Keeping You And Your Business Secure Online

15 December 2014

I can’t remember the last time I went into the bank. It’s not that I don’t like bankers; I just choose to use my bank’s excellent online services. I also do my grocery shopping, buy presents, car parts and other things online. When I think about it, I do quite a few everyday tasks from the comfort of my couch. I’m not a hermit – I’ve just embraced it to save time, money and to avoid early closing hours.

Buying and transacting online so often means I’m sharing sensitive information over the internet. Banking details, addresses, phone numbers and a range of other information are all communicated in this way. The amount and frequency of my sharing is increasing.

From a legal perspective, electronic communication introduces risk, both from the perspective of a consumer and that of a business. When sharing sensitive information you should consider the following points:

Knowing who you are dealing with is the main issue. As you can’t walk into the branch of the online bank, the bank’s website security certificate is the next best thing. Issued by an independent third party, the certificate confirms the identity of the website that you are dealing with. The same security certificate is pre-loaded into your browser. When you navigate to a website, the website sends a copy of the certificate to your device, and your browser matches it against the copy that it has (provided these features are enabled). If they match, a green address bar is displayed together with ‘https’, and communication between the website and your device will become encrypted (indicated by a padlock being displayed). Encryption is when the data communicated between devices is scrambled and unscrambled based on a temporary unique key that the browser and website have. Nobody else has access to the unique key, so they can’t decipher the communication.

So what does it really mean when your browser address bar goes red and you receive a prompt that there’s an error with the website’s security certificate? Or your antivirus software blocks your access to a site saying that it’s ‘untrusted’? Effectively the website’s security certificate doesn’t match that held by the browser, or it has been identified as fraudulent or harmful. Clicking ‘continue’ means that you don’t know who is at the other end.

It also means that your communication may not be encrypted. If this is the case, your data is being sent through the internet like a postcard – your information can easily be intercepted, read and used by others. While such interception is illegal, the practicalities of tracking perpetrators and getting them before the New Zealand courts are difficult.

The security certificates stored by your browser and anti-virus software are regularly updated. So making sure that your browser has all updates installed will minimise risk. If you operate a website, making sure that your website’s security certificates are current will reduce the risk that your users are put off by security warnings.
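For website operators, one way to keep an eye on certificate currency is a small script that reads the certificate's validity dates and flags it before it lapses. This is an added example, not part of the original article; the 30-day threshold, the function names and the sample dates are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal threshold; not a figure from the article


def _when(cert_time):
    """Convert a certificate date string (as in getpeercert()) to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def classify(cert, now, warn_days=WARN_DAYS):
    """Return (status, whole days until expiry) for a getpeercert()-style dict."""
    left = (_when(cert["notAfter"]) - now).days
    if now < _when(cert["notBefore"]):
        return "not yet valid", left
    if now > _when(cert["notAfter"]):
        return "expired", left
    return ("renew soon" if left < warn_days else "ok"), left


def fetch_cert(host, port=443, timeout=5):
    """Fetch a site's certificate over a verified TLS connection.

    The default context checks the chain and hostname, so an expired or
    mismatched certificate raises ssl.SSLCertVerificationError here, which
    is the same failure a visitor's browser reports as a warning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the format getpeercert() returns (not a real site).
SAMPLE_CERT = {
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    today = datetime(2024, 3, 15, tzinfo=timezone.utc)  # fixed date for the sample
    print(classify(SAMPLE_CERT, today))
```

Run on a schedule against your own site with `classify(fetch_cert("your-site.example"), datetime.now(timezone.utc))`, where the hostname is a placeholder.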

From a business perspective, if you are dealing with personal information, then you are subject to the Privacy Act. This sets out a range of principles in relation to the collection, retention, storage and use of personal information. Having a website that doesn’t use encryption could be putting personal information at risk while it’s being communicated across the internet. Arguably, this could mean that you have failed to keep the data secure, and have breached the Privacy Act.

Although the points above may seem daunting, provided you remain diligent with online activity, you should enjoy the benefits of transacting and using online services, with risk minimised to an acceptable level.


Chris Steenstra is an Associate at Norris Ward McKinnon. With offices in Hamilton and Huntly, we have friendly, expert legal advisors ready to help you with your business and personal legal matters. Find out more about us here.