On Thu, 2010-08-12 at 09:45 -0400, tedd wrote:
> At 5:30 PM -0700 8/11/10, Daevid Vincent wrote:
>> -----Original Message-----
>>> 2. Were told it was a social security number
>>> (i.e., in the form of 123-45-6789).
>>
>> Stop.
>>
>> Why are you even contemplating storing SS# ??
>
> Daevid et al:
>
> Why? Because my client wants to store SS numbers on their online
> system to aid them in their collection business.
>
> You see, the client in this case is not asking people for their SS
> numbers, but rather trying to collect unpaid debts. Their clients
> (i.e., creditors) have provided them debtor data, which may/may not
> include SS numbers.
>
> My current thoughts are that the entire process will be behind a
> password-protected section of a web site where only the people
> working for the firm will have access. The point of the system will
> be to aid collectors in their collection efforts and to allow them to
> conduct business anywhere they can find Internet access.
>
> Of course, this will not stop employees from abusing the data, but
> that possibility also exists in the hard-copy-only office as well --
> that's a criminal act and will be handled accordingly. The difference
> here is that the data can be accessed online via password
> authorization. Is that too easy?
>
> My effort here with my "Encryption/Decryption Question" is to focus
> on the event that the web site may be hacked and access to the database
> is provided to an intruder. In such a case, the SS numbers
> residing there should be encrypted, and that was my current quest to
> resolve.
>
> Now, if federal law prohibits storing SS numbers in an online
> database that's accessible via password authorization, then that's
> "end of story". I'll simply tell the client that federal law
> prohibits such practice and that will be the end of it -- it makes no
> difference to me.
>
> However, if the practice of storing SS numbers online is not
> prohibited by law, then what are the appropriate "due diligence"
> steps necessary to protect such data?
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/

If you are storing the data in a DB, then I'd consider using different
levels of access to that via different DB users, which should offer an
extra layer of security in protecting the data.

In the UK, I believe you are allowed to store details such as these in
an online system, but the whole server itself has to pass a PCI check,
which ensures that various server modules are up-to-date, etc., which
should hopefully block another hole or two.

Thanks,
Ash
http://www.ashleysheridan.co.uk
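The following is an added example, not code from this thread or from either poster. It illustrates tedd's stated goal (a database dump alone should not yield SSNs) with the usual field-level construction: encrypt each SSN under a key that lives outside the database, bind the ciphertext to its row, and keep a keyed-MAC column so collectors can still search by SSN without decrypting every record. It is written in Go because the standard library carries AES-GCM and HMAC, so it runs as-is; the pattern maps directly onto a PHP application using the sodium or openssl extensions. The two hex keys are constructed stand-ins for keys that a real deployment would load from a config file, environment variable or KMS that the DB user cannot read, and the row identifier `debtor:42` is invented for the demonstration. Ash's point about separate DB users is complementary: the web application's DB account needs the ciphertext and token columns, but never the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-in keys. In production both come from outside the
// database (config file readable only by the web user, env var, KMS/HSM),
// so an intruder who only dumps the DB does not obtain them.
const (
	dataKeyHex  = "0f1e2d3c4b5a69788796a5b4c3d2e1f0f0e1d2c3b4a5968778695a4b3c2d1e0f"
	indexKeyHex = "a1b2c3d4e5f60718293a4b5c6d7e8f900192a3b4c5d6e7f809fa1b2c3d4e5f60"
)

var ssnRe = regexp.MustCompile(`^(\d{3}-\d{2}-\d{4}|\d{9})$`)

// normalizeSSN accepts 123-45-6789 or 123456789 and returns the nine digits,
// so the same SSN always encrypts and indexes identically.
func normalizeSSN(s string) (string, error) {
	if !ssnRe.MatchString(s) {
		return "", errors.New("not a 9-digit SSN")
	}
	return strings.ReplaceAll(s, "-", ""), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSSN encrypts the normalized SSN with AES-256-GCM and a fresh random
// nonce. The row identifier is passed as additional authenticated data, so a
// ciphertext copied into another debtor's row fails to decrypt instead of
// silently "working". Output is base64(nonce || ciphertext || tag).
func sealSSN(dataKey []byte, ssn, rowID string) (string, error) {
	digits, err := normalizeSSN(ssn)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(digits), []byte(rowID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openSSN reverses sealSSN; any change to the key, the row ID or a single
// byte of the stored blob is reported as a failure rather than bad digits.
func openSSN(dataKey []byte, blob, rowID string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(rowID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong row, or tampered data")
	}
	return string(pt), nil
}

// ssnLookupToken gives collectors equality search without decrypting every
// row: store HMAC(indexKey, digits) in an indexed column and query on it.
// A keyed MAC rather than a plain hash matters here: there are only 10^9
// possible SSNs, so an unkeyed SHA-256 column is trivially brute-forced
// from a database dump.
func ssnLookupToken(indexKey []byte, ssn string) (string, error) {
	digits, err := normalizeSSN(ssn)
	if err != nil {
		return "", err
	}
	m := hmac.New(sha256.New, indexKey)
	m.Write([]byte(digits))
	return hex.EncodeToString(m.Sum(nil)), nil
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	dataKey, indexKey := mustHex(dataKeyHex), mustHex(indexKeyHex)
	blob, _ := sealSSN(dataKey, "123-45-6789", "debtor:42")
	fmt.Println("stored ciphertext:", blob)
	pt, _ := openSSN(dataKey, blob, "debtor:42")
	fmt.Println("decrypted for the right row:", pt)
	_, err := openSSN(dataKey, blob, "debtor:43")
	fmt.Println("same blob moved to another row:", err)
	tok, _ := ssnLookupToken(indexKey, "123456789")
	fmt.Println("lookup token:", tok)
}
```

Each seal produces a different blob for the same SSN because of the random nonce, so the ciphertext column leaks nothing about which debtors share a number; only the HMAC column does, and only to someone who also holds the index key.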