  1. #1
    SitePoint Member
    Join Date
    Apr 2010
    Posts
    8

    What are the rules for passing a SSN in a form

    I'm trying to find the standards for passing SSN through an online form to be emailed. What are the rules?

    Thanks,
    Paul

  2. #2
    Dan Grossman (Follow Me On Twitter: @djg)
    Join Date
    Aug 2000
    Location
    Philadelphia, PA
    Posts
    20,580
    The rule is "don't do it"; there's no reason to send a social security number through e-mail.

    If a client has asked you to do it, convince them to let you build a secure system to view the form results on the web instead.

  3. #3
    Aleksejs (secure webapps for all)
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    I agree with Dan.

    I am not familiar with US legislation; could it be that the HIPAA standard applies to SSNs as well?

  4. #4
    SitePoint Enthusiast
    Join Date
    Jul 2007
    Location
    USA
    Posts
    53
    Paul, you need to do a search for "Social Security Number Protection Law" and figure out if the US state where your business is located has enacted specific legislation. There has been a lot of activity lately surrounding identity theft, and imposing harsh penalties against companies who fail to protect customer data such as SSNs. It is never a good idea to capture an SSN and send it via email. All of that is clear text and is basically the same as asking your customers to write everything on a postcard and mail it for everyone to see.

    Consider using encryption along all the pathways between the customer and your business if using the SSN is a requirement. For example: data storage should be encrypted (the database itself and multi-protocol for SQL); connecting to your website should be encrypted (SSL certificates); public/private key pairs to encrypt local network connections; etc. Implement a logging system to track who is trying to access SSN data, no matter if they are authenticated or unauthenticated users.

    Curious to know why you need the SSN and how you are using it. Another point is to make sure you do not use it as an identification number for customer records. Thanks. Let us know what you've discovered from your research about the legal usage of SSNs.
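The advice in the post above (log every attempt to touch SSN data, authenticated or not, and never use the SSN as the customer identifier) can be shown in a small server-side model. This is an added example, not code from the thread or from any poster; the names `CustomerStore`, `blind_index`, `mask_ssn` and the key `BLIND_INDEX_KEY` are hypothetical, the key value is a constructed placeholder, and encryption of the full SSN at rest is assumed to be handled by the database or a vault and is not modelled here. The example goes a step beyond the post: it uses a keyed HMAC "blind index" so a record can be found by SSN without keeping the plaintext in a searchable column, and it shows only the last four digits when displaying.

```python
import datetime
import hashlib
import hmac
import re
import secrets

# Constructed placeholder: in production this key comes from a secret
# store or KMS, never from source code.
BLIND_INDEX_KEY = b"constructed-placeholder-key-do-not-use"


def normalize_ssn(ssn: str) -> str:
    """Reduce '123-45-6789' / '123 45 6789' to nine digits, or reject."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def blind_index(ssn: str) -> str:
    """Keyed HMAC-SHA256 of the normalized SSN.

    Lets the store find a record by SSN without a plaintext SSN column.
    It must be keyed: the SSN space is under 10^9 values, so an unkeyed
    hash could be reversed by simple enumeration.
    """
    return hmac.new(BLIND_INDEX_KEY, normalize_ssn(ssn).encode(),
                    hashlib.sha256).hexdigest()


def mask_ssn(ssn: str) -> str:
    """Display form: only the last four digits are ever shown."""
    return "***-**-" + normalize_ssn(ssn)[-4:]


class CustomerStore:
    """In-memory stand-in for a database table (hypothetical).

    The customer id is random, so the SSN is never a record key.  The
    full SSN is assumed to live in an encrypted column or vault (not
    modelled); this table holds only the blind index and the masked form.
    """

    def __init__(self):
        self._records = {}    # customer_id -> record
        self._by_index = {}   # blind index -> customer_id
        self.audit_log = []   # every attempt to touch SSN data

    def add_customer(self, name: str, ssn: str) -> str:
        idx = blind_index(ssn)
        if idx in self._by_index:
            raise ValueError("duplicate SSN")
        customer_id = secrets.token_hex(8)  # unguessable, unrelated to SSN
        self._records[customer_id] = {
            "name": name, "ssn_idx": idx, "ssn_display": mask_ssn(ssn)}
        self._by_index[idx] = customer_id
        return customer_id

    def _audit(self, actor, authenticated, action, outcome):
        self.audit_log.append({
            "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "actor": actor, "authenticated": authenticated,
            "action": action, "outcome": outcome})

    def find_by_ssn(self, actor: str, authenticated: bool, ssn: str):
        """Look up a customer by SSN; every attempt is logged, allowed or not."""
        if not authenticated:
            self._audit(actor, False, "find_by_ssn", "denied")
            return None
        customer_id = self._by_index.get(blind_index(ssn))
        self._audit(actor, True, "find_by_ssn",
                    "hit" if customer_id else "miss")
        return customer_id


if __name__ == "__main__":
    # Constructed sample data for a local run.
    store = CustomerStore()
    cid = store.add_customer("Test Person", "123-45-6789")
    print("customer id:", cid, "display:", store._records[cid]["ssn_display"])
    store.find_by_ssn("anonymous", False, "123-45-6789")   # logged as denied
    store.find_by_ssn("clerk", True, "123-45-6789")        # logged as hit
    for entry in store.audit_log:
        print(entry)
```

The audit entries are what you would ship to a log system so that attempts by unauthenticated users are visible alongside authorised ones; the `ssn_display` field is the only form that should ever reach a web page or an e-mail.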
