Keeping the data that gets shared between APIs private should be a key consideration for every organization. After all, APIs are critical elements of today’s multichannel customer experiences. They enable companies to gather, share and utilize data from third-party services to their advantage and also offer an avenue for monetization.
However, APIs can also allow hackers to exploit customer data, which can be detrimental to the customer and to the business that failed to keep that information secure.
In this article, we’ll explore why API privacy is crucial, some of the current initiatives that help organizations ensure their privacy, and show how they can effectively improve their APIs’ privacy.
Given the wealth of customer information shared via APIs daily, companies must understand the importance of API privacy. APIs are used to connect businesses, allowing them to share data and easily integrate third-party services. However, when these APIs become hacked, they can be responsible for major data breaches which expose sensitive customer data and company information.
APIs drive almost every digital function that customers use today. They allow us to send money via mobile apps, track food orders on the way to our homes, and synchronize data across every device we use daily. This means that APIs are responsible for some of the most sensitive data one can imagine.
Unfortunately, we’ve seen a growing number of public breaches that have specifically targeted APIs that are under-secured and over-permissioned. For example, when the money transfer site Venmo was breached in 2019, over 200 million transactions were harvested, which included tons of sensitive data. The hack occurred due to an unsecured API endpoint that required no user authentication. Another notable hack occurred in 2020 when dating site Bumble was breached, another open API endpoint without authentication enabling access to the data of 100 million users.
But these breaches are only the beginning, as Gartner predicts that APIs will be the most frequent attack vector for hackers by next year. Due to the prevalence of API-related attacks that have already occurred and the likelihood that there could be more destructive attacks in the future, organizations must take steps to ensure the security of their APIs and, subsequently, their customer’s data.
In order to assist companies, privacy regulations have been enacted across several domains. Below are some of the most important and how they relate APIs.
When the European Union passed the General Data Protection Regulation Act (GDPR) in 2018, the aim was to give residents of the EU more control over their personal data. If a business held that data was within the EU, it was inconsequential, as long as that was where their customers resided. Failure to demonstrate compliance could result in fines of 4% of annual turnover or 20 million euros.
For organizations outside of the EU, this meant that as long as they conducted business within the EU or had customers located there, they needed to be compliant. One of the requirements of GDPR is that data be “processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.”
When it comes to guarding their APIs, companies need to take matters into their own hands. Considering there are no specific recommendations regarding APIs, organizations need to ensure that they are at the very minimum following API security best practices such as encryption, authentication, and monitoring.
The California Consumer Privacy Act (CCPA) requires organizations to maintain control over what personally identifiable information is collected as well as how it is used and secured. The CCPA represents the first statute within the US that includes compensation for data breaches, which places added pressure on organizations to keep customer data secure.
Requirements are that customers should be informed via privacy notices, terms of service, and data processing policies about what information is collected, disclosed, or even sold, as well as what the information collected will be used for. Protocols also need to be in place to enable customers to request, view, or delete their data if they so desire. Failure to comply could result in penalties ranging from $100 to $750 per violation, and considering that breaches could include hundreds of millions of users, that could become quite expensive.
Like GDPR, there are no specific requirements related to APIs, yet organizations should conduct regular audits of their APIs and follow API security best practices.
In 1996 when the Health Information Portability and Accountability Act (HIPAA) came into existence, it was essentially the first legislation specifically applied to health-related information.
The rule establishes that organizations must safeguard the electronically protected health information (ePHI) of individuals. Penalties for violating the ruling can result in fines of $100 to $50,000 per violation. HIPAA applies to most workers within the US, health insurance providers, and employers that sponsor employee health insurance plans.
There are three primary regulations for HIPAA. First, the privacy rule defines the standards for protecting ePHI in any format, even speaking. HIPAA establishes the security standards for ePHI at all times, whether that data is sitting in a database or transit. It also indicates the type and format of notifications if a breach occurs.
When it comes to APIs, HIPAA essentially requires organizations to cover everything from how their API encryption keys are distributed to how ePHI is discussed by team members. Again, this requires organizations to follow best practices to keep their APIs secure at all times.
The privacy guidelines outlined by GDPR, CCPA, and HIPAA are great starting points for any organization looking to safeguard its APIs. Unfortunately, many of the standard API best practices steps fail to properly secure APIs from threats that target logic flaws found within the API. As a result, a new approach is required.
Most API security methods only identify potential vulnerabilities and breaches after an application has gone through to production or if a breach is already underway. With APIsec, you can use automated testing to find critical logic flaws in your APIs before it is too late. This continuous testing requires no human involvement and can ensure that your APIs are always up to the standard required by privacy regulations.
Learn more about Best Practices for API Compliance & Privacy by reading our white paper.