- Always On SSL (AOSSL)
- Domain Name System Security Extensions (DNSSEC)
- Domain-based Message Authentication, Reporting and Conformance (DMARC)
- Email authentication (SPF and DKIM)
- Extended Validation SSL Certificates (EV SSL)
- FTC settlements since April 2010
- Privacy practices and data tracking by third parties
- Site SSL implementation and server configurations
- Site vulnerabilities and data breach loss incidents since April 2010
- Private domain registration as reported to ICANN
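The "Email authentication (SPF and DKIM)" and DMARC criteria above come down to what a domain publishes in DNS. The script below is an added example, not OTA's scoring code, showing how a reviewer would read those records: it parses SPF and DMARC TXT records and reports whether each is present and whether it is actually enforcing (an SPF record ending in `+all` or a DMARC policy of `p=none` counts as published but not protective). The records are constructed samples keyed by DNS name so the script runs offline; `SAMPLE_TXT`, `assess` and the domain names are assumptions for illustration. DKIM is deliberately not checked, because a DKIM key lives under a selector name the checker cannot guess.

```python
"""Added example: assess SPF and DMARC posture from TXT records (offline)."""

# Constructed sample TXT records, keyed by the DNS name they would be served at.
# In a live check these would come from DNS queries for <domain> and _dmarc.<domain>.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "legacy.example": ["v=spf1 +all"],            # SPF published, but permits any sender
    "_dmarc.legacy.example": ["v=DMARC1; p=none"],  # DMARC published, monitoring only
    "nothing.example": [],                         # no authentication records at all
}


def parse_spf(records):
    """Return the mechanism list of the first v=spf1 record, or None if absent."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            return rec.split()[1:]
    return None


def parse_dmarc(records):
    """Return the tags of the first v=DMARC1 record as a dict, or None if absent."""
    for rec in records:
        tags = {}
        for part in rec.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


def assess(domain, txt=SAMPLE_TXT):
    """Summarise whether SPF and DMARC exist and whether they are enforcing.

    'Enforcing' means: SPF ends with -all (fail) or ~all (softfail) so unlisted
    senders are rejected or flagged; DMARC policy is quarantine or reject.
    Note: include: and redirect= targets are not expanded here.
    """
    spf = parse_spf(txt.get(domain, []))
    dmarc = parse_dmarc(txt.get("_dmarc." + domain, []))
    result = {
        "has_spf": spf is not None,
        "spf_enforcing": False,
        "has_dmarc": dmarc is not None,
        "dmarc_policy": None,
        "dmarc_enforcing": False,
    }
    if spf:
        # The last mechanism decides what happens to senders nothing else matched.
        # "+all" or a bare "all" accepts everyone and makes the record useless.
        result["spf_enforcing"] = spf[-1].lower() in ("-all", "~all")
    if dmarc:
        policy = dmarc.get("p", "none").lower()
        result["dmarc_policy"] = policy
        result["dmarc_enforcing"] = policy in ("quarantine", "reject")
    return result


if __name__ == "__main__":
    for name in ("example.com", "legacy.example", "nothing.example"):
        print(name, assess(name))
```

A site that merely publishes a record would satisfy a presence-only criterion, which is why the enforcement flags are reported separately: `legacy.example` above "has" both SPF and DMARC yet protects nobody.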
Nearly 30% of the sites reviewed earned the Honor Roll designation, with social media sites making the biggest gains: 52% of social media sites made the Honor Roll in 2012, compared with only 12% in 2011. The social media Honor Roll reads like a who's who of the sector, including Facebook, Google Plus, LinkedIn, Twitter and Zynga.
Spiezel believes social media sites have made big gains because their infrastructure tends to be newer, so they sidestep much of the complexity that sites built on legacy infrastructure have to deal with. He adds that these sites have recognized that countering online abuse and fraud is essential to their business.
"Twitter and so many other social sites, to their credit, have adopted best practices," he says. "They recognize that their infrastructure is not nearly as complex as some of the older sites or businesses that have been around, and they take advantage of that."
Federal Sites Are Lagging in Best Practices Implementation
Federal government sites made gains on OTA's criteria but still trailed the other sectors. OTA found that only 58% of the top 50 federal sites had implemented email authentication (SPF or DKIM), up from 38% in 2011. The federal sites averaged a score of 68 on a 1 to 100 scale for their SSL implementation; 26% had implemented EV SSL and 70% had implemented DNSSEC.
FDIC sites did somewhat better. OTA found that 69% of the top 100 FDIC sites had implemented email authentication. The FDIC sites averaged 76 on a 1 to 100 scale for their SSL implementation; 55% had implemented EV SSL. The sites averaged a privacy score of 58.52 on a 1 to 100 scale.
Meanwhile, 97% of the top 100 ecommerce sites had implemented email authentication, and their SSL implementation averaged 75.88 on a scale of 1 to 100. They averaged a privacy score of 61.16 on the same scale.
Holistic View of Data Protection Needed