views: 45
answers: 2
I'm reading a lot of information regarding a law in Mass. about personally identifiable information storage in databases. From what I'm seeing, you should be encrypting major stuff like: a) SSN b) Financial info c) Debit/Credit d) Drivers License #

If I have simple contact forms where users fill out their name, company, address, phone, email, etc and this info gets stored in a database - do I have to worry about encryption?

It seems like these laws just spell out common-sense encryption which we all should have been doing for a while (for real, actual sensitive info).

+1  A: 

This is partly a legal question (which in turn depends on where you are based) and partly a question about whether it would be good practice to use encryption regardless of the legal obligation to do so.

The data you are handling would be treated as personal data for the purposes of European data protection laws. If you're trading with EU citizens, you will need to comply with those laws. The thing about EU data protection law is that it says more about objectives and less about how you achieve those objectives. So, you will have an obligation to protect the data, but it doesn't tell you how to do so. Having said that, if you decide not to adopt the 'normal' ways of ensuring the protection, you increase the chance that someone will say you're in breach. So, encryption isn't a legal requirement if you can protect the data in some other way. I would doubt that you can.

If you're outside the reach of European data protection laws, then you need to look at whether your jurisdiction has specific laws about this sort of thing. I've not heard of any legal requirement for encryption, so I would be a bit surprised.

I think the real question you need to ask is this: do I want to offer protection for this data and, if I do, what's the most sensible way to do it? Answer Yes to the first part of that question, and come up with a reasoned answer to the second part, and I doubt you will go wrong in any legal regime.

CharlieDelta
+1  A: 

I know that in Europe at the very least, there are various Data Protection Acts, and even a few ISO standards that require this data to be protected.

Protected is defined as having a reasonable level of protection on the data itself, i.e., ACLs to restrict access to the database, as well as having a response procedure if that data is breached. Remember even this sort of "basic" information is very desirable for scams, telemarketing, etc.

Also note that the second you add SSN, credit card or financial info to your database you're opening up a huge can of worms in terms of compliance for various standards, HIPAA, PCI DSS, etc.

Always store as little information as possible on a person.

Damien Dennehy
+1 for "Always store as little as possible".
Donal Fellows
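The two controls the answer above recommends, restricting database access with ACLs and storing as little as possible, can be expressed directly in the database. The following is an added example, not code from the question or either answer; it assumes PostgreSQL, and the table, view and role names (`contacts`, `contacts_followup`, `contact_form_app`, `sales_staff`) are hypothetical.

```sql
-- Added example (not from the original post): least-privilege access and
-- data minimisation for a contact-form table in PostgreSQL.
-- All object and role names below are hypothetical.

-- 1. Keep only the columns the form actually needs. No free-text "notes"
--    column, which is where SSNs and card numbers tend to turn up uninvited.
CREATE TABLE contacts (
    id          bigserial PRIMARY KEY,
    name        text NOT NULL,
    company     text,
    email       text NOT NULL,
    phone       text,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- 2. The web application only ever inserts submissions; it never reads them
--    back, so a SQL injection in the form cannot dump the table.
--    (Set the role's password out of band, not in a checked-in script.)
CREATE ROLE contact_form_app LOGIN;
REVOKE ALL ON contacts FROM PUBLIC;
GRANT INSERT ON contacts TO contact_form_app;
GRANT USAGE ON SEQUENCE contacts_id_seq TO contact_form_app;

-- 3. Staff who follow up on leads read through a view that omits columns
--    they do not need (here the phone number), so a compromised staff
--    account exposes less. The view runs with its owner's privileges, so
--    sales_staff needs no grant on the base table.
CREATE VIEW contacts_followup AS
    SELECT id, name, company, email, created_at
    FROM contacts;
CREATE ROLE sales_staff NOLOGIN;
GRANT SELECT ON contacts_followup TO sales_staff;

-- 4. Retention: remove submissions older than the period you can justify,
--    so there is less to lose if the database is ever breached.
DELETE FROM contacts
WHERE created_at < now() - interval '12 months';
```

Run the script as the database owner once, schedule step 4 as a periodic job, and grant `sales_staff` to the individual login roles that need it. The point is that "reasonable protection" for this kind of data is mostly about who can read it and how much of it exists, before any question of encryption arises.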