tags:

views:

311

answers:

10
+3  Q: 

Are there any laws when working with confidential financial data?

I have been asked to build a web application that will be used to store and manipulate sensitive financial data for a private lending firm. Before I bite off more that I can chew, I am trying to figure out if there is anything I should know about legally hosting and securing this kind of information. I have read much about PCI compliance when working with credit card information but this data is a bit different. There will be no financial transactions done online, just viewing balances, rates, loans, etc. by customers and manipulating this data by administrators. I'd equate the sensitivity of this data to that of a bank.

So my ultimate question is whether or not there are any laws regarding storing and transmitting this data. Obviously, an SSL certificate is in order, but what about the hosting. Should I get a dedicated private server or is shared hosting suitable?

Any other input on this situation would be greatly appreciated. Thanks

+1  A: 

If the client is a public company then some of the provisions of the Sarbanes-Oxley Act may apply in the area of accounting and data protection.

Turnkey  2009-01-14 03:14:38
SOX was the biggest waste of time and money ever perpetrated on the world. That doesn't change the value of you answer, I just wanted to vent :-).
paxdiablo  2009-01-14 03:57:54
Yes, and thanks to bad actors like Enron and Madoff those kind of regulations are unlikely to ease up.
Turnkey  2009-01-14 17:57:17
A: 

I wouldnt worry about the law as much as I would worry about what would happen if the clients find out that their sensitive information has been hacked. I am not saying this will happen, but it may.

You may be held responsible and accountable which may damage your reputation and or cause you bankruptcy via law suits.

So if you have built the web application to be secure then you should be ok.

Some laws may apply depending on your country, state and or company policy.

Jobo  2009-01-14 03:15:24
+16  A: 

The only real advice you should accept from programmers on this question is:

Get a lawyer.

Like you, we are coders, not lawyers, and we're not really in a good position to give out legal advice. Perhaps there are lawyers among us, and perhaps they'll give us all some free legal advice on this one, but advice in the world of law doesn't usually flow quite as freely as advice in the world of code, in my experience.

Ian Varley  2009-01-14 03:16:33
It's worse than that. In some jurisdictions, you can be held liable if you represent yourself as a legal professional and give bad advice. This is why lawyers have huge malpractice insurance bills.
paxdiablo  2009-01-14 04:01:46
Indeed, that's why it's so important to find out which jurisdictions you will be operating under.
ninesided  2009-01-14 06:39:43
+1  A: 

Ask a lawyer!! There are very stringent rules when it comes to data protection for banking. If these rules are broken you could end up in Jail!

WolfmanDragon  2009-01-14 03:16:54
+1  A: 

There are lots of laws that might apply, depending on the information. For example, there are laws around asking for personally identifiable info, social security numbers, etc.

I hope you're not planning to rely on SO for advice. Best to get a lawyer that actually knows the law.

duffymo  2009-01-14 03:17:14
+2  A: 

"Let's put it this way: if you need to ask a lawyer whether what you do is "right" or not, you are morally corrupt. Let's not go there. We don't base our morality on law." -- Linus Torvalds

I have a friend who makes web app that communicates with credit card company that validates Card Security Code. He doesn't store the Card Security Code to his database, his web app just query from credit card company if the credit card is valid.

Just let your convictions guide you and your team what to store and what not. Anyway, asking a lawyer will not hurt either.

Michael Buen  2009-01-14 03:17:47
I think it's less about what you can or can't store but what measures you are legally required to put in place to ensure that the data is protected. I'm guessing that a shared MySQL server on a VPS will be sort of frowned upon. In the eyes of the law, ignorance is not a defensible position.
ninesided  2009-01-14 03:47:50
"Just let your convictions guide you..." when talking about the law. +1 for unintended humor.
paxdiablo  2009-01-14 04:00:14
I trust SOers' wit, that's why I didn't put "pun intended"/"pun unintended" of any sort in my answer. Just got the rationale from this answer: http://stackoverflow.com/questions/51390/where-did-all-the-java-applets-go :-)
Michael Buen  2009-01-14 04:45:13
+1 for Linus' quote. Sod the consequences in this case, eh? ;)
mrduclaw  2009-11-26 08:54:50
+8  A: 

the short answer: yes

Having worked for banking institutions (in the US) I can say there are lots of laws governing the storage, display and distribution of financial information. If you are hosting the site there are even more regulatory/compliance issues for you to deal with.

the long answer: Get a Lawyer and bill your client for the lawyer. The client should be providing you with all the compliance related specifications up front. If they aren't providing you the appropriate information Run Away.

If you choose to proceed with project make sure you have a liability insurance policy that will cover any losses your client may experience, also make sure to bill them for the policy.

kloucks  2009-01-14 03:22:26
A: 

Sarbannes Oxley Comes to mind here re: Data Protection but I concur with the general sentiment here, Get a Laywer

tekiegreg  2009-01-14 03:23:41
A: 

Also, you'd need to think about jurisdiction of law. If you're holding financial data for entities from different countries, you need to know which countries laws apply. This might change regardless of the country that the data is hosted in. Again, you'd need to get a lawyer, but when you do, make it known to them if this a criterion that you need to consider.

ninesided  2009-01-14 04:03:29
A: 

"Laws" also depends on which countries you're talking about (your profile & the question doesn't explicitly say). Also, since SO is an online forum, the answers you get may vary depending on country (eg I'm in Australia)

Whenever you start talking online and laws, you may need to consider more than just local laws.

Kevin Haines  2009-01-14 04:39:51

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security