According to testimony before the House Committee on Science, Space, and Technology and warnings from IT security experts, individuals using the federal government’s website to obtain health coverage through the Exchange are likely putting the security of their sensitive personal information at significant risk. Reports about the cost of the federal website vary, but based on those reports, it is safe to say that the cost to date is tens of millions of dollars, and growing.
Politics aside, most companies spend far less on their websites, whether those sites are directed at customers, the public generally, employees and applicants, or all of the above. These companies might be asking: if the United States government spends tens of millions of dollars on a website that may wind up being inadequate to secure sensitive personal information, have we done enough to secure our sites? Many of these same companies use third-party vendors to provide web-based services to their employees and customers, and may be wondering whether those vendors have appropriate security measures in place.
These are important questions that relate not only to the technical data security measures in place for a site, but also to what is stated on the site in website privacy policies and terms of use about the security of the data collected on the site. The appropriate level of security will vary, for sure, company to company, industry to industry, function to function, and so on. But the level of website security, what is said about the level of security, and addressing related exposures should be a priority for any company’s risk management team, and not left solely to the IT department.