HTTPS vs. HTTP
Many companies still use what's commonly known as HTTP (Hypertext Transfer Protocol) to communicate between different systems and allow for the transfer of data from a web server to a browser, allowing users to view web pages.
Prior to 2014, only companies with e-commerce pages bothered using HTTPS, which stands for Hypertext Transfer Protocol Secure. Then Google recommended websites switch to HTTPS. As an incentive, Google said it would give websites with HTTPS a bump in rankings, effectively punishing sites that did not make the switch.
The most important difference between the two protocols is the SSL certificate. HTTPS is basically an HTTP protocol with additional security. This additional security can be extremely important, especially for websites that take sensitive data from its users, such as credit card information and passwords.
When someone connects to a website with regular HTTP, the browser looks up the IP address that corresponds to the website, connects to that IP address and assumes it’s connected to the correct web server. Data is sent over the connection in clear text. An eavesdropper on a Wi-Fi network, your internet service provider or government intelligence agencies like the NSA can see the web pages that are being visited and the data that’s being transferred.
With HTTPS, the SSL certificate encrypts the information that users supply to the site, which basically translates the data into a code. If someone manages to steal the data being communicated between the sender and the recipient, they would not be able to understand it due to this encryption. In addition to adding that extra layer of security, HTTPS is also secured via Transport Layer Security (TLS) protocol. TLS helps provide data integrity, which helps prevent the transfer of data from being modified or corrupted, and authentication.
While HTTPS is commonly used for secure communication of information over the Internet, it does not mean the information and any NPI within the information is secure. If the NPI itself isn't secured (encrypted, password protected, etc.), then it doesn't matter if it's transmitted via HTTPS or HTTP. A company should make sure NPI is protected for any forms of transmission, transfer or storage.
The third pillar recommends companies adopt and maintain a written privacy and information security program to protect non-public personal information (NPI) as required by local, state and federal law.
Specifically, the procedures for network security of NPI suggest companies:
Maintain and secure access to company information technology
Develop guidelines for the appropriate use of company information technology.
Ensure secure collection and transmission of NPI.