PDA

View Full Version : Protecting individually identifiable data



lionize
01-01-2013, 09:19 PM
Can someone clear up what personal data would be considered sensitive enough to require encryption level security during collection, transfer and storage? I can not seem to find a clear answer to this. I plan on requiring new clients to provide basic information like name, email, address and phone. I will not collect confidential types of info like credit card or drivers license numbers.
It is important to me that my clients data is safe, but I don't want to implement excessive security measures when they are not necessary.

Steve B
01-02-2013, 07:05 AM
I would consider all of these confidential "name, email, address and phone".

I'm very sensitive about this topic. I boycotted Radio Shack for 30 years because they used to require your name and address when you made any purchase there. I recently started going back to them because I found out they stopped that practice. Then, just this past week I needed to return a $3 cash purchase and they wanted my name and phone number. I guess I'll give them another try in 30 years if I'm still alive.

nealrm
01-02-2013, 10:58 AM
All those items fall into the very low end of the data security pool. Nothing there is worth stealing, I would not encrypt it. Just follow standard database security.

billbenson
01-02-2013, 05:41 PM
Not only that, stores like that information from a theft standpoint. If someone steals something and then tries to return it they want their name etc to look for patterns. This is true for both receipt and non receipt returns. Some shoplifters will buy something and then steal another one and try to return it with the receipt. They may even try to return it at a different store. In the late 70's I worked security for Sears. We collected that information and shared it not only with other Sears stores but with other major department stores such as JC Penny's.

lionize
01-03-2013, 12:07 PM
All those items fall into the very low end of the data security pool. Nothing there is worth stealing, I would not encrypt it. Just follow standard database security.

Do you know of any official organizations which would confirm this? The Canadian government website Office of the Privacy Commissioner of Canada (http://www.priv.gc.ca/index_e.asp) is not that useful and I was hoping there might be some US websites with more clarification on this subject.

nealrm
01-03-2013, 04:11 PM
I don't believe that the US has a national standard for PII. Some stated like CA do have standards, but it does not include names, phone number, emails and address in with PII. In general all the information but the email address you are collecting is available via public documents. Include a statement or a link to a statement stating why you are collecting the information and what you will be doing with that data.

jim.sklansky
02-02-2013, 02:57 PM
please go to the below link. I think this will help you a lot.

http://www.ipswitchft.com/resources/pdf/compliance/SecureFileTransferInEraOfCompliance.pdf

MyITGuy
02-02-2013, 07:45 PM
Can someone clear up what personal data would be considered sensitive enough to require encryption level security during collection, transfer and storage? I can not seem to find a clear answer to this. I plan on requiring new clients to provide basic information like name, email, address and phone. I will not collect confidential types of info like credit card or drivers license numbers.
It is important to me that my clients data is safe, but I don't want to implement excessive security measures when they are not necessary.

Ideally, any information that is collected should be done via a secure method because there are people/companies that instruct their users not to fill out web forms unless they see the lock/security icon in their browser (We due this to KISS and do not differentiate between names, email, CC info and etc...). Otherwise the person submitting the information could be vulnerable to a attack. SSL Certificates are cheap enough now so this is no longer an excuse to not be secure.

You mentioned that you aren't collecting drivers license #'s or credit cards so you don't need to worry about encryption at rest...but if you collect any information that meets the Sarbanes/Oxley rules (Financial data) or HIPAA (Patient/Health information) then you will need security/encryption there.