Re: Storing Social Security Number WAS: Encryption/Decryption Question

On Thu, Aug 12, 2010 at 10:30 AM, tedd <tedd@xxxxxxxxxxxx> wrote:
> At 2:51 PM +0100 8/12/10, Ashley Sheridan wrote:
>>
>> If you are storing the data in a DB, then I'd consider using different
>> levels of access to that via different DB users, which should offer an extra
>> layer of security in protecting the data.
>
> Of course, the routines I'm writing provide several levels of access for
> different functions/job-duties. However, at some point there will be people
> who will have access to SS# data.
>
> The real questions here are:
>
> 1. Is it lawful in the USA to store US SS# in an online database?
>
> 2. If it is lawful, then what security provisions are required?
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

The worst part of that is that it varies by state (check the MA and NY
laws as the most restrictive); there are no federal guidelines as yet.
However, the data must be stored in an encrypted format and it must be
transmitted via SSL. We do it that way (taking both a hash for
searching for the ssn and the encrypted form) and haven't had any
issues as yet. Some clients are simply refusing to store SSNs for any
person in the system where the address is in MA. The other thing to
consider is that more and more states are looking to encrypt PII data
(name, dob, ssn etc) for more security.

You could consider storing just the encrypted ssn and link data in a
separate database that would require a different logon to access when
the data is required.

-- 

Bastien

Cat, the other other white meat
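
The hash-for-searching plus encrypted-form layout described in the reply above, as an added example that is not part of the original message or the poster's code. Assumptions: PHP 7.1+ with the OpenSSL extension, AES-256-GCM as the cipher (the post names none), a keyed HMAC in place of a plain hash for the search column, and hypothetical function and column names.

```php
<?php
declare(strict_types=1);

// Assumption: both keys are loaded from outside the database (environment,
// key management service); they are generated here only so the example runs.
$encKey   = random_bytes(32); // AES-256-GCM key for the stored ciphertext
$indexKey = random_bytes(32); // separate HMAC key for the search column

function normalizeSsn(string $ssn): string
{
    $digits = (string) preg_replace('/\D/', '', $ssn);
    if (strlen($digits) !== 9) {
        throw new InvalidArgumentException('SSN must contain exactly 9 digits');
    }
    return $digits;
}

// Keyed hash for equality lookups. An unkeyed hash of a 9-digit value can be
// enumerated by anyone holding the table, so HMAC with its own key is used.
function ssnSearchToken(string $ssn, string $indexKey): string
{
    return hash_hmac('sha256', normalizeSsn($ssn), $indexKey);
}

function encryptSsn(string $ssn, string $encKey): string
{
    $iv  = random_bytes(12); // fresh nonce for every record
    $tag = '';
    $ct  = openssl_encrypt(normalizeSsn($ssn), 'aes-256-gcm', $encKey, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct); // layout: 12-byte nonce, 16-byte tag, ciphertext
}

function decryptSsn(string $blob, string $encKey): string
{
    $raw = (string) base64_decode($blob, true);
    $pt  = strlen($raw) < 28 ? false : openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $encKey, OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) {
        throw new RuntimeException('ciphertext is malformed or was modified');
    }
    return $pt;
}

// Constructed sample value; ssn_token and ssn_enc are hypothetical column names.
$row = ['ssn_token' => ssnSearchToken('078-05-1120', $indexKey), 'ssn_enc' => encryptSsn('078-05-1120', $encKey)];
var_dump(hash_equals($row['ssn_token'], ssnSearchToken('078051120', $indexKey)));
echo decryptSsn($row['ssn_enc'], $encKey), PHP_EOL;
```

The search token supports exact-match lookups only, and the two keys should be held by different credentials than the database logon so that a dump of the table alone yields neither the SSNs nor a way to test guesses.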
