How to protect customer data and prevent GDPR breaches on your WordPress site

For UpdraftPlus’s own privacy policy and how we deal with GDPR, please go to the privacy centre.

Up until the advent of the internet, the most a company would know about their customers was their names, address, maybe their purchase history and little more. Fast forward to 2021, and businesses have access to all aspects of a customer’s (or potential customer) interests, bank details, email addresses, hobbies, desires, passions and goals – as well as some very personal information that the potential customer might not even be aware they are sharing. While this information has allowed companies to better serve and market towards customers, if this treasure trove of personal data gets into the wrong hands, it can cause a major problem for all involved. 

In this blog, we will discuss how to protect customer data and prevent GDPR breaches. But first it is important to define what a data breach is and what GDPR means. 

What is a data breach? 

A data breach is an incident that allows outsiders or unauthorized personnel to access or obtain confidential information from a system, without the permission of the owner. While cybercriminals represent the most common threat to data protection, they aren’t the only culprits. Employees and coworkers can either accidentally or maliciously share data with unauthorized persons, which can also result in a data breach. 

What is GDPR? 

GDPR stands for General Data Protection Regulation, and as the name implies, it is a regulation that addresses data protection and privacy. While GDPR applies to countries and companies operating within the EU, countries all over the world have similar GDPR-like policies in place.

In May 2018, the EU implemented the GDPR to ensure that citizens of the EU and EEA region have greater control over what personal information they allow access to, how that information is used and what assurances they have regarding the protection of that information by the companies involved. The GDPR stipulates that personal data includes name, IP address, banking details, email address, photo, location, or medical information. This regulation applies to every company with customers that are EU and EEA citizens. 

10 ways to keep your customer subscription data safe and prevent GDPR breaches

If a company finds itself victim of a data breach, it can find itself facing an expensive bill. Under GDPR guidelines, a company can face fines of up to 20 million or 4% of their annual turnover due to a breach. However, the following practices can drastically reduce your chances of experiencing a security breach. 

1. Only collect essential data 

Your company’s database should consist only of information that is crucial to your marketing efforts. The more personal the information that is obtained from customers, the more valuable it will be to hackers and cybercriminals.

A crucial part of customer data management is deciding which data you should collect and what you don’t need. Between 60% and 73% of data collected by companies is unused for analytics, which shows that organisations probably don’t need as much information as they think they do to conduct business. 

What comprises essential data for your company depends on your marketing goals and your ability to analyze the data to gain insights. Since marketing goals evolve, regularly evaluating the type of data you collect can save you trouble and aid your compliance with data protection regulations. 

2. Perform routine vulnerability and risk assessments

According to the Center for Internet Security (CIS), vulnerability management is the third most important action you can take to protect your organization from data breaches. 

The processes involved in vulnerability management include identifying possible security weaknesses and classifying them according to their threat level. Regular risk and vulnerability assessments help you identify holes in your defences and take measures to plug them. 

When carrying out these assessments, you should leave no stone unturned. Inspect and evaluate your data storage, software and data security policies – like the use of personal devices and remote ‘work from home’ access for employees. 

WordPress itself is a very secure platform. However, it helps to add an extra layer of security and a firewall to your site by using a security plugin that enforces a lot of good security practices.

You can also install the All In One WordPress Security plugin on your WordPress site. This plugin can help improve your website security: it analyzes your site and reduces security risk by checking for vulnerabilities. By implementing and enforcing the latest recommended WordPress security practices and techniques, you can help patch potential weaknesses before they become an issue. 

3. Involve every member of your team 

It is imperative that every employee plays their role in preventing a breach. Your defences are only as strong as your weakest link, and without proper security awareness and education, employees can unknowingly become that weak link for hackers and cyber criminals. 

Employees should also be trained on how to identify security threats – what comprises “sensitive information” and how to immediately report data leakages and breaches. Employees should also be aware of the latest phishing and hacking techniques employed by cybercriminals (such as legitimate looking fake emails), and how to prevent them.  

4. Adhere to data protection regulations 

Data protection laws and guidelines are more stringent today than they were just a few years ago. This is in part because the amount of personal data collected by organizations has increased dramatically with the advent of smart phones. Additionally, the rise in the sophistication and potency of cybercriminals and their operations has seen ‘hacking’ and the theft of personal data become an almost acceptable career in some countries. 

In this day and age, abiding by data protection regulations such as GDPR helps you to prevent leakages and avoid potential fines. It can also save your company’s reputation and increase customer trust. 

5. Restrict data access 

Just like secrets, the fewer people that have access to data, the lower the chance that it will be leaked. It is worth remembering that not all employees need the same level of access to sensitive customer information.  

A good code of practice to follow is to segment customer data, and then grant levels of access to staff for each segment depending on the staff member’s need to access that information. 

While this may be a time-consuming and painstaking process, compared to potential lawsuits, hefty fines, reputation damage and potentially millions of dollars in lost revenue, it is more than worth it. 

6. Data encryption 

Data encryption is the practice of encoding data (such as messages and files) so that it is unreadable to unauthorized persons. Converting sensitive information from its plain, readable form into ciphertext leaves you with data that is stored in an encoded format. 

A crucial aspect of your data security plan should include provisions for encryption of sensitive data. Personal data across all devices used for company functions should be encrypted including messages, calls, and emails. 

With data encryption, you can securely save sensitive data on the cloud or on connected servers. 

7. Two-Factor authentication (2FA)

Two-factor authentication is a data security measure that requires two different forms of identification to gain access to an online account. 2FA combines a password with another credential, such as a one-time password, a security badge or biometric data (such as a fingerprint). This adds an additional layer of security, and requiring 2FA across all company devices and systems would improve your data security hugely. 

8. Regular security updates 

You may have suspected it, but the main reason giant companies like Apple provide regular updates for their software (iOS and macOS) is to patch up weak spots and loopholes that hackers could potentially exploit. 

By regularly updating your security software, you can reduce its weaknesses and increase its efficiency. 

9. Online and offline data backup 

While this is not particularly intended to prevent a breach, it can save you a lot of time, money, and trouble in the event of data theft or loss. Having a secure backup means that your customer subscription data, as well as other sensitive information, is safe. 

The longer your site is suffering from downtime as you try to recover the missing data, the more money you lose. A recent report suggests companies can lose as much as $300,000 per hour due to the downtime in the event of a hack, bug or server issue. 

By backing up your site using UpdraftPlus, you can be sure that you will always have a secure backup of your original website, should you ever need to restore it. 

10. Have a data breach response plan 

If all else fails and your preventative measures are still breached, then what? Having a Plan B, such as an organizational data breach response plan, can mitigate the potential damage of a data breach. Under GDPR guidelines, your customers have the right to know that their data and personal information could be compromised within the first 72 hours of a breach. As such, your plan should always include how to inform your customers. According to the US Chamber of Commerce, 68% of small businesses lack a disaster recovery plan. Putting together a plan for your organization puts you a step ahead of the curve. 

Data breaches that companies can experience

Data breaches can occur through various means, but here are the most common. 

Phishing
Phishing is when cyber criminals try to gain access to sensitive data, such as your banking details and passwords. They achieve this by posing as a reputable company or individual you may already have dealings with, often informing you of a problem that requires you to click on a link that downloads malicious software onto your computer. Training employees on how to spot phishing attempts in emails, messages and adverts can help prevent these types of attacks. 

Brute force cyber attack
This is a more direct type of attack where hackers use software tools to try to guess your password. With the rapid speed of modern computers, it takes far less time to guess passwords correctly than it used to. Your best chance against this type of cyber attack is to have longer and more secure passwords. A good practice would be the use of passphrases, as they are easier to remember and harder to guess. 

Malware
Intruders can install malware or spyware on your devices to allow them to access confidential files without your notice. Malware is typically a piece of malicious software, and its activities and presence can go unnoticed for a long enough period of time to cause significant damage. Malware can be installed on your computer physically or virtually through sources such as an email link. Learning how to spot these attacks and restricting access to your computer can help avoid this type of attack. 

Human error, accidents and theft
In a way, human error will play a role in almost all the types of cyber attacks. Granted, malicious software will take advantage of already existing weaknesses in your system’s defences, but you still have to be careless with your computer or click on a malicious link for it to work. On the other hand, a stolen computer or a laptop left at a bus stop can potentially give the thief access to sensitive data. 

What to do in the event of a data breach? 

Bad press, lawsuits, financial losses and distrust are some of the effects of a data breach. In the event of a breach, the focus shifts to how you can manage your organisation’s reputation and build back trust in employees and customers alike. Here is how you can do that: 

Good PR
An excellent PR team will work to ensure your customers understand you are on their side. It helps if you have a PR team on standby with a pre-planned sequence of actions that can be implemented within hours in the event of a data breach.  

Transparency
What’s worse than a breach and leak of sensitive customer data is a cloud of dishonesty and deceit in its aftermath. The pushback and consequent cost of the breach can be mitigated with a level of transparency and cooperation with the affected customers. 

Kick-start your data breach response plan
Regardless of how much you try to prevent it, with advancing technology and cybercrime sophistication, there’s still a chance of a data breach, no matter how small. Actions in your response plan should include a public address and some sort of compensation plan for the affected customers. 

Conclusion 

$4.24 million is the average cost of a data breach in 2021 according to IBM. That’s a significant enough amount of damage for it to be taken seriously. Whether or not your business operations are digital, if your customer data is stored on any technological device, you should pay attention to the steps above. Learning how to protect customer data and prevent GDPR breaches implies that you are prioritizing your customers’ privacy. That practice boosts your reputation and encourages brand loyalty.

The post How to protect customer data and prevent GDPR breaches on your WordPress site appeared first on UpdraftPlus. UpdraftPlus – Backup, restore and migration plugin for WordPress.

Data protection and privacy centre

This is our data protection and privacy centre that contains all the information you need on what we do with your data. WP-Optimize is a brand of Simba Hosting Ltd. Many of the policies below are linked to the website of our flagship product, UpdraftPlus, which shares the same policies. All of these policies are written to protect you, your data, and our ongoing ability to provide you and everybody else with sustainable services. Not everybody likes having lots of documents of this sort, but they are largely mandated by the law (e.g. the EU GDPR law), and intended for everybody’s good. They are not because we are eager to find some smallprint to use to pounce upon our valued customers! You can read about our general approach in this blog post.

WP-Optimize privacy policy

How we collect and process your data

Terms and conditions

Data protection policies and agreements of/with relevant third parties

  • N.B. It’s normal to have lots of suppliers. Don’t get worried and think “gosh, my data goes to a lot of people”. The point of the General Data Protection Regulation is to ensure the opposite. The agreements all generally say something equivalent, as required by law, to “though data may be processed on our systems, we have no permission to do anything with it that was not required by the customer (whether through direct action or necessarily to provide the service they purchased)”. The agreements are part of the process of assurance that data is being handled according to best privacy practices. As required by law, we do not have any suppliers who cannot provide such assurances.
  • Simba Hosting Ltd to XIBO Ltd (Xibo are a UK company who process data that we have gathered as part of our provision of support and other services)
  • Cloudflare (used by us for website security and performance services) – privacy policy; and a copy of our data processing agreement (for which a copy signed by both Simba Hosting Ltd. and Cloudflare exists).
  • Stripe (our payment processor for card payments) – general policy on data transfers, and privacy shield policy.
  • Linode (a supplier used by us for technical resources for various servers (not all of which process any customer data)) complies with the EU-US “Privacy Shield” framework – see here. Here is a copy of the Data Processing Agreement with them.
  • ReSmush.it (image compression service) – We do not store any information on our servers during compression, and on the ReSmush.it service pictures are stored for no more than 15 minutes, after which they are removed from the server. The only information saved is file size, time of processing and picture name, which are kept for statistics only. See here for a response from the ReSmush.it team.
  • NitroSmush (image compression service) – privacy policy when compressing images on their servers.

Miscellanea

Data protection, privacy, the GDPR, right to be forgotten, etc.

We’re receiving an increasing number of questions which relate to the EU’s incoming General Data Protection Regulation (GDPR), which becomes law towards the end of May 2018.

At UpdraftPlus (and across all our associated products – WP Optimize, Keyy, UpdraftCentral, MetaSlider), we aim to comply with both the letter and the spirit of this new, quite heavy, law. Its aim is to set a new gold standard for data collecting, processing and retention, and associated rights. We are all individuals too, and we think that the GDPR is bringing in some very valuable tools to allow consumers to have control and protection of their data. As such, we intend to treat all clients – whether EU citizens or not – as if they were EU citizens. We want everybody to know that we aim to treat their data with maximum respect and care.

To this end, over recent weeks, we have been doing a lot of “behind the scenes” work on GDPR and data protection issues. One of the fruits of this is our “data protection and privacy centre”. This has quite a number of useful links giving information on what data we have (and usually, don’t have, because we didn’t collect it in the first place), and what we do with it (and what we don’t do with it).

We still have plenty of work to do before the GDPR comes in, but we want to assure all our users that we see being “best of breed” in this area as a priority, and that we are energetically pursuing that goal.

David Anderson (lead developer)

The post Data protection, privacy, the GDPR, right to be forgotten, etc. appeared first on UpdraftPlus.

UpdraftPlus CCPA privacy notice

On January 1st 2020, the California Consumer Privacy Act (CCPA) introduced new data privacy rights for California residents – forcing companies that conduct business in the state of California to implement structural changes to their privacy programs. The new law is a response to the increasing role personal data plays in business practices and the personal privacy implications surrounding the collection, use, and protection of personal information.

Though UpdraftPlus may not necessarily meet the criteria that make compliance with the CCPA law mandatory (1. having $25 million or more in annual sales; 2. buying, selling, or sharing information on 50,000 or more individuals, households, or devices; 3. deriving more than half of annual revenue from selling personal information), we have made every effort to meet and achieve CCPA compliance for the privacy rights of our California based customers. As such, we are providing this CCPA-specific privacy notice to supplement the information and disclosures already contained in our Data Protection and Privacy Centre. This notice applies only to individuals residing in California with an UpdraftPlus account from whom we collect personal information.

What is the CCPA?

The CCPA allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.

Much like the GDPR law that was enacted in May 2018, many of the same rules on the use of customer data are represented in the CCPA. However, the CCPA does take a broader view than the GDPR of what constitutes private data.

How does CCPA differ from GDPR?

GDPR applies to the processing of all personal data, regardless of what that data is intended for or how it will be processed.

The CCPA is more specific regarding what kinds of data are protected and under what circumstances. While GDPR has strict user “opt-in” consent options before companies can access any of your data, CCPA only requires companies to supply the option to “opt-out” when user information is going to be actively sold or shared.

The CCPA does not protect some types of user data that the GDPR does. These include:

  • Data that is already legally available to the public
  • Medical information that’s protected under California’s Confidentiality of Medical Information Act (CMIA) or the federal Health Insurance Portability and Accountability Act (HIPAA)
  • Personal information covered by California’s Driver’s Privacy Protection Act

And other similar data sets.

UpdraftPlus does not sell personal information

The following categories of personal information have been defined by the CCPA. This information may have been collected and/or disclosed for a business purpose by ourselves in the last twelve months. The examples of the personal information provided in each category are taken from the CCPA and are included so you can better understand the specific information contained within a category. More information about the specific information UpdraftPlus gathers and how that information is used and processed can be found here.


Category – We collect – We sell

A. Identifiers – We collect: Yes – We sell: No
Examples: Name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

B. Categories of personal information in Cal. Civ. Code 1798.80(e) – We collect: Yes – We sell: No
Examples: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

C. Characteristics of protected classifications under California or Federal law – We collect: No – We sell: N/A
Examples: Race or color, ancestry or national origin, religion or creed, age (over 40), mental or physical disability, sex (including gender and pregnancy, childbirth, breastfeeding or related medical conditions), sexual orientation, gender identity or expression, medical condition, genetic information, marital status, military and veteran status.

D. Commercial information – We collect: Yes – We sell: No
Examples: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

E. Biometric information – We collect: No – We sell: N/A
Examples: Physiological, biological, or behavioral characteristics, including DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity, such as imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

F. Internet or other electronic network activity information – We collect: Yes – We sell: No
Examples: Browsing history, search history, and information regarding a consumer’s interaction with an internet website, application or advertisement.

G. Geolocation data – We collect: Yes – We sell: No
Example: Precise physical location.

H. Sensory information – We collect: No – We sell: N/A
Examples: Audio, electronic, visual, thermal, olfactory, or similar information.

I. Professional or employment-related information – We collect: No – We sell: N/A
Examples: Job application or resume information, past and current job history, and job performance information.

J. Non-public education information (as defined in 20 U.S.C. 1232g; 34 C.F.R. Part 99) – We collect: No – We sell: N/A
Examples: Records that are directly related to a student maintained by an educational agency or institution or by a party acting for the agency or institution.

K. Inferences drawn from personal information – We collect: No – We sell: N/A
Examples: Consumer profiles reflecting a consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.


Use of personal information

As the new CCPA has now come into force we wanted to clarify that UpdraftPlus meets the criteria necessary to be in accordance with the specific CCPA business and commercial purposes, as detailed below:

  1. Auditing related to a current interaction with you and concurrent transactions, including, but not limited to auditing compliance with this specification and other standards.
  2. Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
  3. Debugging to identify and repair errors that impair existing intended functionality.
  4. Short-term, transient use.
  5. Contracting with service providers to perform services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
  6. Undertaking internal research for technological development and demonstration.
  7. Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services.
  8. Otherwise enabling or effecting, directly or indirectly, a commercial transaction.
  9. For other purposes for which we provide specific notice at the time the information is collected.

UpdraftPlus’ collection and disclosure of personal information

In the last year UpdraftPlus has collected personal information from general sources including you, your use of our services, your devices, our affiliates, our vendors, and our service providers. More specific information about the personal information we collect is laid out in our GDPR and Data Protection and Privacy Centre.

Your California privacy rights

If you are a California resident, the CCPA allows you to exercise the following rights. 

Right to know and access. You may submit a verifiable request for information regarding the: (1) categories of personal information collected or disclosed by us; (2) purposes for which categories of personal information are collected by us; (3) categories of sources from which we collect personal information; and (4) specific pieces of personal information we have collected about you during the past twelve months.

Right to Delete. Subject to certain exceptions, you have the option to delete personal information about you that we have collected from you.

Verification. Requests for access to or deletion of personal information are subject to our ability to reasonably verify your identity in light of the information requested and pursuant to relevant CCPA requirements, limitations, and regulations.

Right to Equal Service and Price. You have the right not to receive discriminatory treatment for the exercise of your CCPA privacy rights, subject to certain limitations.

Shine the Light. We do not rent, sell, or share your personal information with non affiliated companies for their direct marketing purposes, unless we have your permission.

Submit Requests. To exercise your rights under the CCPA, you can deactivate and purge your account (similar to the GDPR “right to erasure” – “right to be forgotten”) by sending us a customer support request under “This is a GDPR/CCPA-related query” in the “What kind of support request is this?” option. 

If you have any further questions or queries, please leave a comment below and we will get back to you as soon as possible.

The post UpdraftPlus CCPA privacy notice appeared first on UpdraftPlus.

Lossy vs Lossless image compression – A guide to the trade-off between image size and quality

With the launch of WP-Optimize’s new smushing image compression feature, many people may be unaware of the advantages and disadvantages of the Lossy and Lossless compression methods. This blog will explain in detail what kind of results and savings you can expect to achieve with each compression format. 

Lossy Compression


The most popular image compression for most users is Lossy, which achieves greater space-saving compression (compared to Lossless) but loses some of the data and image quality from the original image in the compression process. While you can save more data with Lossy, the data saving isn’t completely without cost: with increased compression comes a slight increase in the degradation of the image quality, and the compression cannot be reversed, which results in the permanent loss of file metadata.

You should choose the Lossy method of compression if you are purely trying to reduce the size of your images and save data. But remember that the advantage of smaller files will be tempered by the small reduction in the quality of your images and the permanent loss of metadata.

This isn’t to say that your new compressed image will resemble a digital camera photo from 2002, however. The image will still be very high quality and present as a professional and clear image, but you may start to see some compression artefacts appearing at high levels of compression.

With Lossy compression enabled, the below image was compressed from 230.26 KB to 64.92 KB, giving an almost 75% reduction in size.

Original JPEG image

How image looks converted with Lossy compression

Original image zoomed in 300%

Lossy image zoomed in 300% – 230.26 KB to 64.92 KB, a 75% reduction in size

Lossy Summary

Pro – Can reduce the images to small sizes and save lots of file data, making your website load quicker and perform better.
Con – The smaller you make the file size, the lower the quality of your original image. Deletes original image data permanently.

Lossless Compression

Lossless is a term that refers to a class of data compression algorithms that compress your image but allow the original data to be restored and reconstructed from the compressed file data should you ever need it. Lossless compression differs from Lossy by maintaining the original image quality, while reducing the image data size by removing unnecessary metadata from the submitted files (usually JPEG or PNG files). The main benefit of this type of compression is that the user keeps all the original data and can revert to the original image, but can still achieve a smaller file size without sacrificing image quality.

As previously mentioned, one of the main benefits of Lossless compression is being able to keep and restore every single bit of data that was within the file after it is uncompressed. This is in contrast to Lossy compression, where metadata is not saved during the compression process and results in data being unable to be restored should you wish to reverse the compression.

Because Lossless compression only sets the removed file data aside rather than discarding it, the smaller image transfers more quickly, which results in faster loading speeds for your website. While the amount of space you will save is not as much as if you were to use Lossy compression, it does give you higher quality images and the option to fully restore should you need it.
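The metadata removal that Lossless compression relies on, shown as an added example (this is not WP-Optimize’s or ReSmush.it’s code): a small parser that walks a JPEG’s marker segments, drops the EXIF/APPn and comment segments, and copies the entropy-coded pixel data through untouched. The sample JPEG bytes are constructed by hand as a structurally valid marker sequence, not a real photo, and the segment layout follows the JPEG marker format.

```python
"""Strip metadata segments from a JPEG without touching the compressed pixel data.

Added example, not WP-Optimize code. Besides shrinking the file, dropping the
EXIF (APP1) segment also removes camera serial numbers and GPS coordinates,
i.e. the kind of location data the GDPR post above counts as personal data.
"""

SOI = 0xD8    # start of image (no length field)
EOI = 0xD9    # end of image (no length field)
SOS = 0xDA    # start of scan: entropy-coded data follows until EOI
APP0 = 0xE0   # JFIF header; kept, some decoders expect it
APP1 = 0xE1   # EXIF / XMP: camera model, timestamps, GPS position
COM = 0xFE    # free-text comment
DQT = 0xDB    # quantisation table; part of the image proper, kept

STANDALONE = {SOI, EOI} | set(range(0xD0, 0xD8))   # markers with no payload (RSTn)
STRIP = {APP1, COM} | set(range(0xE2, 0xF0))       # APP1, APP2..APP15, COM


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each header segment, then ('scan', start, end)
    for the entropy-coded data and finally the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 0
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while data[pos + 1] == 0xFF:   # optional fill bytes before a marker
            pos += 1
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            if marker == EOI:
                return
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes the 2 length bytes
        end = pos + 2 + length
        yield marker, pos, end
        pos = end
        if marker == SOS:
            # Scan data contains FF00 byte stuffing and RSTn markers, so locate
            # the final EOI instead of trying to parse the compressed stream.
            eoi = data.rfind(b"\xff\xd9")
            if eoi < pos:
                raise ValueError("missing EOI")
            yield "scan", pos, eoi
            yield EOI, eoi, eoi + 2
            return


def strip_metadata(data: bytes) -> bytes:
    """Return the JPEG with APP1..APP15 and COM segments removed; pixels unchanged."""
    out = bytearray()
    for marker, start, end in iter_segments(data):
        if marker in STRIP:
            continue
        out += data[start:end]
    return bytes(out)


def saving_percent(original: bytes, optimised: bytes) -> float:
    """Size reduction in percent, the figure the post quotes for each image."""
    return 100.0 * (1 - len(optimised) / len(original))


def segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF, marker, 2-byte length (payload + 2), payload."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: valid marker structure, fake table and scan contents.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(APP1, b"Exif\x00\x00" + b"GPS-ISH-PLACEHOLDER" * 4)   # stands in for EXIF/GPS
    + segment(COM, b"Shot on a constructed camera")
    + segment(DQT, bytes(65))                                       # one zeroed quant table
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"                                       # scan data with FF00 stuffing
    + b"\xff\xd9"
)

if __name__ == "__main__":
    slim = strip_metadata(SAMPLE_JPEG)
    print(f"{len(SAMPLE_JPEG)} -> {len(slim)} bytes, "
          f"{saving_percent(SAMPLE_JPEG, slim):.1f}% smaller")
```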

With Lossless compression enabled, the below image was compressed from 230.26 KB to 172.18 KB, giving just over 25% reduction in size.

Original JPEG image

Converted with Lossless compression. Every pixel is identical to the original image – only the file size is smaller

Original image zoomed in 300%

Lossless image zoomed in 300% – 230.26 KB to 172.18 KB, a 25% reduction in size

Lossless Summary 

Pro – Decreases image file size but maintains original quality of image. Full restoration of data available.
Con – Using Lossless compression results in larger file sizes in comparison to Lossy compression, which can result in slower loading speeds.

Custom

We understand that some users may wish to decide their own balance between maximum compression and best image quality. With the custom option, you can manually choose which settings you prefer for image compression and save them for future use.

Overall Compression Summary

Making a choice between Lossless or Lossy compression depends on what you want to achieve and what works best for your site and users. In general terms, if you have a website that needs to showcase high quality photographs (such as a wedding photography business), you should stick to Lossless compression as it will still display your images in their original highest quality. But if your site is for a local garage for example, where the highest quality images are not so important, Lossy compression could work best as original high quality photos are not essential to the success of your business.

The post Lossy vs Lossless image compression – A guide to the trade-off between image size and quality appeared first on UpdraftPlus.