The bottom line is that, if properly governed, geolocation is a tool that can be very effective for both consumers and businesses, and the EU cookie directive will, in the end, protect both of these parties.
Ramsés Gallego is international vice president of ISACA and a member of ISACA’s Guidance and Practices Committee, the CISM Certification Committee and the CGEIT Certification Committee. He is also the author of ISACA white papers on geolocation, virtualization and sustainability and CISM Director for the ISACA Barcelona Chapter. Gallego also served on the planning committee of the inaugural ISACA World Congress and chaired the planning committee for ISACA’s Information Security and Risk Management Conference in Europe.
Gallego is also security strategist at Quest Software, where he defines the vision of the security discipline and oversees the deployment of services. With a background in business administration (MBA) and law, Gallego has more than 15 years of security experience with expertise in the risk management and governance areas. Before joining Quest Software, he worked at CA Technologies (formerly known as Computer Associates) for eight years, was regional manager for SurfControl in Spain and Portugal, and most recently was chief strategy officer of the Security and Risk Management practice at Entelgy.