views: 311
answers: 10

I have been asked to build a web application that will be used to store and manipulate sensitive financial data for a private lending firm. Before I bite off more than I can chew, I am trying to figure out if there is anything I should know about legally hosting and securing this kind of information. I have read much about PCI compliance when working with credit card information, but this data is a bit different. There will be no financial transactions done online, just viewing balances, rates, loans, etc. by customers and manipulating this data by administrators. I'd equate the sensitivity of this data to that of a bank.

So my ultimate question is whether or not there are any laws regarding storing and transmitting this data. Obviously, an SSL certificate is in order, but what about the hosting? Should I get a dedicated private server, or is shared hosting suitable?

Any other input on this situation would be greatly appreciated. Thanks.

+1  A: 

If the client is a public company then some of the provisions of the Sarbanes-Oxley Act may apply in the area of accounting and data protection.

Turnkey
SOX was the biggest waste of time and money ever perpetrated on the world. That doesn't change the value of your answer, I just wanted to vent :-).
paxdiablo
Yes, and thanks to bad actors like Enron and Madoff those kinds of regulations are unlikely to ease up.
Turnkey
A: 

I wouldn't worry about the law as much as I would worry about what would happen if the clients find out that their sensitive information has been hacked. I am not saying this will happen, but it may.

You may be held responsible and accountable, which may damage your reputation and/or cause you bankruptcy via lawsuits.

So if you have built the web application to be secure, then you should be ok.

Some laws may apply depending on your country, state and/or company policy.

Jobo
+16  A: 

The only real advice you should accept from programmers on this question is:

Get a lawyer.

Like you, we are coders, not lawyers, and we're not really in a good position to give out legal advice. Perhaps there are lawyers among us, and perhaps they'll give us all some free legal advice on this one, but advice in the world of law doesn't usually flow quite as freely as advice in the world of code, in my experience.

Ian Varley
It's worse than that. In some jurisdictions, you can be held liable if you represent yourself as a legal professional and give bad advice. This is why lawyers have huge malpractice insurance bills.
paxdiablo
Indeed, that's why it's so important to find out which jurisdictions you will be operating under.
ninesided
+1  A: 

Ask a lawyer!! There are very stringent rules when it comes to data protection for banking. If these rules are broken, you could end up in jail!

WolfmanDragon
+1  A: 

There are lots of laws that might apply, depending on the information. For example, there are laws around asking for personally identifiable info, social security numbers, etc.

I hope you're not planning to rely on SO for advice. Best to get a lawyer that actually knows the law.

duffymo
+2  A: 

"Let's put it this way: if you need to ask a lawyer whether what you do is "right" or not, you are morally corrupt. Let's not go there. We don't base our morality on law." -- Linus Torvalds

I have a friend who makes a web app that communicates with a credit card company that validates the Card Security Code. He doesn't store the Card Security Code in his database; his web app just queries the credit card company to check whether the credit card is valid.

Just let your convictions guide you and your team on what to store and what not. Anyway, asking a lawyer will not hurt either.

Michael Buen
I think it's less about what you can or can't store but what measures you are legally required to put in place to ensure that the data is protected. I'm guessing that a shared MySQL server on a VPS will be sort of frowned upon. In the eyes of the law, ignorance is not a defensible position.
ninesided
"Just let your convictions guide you..." when talking about the law. +1 for unintended humor.
paxdiablo
I trust SOers' wit, that's why I didn't put "pun intended"/"pun unintended" of any sort in my answer. Just got the rationale from this answer: http://stackoverflow.com/questions/51390/where-did-all-the-java-applets-go :-)
Michael Buen
+1 for Linus' quote. Sod the consequences in this case, eh? ;)
mrduclaw
+8  A: 

the short answer: yes

Having worked for banking institutions (in the US) I can say there are lots of laws governing the storage, display and distribution of financial information. If you are hosting the site there are even more regulatory/compliance issues for you to deal with.

the long answer: Get a lawyer and bill your client for the lawyer. The client should be providing you with all the compliance-related specifications up front. If they aren't providing you the appropriate information, run away.

If you choose to proceed with the project, make sure you have a liability insurance policy that will cover any losses your client may experience; also make sure to bill them for the policy.

kloucks
A: 

Sarbanes-Oxley comes to mind here re: data protection, but I concur with the general sentiment here: get a lawyer.

tekiegreg
A: 

Also, you'd need to think about jurisdiction of law. If you're holding financial data for entities from different countries, you need to know which countries' laws apply. This might change regardless of the country that the data is hosted in. Again, you'd need to get a lawyer, but when you do, make it known to them if this is a criterion that you need to consider.

ninesided
A: 

"Laws" also depends on which countries you're talking about (your profile and the question don't explicitly say). Also, since SO is an online forum, the answers you get may vary depending on country (e.g. I'm in Australia).

Whenever you start talking online and laws, you may need to consider more than just local laws.

Kevin Haines