Building Trust 31 January 2017

OTA Announces Methodology for Ninth Annual Online Trust Audit

Criteria updated to reflect new security standards, responsible privacy practices and globally accepted security and resiliency best practices

Jan. 31, 2017 – Bellevue, Wash. & Washington DC – The Online Trust Alliance today released the methodology for the forthcoming 2017 Online Trust Audit and Honor Roll. This marks the ninth consecutive year OTA has conducted its Online Trust Audit report to drive awareness of responsible online privacy and data security practices, and recognize leaders in the public and private sectors who have embraced them.

As the only comprehensive, independent online trust benchmark study, the OTA Online Trust Audit evaluates sites in three categories: consumer protection, responsible privacy practices and security. Based on a composite weighted analysis, sites that score 80 percent or better overall, without failing in any one category, will be recognized in the Honor Roll. This study will analyze up to 1,000 consumer-facing websites, including the Internet Retailer 500, top 100 FDIC banks, top 100 consumer service sites, government agencies and top 100 news and media companies. In addition, the 2017 Audit includes a new category focused on Internet Service Providers, mobile carriers and email box providers.

The 2017 methodology incorporates input from leading companies, consumer groups, security professionals and associations who responded to OTA’s call for public comment issued last September as well as generally accepted and deployed security standards. Data collection and evaluations will commence in late April running through mid-May, with the report being published in mid-June.

“As online trust continues to be undermined by criminal activities and increasingly common cyber incidents like ransomware, DDoS attacks and email compromise, now more than ever businesses need to adopt data security and privacy enhancing best practices,” said Craig Spiezle, Executive Director and President of the Online Trust Alliance. “The Online Trust Audit and Honor Roll recognizes those organizations that show exemplary commitment to consumer and data protection, underscoring the importance of meaningful self-regulation.”

The Online Trust Audit focuses on the three key pillars:

  • Consumer Protection – Email authentication, domain security and anti-phishing technologies.
  • Privacy – Policies and practices including data retention, disclosures, user anonymity, third-party data sharing, opt-out mechanisms and observing sensitive data barriers.
  • Security & Resiliency – Site configuration, Secure Sockets Layer (SSL) infrastructure, presence of site vulnerabilities, observed malware, and related security and data protection enhancing controls.

The Online Trust Audit has historically recognized those organizations that “walk the talk.” Across all sectors, the top 10 scoring sites that qualified for the 2016 Honor Roll, announced in June 2016, included:

  1. Twitter (twitter.com)
  2. HealthCare.gov (healthcare.gov)
  3. Pinterest (pinterest.com)
  4. The White House (whitehouse.gov)
  5. Dropbox (dropbox.com)
  6. FileYourTaxes (fileyourtaxes.com)
  7. LifeLock (lifelock.com)
  8. Instagram (instagram.com)
  9. 1040.com (1040.com)
  10. The Gap (gap.com)

As the privacy and data security landscape continues to evolve, so do the methodology, criteria and scoring of the Online Trust Audit. Key changes in the 2017 methodology include more stringent scoring for server and Secure Sockets Layer (SSL) configurations, increased weighting of Domain-based Message Authentication, Reporting & Conformance (DMARC) records, and privacy policy transparency, including Do Not Track (DNT) disclosures and revision tracking. Additional enhancements include evaluating sites’ capabilities to counter Domain Name System (DNS), Distributed Denial of Service (DDoS) and botnet attacks, and whether sites have a discoverable vulnerability reporting mechanism and have adopted multi-factor authentication to help counter unauthorized account takeover and password resets. The 2017 Audit methodology is posted at https://otalliance.org/2017Methodology.

About OTA: 

The Online Trust Alliance (OTA) is a non-profit with the mission to enhance online trust and user empowerment while promoting innovation and the vitality of the Internet. Its goal is to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users’ security, privacy and identity. OTA supports collaborative public-private partnerships, benchmark reporting, and meaningful self-regulation and data stewardship. Its members and supporters include leaders spanning the public policy, technology, ecommerce, social networking, mobile, email and interactive marketing, financial, service provider, government agency and industry organization sectors.
