E-businesses not encrypting transactions or protecting customer data: study

Privacy may be a major concern for all businesses, but when it comes to those who conduct transactions on-line, a recent e-business study indicated that a third of respondents do not encrypt transactions.

“E-Business: Trends, Strategies and Technologies” is a report by the Cutter Consortium of Arlington, Mass., an affiliate of Cutter Information Corp. Its findings were based on data collected from 134 e-businesses from around the world.

The author of the report, Cutter Consortium senior consultant Chris Pickering, noted that the number of companies not using encryption for these transactions is both “surprising and disturbing.”

He said encryption technology, such as secure sockets layer (SSL), is readily available, generally understood and “it’s supported by every major browser.” He noted that SSL does tend to slow servers down, but said companies should overlook that, considering its advantages.

“I don’t understand why companies don’t take advantage of that at least to provide some security in transmission,” Pickering said. “Perhaps what is just as scary, though, is that people freely participate in those transactions. They send their data around unencrypted. It takes two to tango.”

The study found that of the issues businesses face in using the Internet, security ranked as the top concern, followed by cost and reliability, respectively. User connection speed, lack of standards followed by security, and backbone-related matters were the other issues ranked by those surveyed.

“People sometimes confuse or mix-match freely the terms ‘security’ and ‘privacy,’” Pickering pointed out. “They are separate issues…but they are related. If people are concerned about privacy, then the Web sites have to have good security to help protect that privacy.”

From a business standpoint, he said it’s obvious that consumers are particularly concerned with privacy on the Internet, as are business trading partners.

Despite what should be obvious, only 53 per cent of respondents to the survey indicated they have a formal privacy policy in place with regard to collected customer data.

“Obviously, one of your first concerns is to satisfy your customers. So, if for no other reason than that customers are concerned about their privacy, a business is well-advised these days to have a privacy policy. I think the reason that 47 per cent of the folks in our survey don’t have a privacy policy is because they just haven’t gotten around to it,” Pickering offered. “They just haven’t addressed it. Getting up on the Web, getting the storefront going, that type of thing, has probably occupied most of their time and energy.”

While he noted that customers and partners have a responsibility to keep what they want private safe, Pickering said once a business gets control of personal information it should take appropriate measures to protect it, both electronically and physically.

Implementing policies, such as only requesting the information that is necessary for the transaction, is wise, he said. Of the respondents that have a privacy policy in place, 73 per cent of them restrict use of customer information for internal use only, according to the report. Only nine per cent indicated that they share customer data with “carefully screened” outside parties, and none of the respondents rent out or share data.

Privacy seal companies, such as TRUSTe, offer some sense of security for partners or customers, according to Pickering. The vendors charge a fee and assess how well a Web site is complying with its published policies regarding privacy.

“To me, it’s a nice-to-have. It perhaps reflects at least whether a company is taking advantage of everything available to it right now to have a good privacy policy,” Pickering said. “I’m not as concerned about whether somebody’s participating in a privacy seal program as I am about how they’re using data that they have.”

Pickering said that what may have contributed to and created a lot of fear recently is that some Internet companies conduct themselves similarly to the way that direct mail cataloguers or credit card companies have conducted themselves historically – selling mailing lists, for example. The Internet is much more public, and so people feel a lot more exposed.

“We’re getting to the point where companies have to decide whether that is, and should be, accepted business practice. It’s quite clear that a lot of consumers are not happy with that approach to their data, even if it’s something as simple as an e-mail address,” he said.

The Cutter Consortium is on the Web at www.cutter.co