Data Security Law Blog

Online Trust Alliance Audit Hands Feds Rare Honor

The federal government’s record for effective cyber defenses of its own websites has not been stellar over the past few years. Federal government agencies ranging from the Office of Personnel Management to the National Archives have suffered data breaches, as have nearly a dozen other agencies.

But last week, the Internet Society’s Online Trust Alliance (OTA) – self-described as an entity that “identifies and promotes security and privacy best practices … [to] build consumer confidence in the Internet” – handed the feds a significant victory by giving them top billing in its 2018 Online Trust Audit & Honor Roll.

The trust audit, which involved an evaluation of more than 1,200 websites, is described by the OTA as “the de facto standard for recognizing excellence in online consumer protection, data security and responsible privacy practices.”

An OTA audit evaluates websites across three categories – consumer protection, website security, and responsible privacy practices. For consumer protection, the report looks at whether, and to what extent, sites across different sectors have implemented a number of best practices, including email authentication, in particular Domain-based Message Authentication, Reporting & Conformance (DMARC), used to defend against “spoofed and forged email used in spearphishing and business email … attacks”; encryption of messages in transit between mail servers; and the adoption of Internet Protocol version 6 (IPv6), which “expands the number of unique IP addresses, thereby supporting the growth of the Internet.”

For website security, the OTA looks at IP reputation, software patching, implementation of HTTP Strict Transport Security (HSTS), used to help ensure data exchanged between sites and devices is encrypted, and “vulnerability disclosure mechanisms/programs,” among other factors.
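As an added example (not part of the blog post or of the OTA’s methodology), the following Python classifies a domain’s DMARC record and HSTS header into adoption and enforcement buckets along the lines of the audit criteria described above. The bucket labels, the one-year HSTS threshold and the sample records are this example’s own assumptions, not the OTA’s scoring rules.

```python
ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for a "strong" rating

def parse_tag_list(value):
    """Split 'k=v; k=v' text (DMARC TXT / HSTS header syntax); bare directives map to True."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip() if sep else True
    return tags

def dmarc_level(txt_record):
    """missing -> invalid -> monitor (p=none) -> partial (pct<100) -> enforce."""
    if not txt_record:
        return "missing"
    tags = parse_tag_list(txt_record)
    if str(tags.get("v", "")).upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = str(tags["p"]).lower()
    if policy == "none":
        return "monitor"          # reports only; spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid"
    pct = str(tags.get("pct", "100"))  # pct defaults to 100 per RFC 7489
    return "enforce" if pct.isdigit() and int(pct) >= 100 else "partial"

def hsts_level(header):
    """missing -> weak (max-age below ONE_YEAR or unparsable) -> strong."""
    if not header:
        return "missing"
    max_age = str(parse_tag_list(header).get("max-age", "0"))
    return "strong" if max_age.isdigit() and int(max_age) >= ONE_YEAR else "weak"

def audit_site(dmarc_txt, hsts_header):
    hsts = parse_tag_list(hsts_header or "")
    return {"dmarc": dmarc_level(dmarc_txt), "hsts": hsts_level(hsts_header),
            "hsts_subdomains": hsts.get("includesubdomains") is True,
            "hsts_preload": hsts.get("preload") is True}

# Constructed sample records for three hypothetical domains (not real lookups).
SAMPLES = {
    "agency.example": ("v=DMARC1; p=reject; rua=mailto:dmarc@agency.example",
                       "max-age=31536000; includeSubDomains; preload"),
    "shop.example": ("v=DMARC1; p=quarantine; pct=25", "max-age=300"),
    "clinic.example": (None, None),
}
if __name__ == "__main__":
    for name, (dmarc, hsts) in SAMPLES.items():
        print(name, audit_site(dmarc, hsts))
```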

With regard to privacy practices, the OTA evaluates the extent to which sites offer privacy statements and how transparent those statements are, including about data retention and sharing; the use of third-party trackers that share data, often in connection with third-party advertising and targeting of site users; and incidents of data loss and breaches, among other factors.

Sites that score at least 80 percent overall, without failing in any category, qualify for the Honor Roll.

While only 52 percent of the websites analyzed qualified in 2017, this year’s number has risen to 70 percent, an 18 percent increase.

In leaping to the top of the OTA’s list, 91 percent of the federal government’s websites made the 2018 Honor Roll, compared to just 39 percent in 2017. This rise is likely attributable to the federal sector’s jump to the front of the line in a few key areas. The report reflects that the federal sector had the top site security score, with “no failure in site security;” the highest DMARC adoption and policy enforcement; and the most prevalent adoption of IPv6. With regard to email authentication and DMARC adoption, the report attributed the “significant jump” for federal sites to DHS Directive 18-01, a binding directive concerning enhanced email and web security.

Additionally, the report indicates that the federal sector “led the way” in privacy, alongside the consumer sector. Based upon these factors, the federal government sites were deemed “most improved.”

While the report did not discuss data breaches in the federal sector, it did indicate that the consumer sector had the highest level of data security incidents, followed by the healthcare sector.

While the audit reflects near-complete adoption of best practices in certain areas, and progress in the adoption of data security practices across sectors, with some making significant strides, it also shows that others, which consumers rely on to protect sensitive information, still have much room for improvement and remain vulnerable to data breaches.