On Tue, Jun 30, 2009 at 11:00 AM, CarSign<[email protected]> wrote:
> Hi -
>
> I am needing to store sensitive data like a Social Security Number in our 
> database that will be used by our web application.

Before you decide to go this route, there are two things you should know.

One is that it is illegal for you as a private business to require
anyone to use their SSN as a unique identifier in your database.  If
they choose to give it to you, that's fine, but if they don't want to
then you are required to generate a unique ID which is not their SSN,
and use that instead.  This law is rarely invoked and almost no-one
knows about it because people throw their SSNs around like candy these
days, but there's a small chance that someone might bring it up.

Second, you may want to look at http://datalossdb.org/ - this is a
collection of incidents where companies have lost their customers'
personal information to "third parties" - usually crackers, but
sometimes it's things like lost laptops that had information on them
or filing cabinets that were sold when an office closed, but still had
documents in them.  Anyway, you should probably read through some of
those to get an idea of what happens to companies that lose their
customers' information - what they have to deal with, what they should
have done differently, etc.  That way when you guys get your server
broken into and all your customer information gets stolen, you'll know
how to deal with it.  (Yes I said when, not if.)

-Dan

_______________________________________________

UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net