[UPHPU] store sensitive data in mysql + php web application
dcrookston at gmail.com
Tue Jun 30 13:30:05 MDT 2009
On Tue, Jun 30, 2009 at 11:00 AM, CarSign<utahphp at forsalesticker.com> wrote:
> Hi -
> I am needing to store sensitive data like a Social Security Number in our database that will be used by our web application.
Before you decide to go this route, there are two things you should know.
One is that it is illegal for you as a private business to require
anyone to use their SSN as a unique identifier in your database. If
they choose to give it to you, that's fine, but if they don't want to
then you are required to generate a unique ID which is not their SSN,
and use that instead. This law is rarely invoked and almost no-one
knows about it because people throw their SSNs around like candy these
days, but there's a small chance that someone might bring it up.
Second, you may want to look at http://datalossdb.org/ - this is a
collection of incidents where companies have lost their customers'
personal information to "third parties" - usually crackers, but
sometimes it's things like lost laptops that had information on them
or filing cabinets that were sold when an office closed, but still had
documents in them. Anyway, you should probably read through some of
those to get an idea of what happens to companies that lose their
customers' information - what they have to deal with, what they should
have done differently, etc. That way when you guys get your server
broken into and all your customer information gets stolen, you'll know
how to deal with it. (Yes I said when, not if.)
More information about the UPHPU