At 5:30 PM -0700 8/11/10, Daevid Vincent wrote:
> -----Original Message-----
> 2. Were told it was a social security number
> (i.e., in the form of 123-45-6789).
>
> Stop.
> Why are you even contemplating storing SS# ??
Daevid et al:
Why? Because my client wants to store SS numbers on their online
system to aid them in their collection business.
You see, the client in this case is not asking people for their SS
numbers, but rather trying to collect unpaid debts. Their clients
(i.e., creditors) have provided them debtor data, which may/may not
include SS numbers.
My current thoughts are that the entire process will be behind a
password protected section of a web site where only the people
working for the firm will have access. The point of the system will
be to aid collectors in their collection efforts and to allow them to
conduct business anywhere they can find Internet access.
Of course, this will not stop employees from abusing the data, but
that possibility also exists in the hard-copy only office as well --
that's a criminal act and will be handled accordingly. The difference
here is that the data can be accessed online via password
authorization. Is that too easy?
My effort here with my "Encryption/Decryption Question" is to focus
on the event that the web site may be hacked and access to the database
is provided to an intruder. In such case, then the SS numbers
residing there should be encrypted and that was my current quest to
resolve.
Now, if federal law prohibits storing SS numbers in an online
database that's accessible via password authorization then that's
"end-of-story". I'll simply tell the client that federal law
prohibits such practice and that will be the end of it -- it makes no
difference to me.
However, if the practice of storing SS numbers online is not
prohibited by law, then what are the appropriate "due diligence"
steps necessary to protect such data?
Cheers,
tedd
--
-------
http://sperling.com/
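
Added example, not part of tedd's message or of the list thread: one way to cover the database-compromise case raised above is to encrypt each SS number with a key that is kept outside the database. It assumes PHP 7.2+ with the bundled sodium extension; the function names and the SSN_KEY_B64 environment variable are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: the key is provisioned to the web server outside the database
// (here a hypothetical environment variable), so a stolen dump lacks it.
function loadKey(): string
{
    $key = base64_decode((string) getenv('SSN_KEY_B64'), true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('SSN key is missing or malformed');
    }
    return $key;
}

function encryptSsn(string $ssn, string $key): string
{
    if (!preg_match('/^\d{3}-\d{2}-\d{4}$/', $ssn)) {
        throw new InvalidArgumentException('Unexpected SSN format');
    }
    // A fresh random nonce per value; it is stored alongside the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($ssn, $nonce, $key));
}

function decryptSsn(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Stored value is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox is authenticated: a wrong key or altered row returns false.
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Decryption failed: wrong key or tampered data');
    }
    return $plain;
}

// Demo with a constructed key and the sample number quoted in the thread.
putenv('SSN_KEY_B64=' . base64_encode(sodium_crypto_secretbox_keygen()));
$key = loadKey();
$stored = encryptSsn('123-45-6789', $key);   // value for the database column
echo $stored, PHP_EOL;
echo decryptSsn($stored, $key), PHP_EOL;
```

This protects against a leaked database or backup only; an intruder who can run code on the web server can read the key as well.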