
Professional Webmaster Business Issues Forum

    
Client requests Social Security Number through email form
The_Hat




msg:3911333
 9:09 pm on May 11, 2009 (gmt 0)

So we have this advertiser who we have had difficulty pleasing in the past and so when we approached them lately to advertise on our site they asked if it would be possible to put together a page with a form on it for their ad to click to.. I said sure not a problem.. envisioning the two or three field email form that is pretty much a click-drag away and shot the ad rep a low buck price for the ad on form to their advertisement contract..

The ad rep dropped by here a bit ago with THREE pages of hand-drawn form fields for me to program up.. So a little past what I had related to the advertising account rep.. BUT WAIT.. that isn't all!.. The form is for a loan application and contains.. names, home addresses, and (gasp) social security numbers amongst the fields they are wanting to have sent to an email box.

So if it was only because of the scope creep I would want to renegotiate.. but add in the potential disaster that level of information being sent through an unprotected email can cause.. and I better chat with them.. or have them sign something..

Anybody.. what should I tell them?.. I know there are ways to better do a secure email transmission but not within their already overextended scope.. Should I draft a liability waiver and have them sign it?

 

LifeinAsia




msg:3911368
 9:46 pm on May 11, 2009 (gmt 0)

What state are you and the client in? I don't know about other states, but California has (had?) a law prohibiting the sending of SSN over an insecure (e.g., e-mail) interface.

Several years back a slimy lawyer was trying to start a class action lawsuit against all sites that asked for an SSN without an SSL page.

The_Hat




msg:3911369
 9:48 pm on May 11, 2009 (gmt 0)

We are in Nebraska

g1smd




msg:3911384
 10:25 pm on May 11, 2009 (gmt 0)

What is the business doing with that information?
Is it a legitimate request for what they do?
Do you suspect that the company is up to something they should not be?
If there is a problem with legality, then not only don't touch it, but report it.

rocknbil




msg:3911516
 2:26 am on May 12, 2009 (gmt 0)

Anybody.. what should I tell them?..

I think you already know . . . the same thing you would tell them if they were asking for credit card info to be emailed.

This does open a good question though, if a client is adamant about an insecure practice and presses a provider to do it the way they want, what is the provider's liability?

So far I've escaped this nut by providing a very convincing argument about the right way to do it.

gpilling




msg:3911584
 4:42 am on May 12, 2009 (gmt 0)

what is the provider's liability?

I was just following orders, your honor.

The_Hat




msg:3911770
 12:30 pm on May 12, 2009 (gmt 0)

The business is in the financial industry, the form is a loan application. I believe the request to be legitimate for what they do.

The_Hat




msg:3911946
 4:44 pm on May 12, 2009 (gmt 0)

We decided to take it back to the advertiser and have them rework their request down to the bare minimum. Removing specifically the SSN fields.

engine




msg:3911961
 5:05 pm on May 12, 2009 (gmt 0)

Besides the security aspect, I would have thought they'd want to capture enough information that wouldn't be a chore for the initial enquirer. Especially if it's in response to an ad. There's nothing worse than finding a form that requires all sorts of information recorded in many different places, taking some time to retrieve. I'll just abandon the form.

By all means, make an application form, but make sure the user knows in advance what info they require to have ready.

Sometimes, a simple enquiry form is best.

The_Hat




msg:3912000
 6:34 pm on May 12, 2009 (gmt 0)

Yes exactly.. I related some of that to the rep before she went back for the follow-up meeting... like they asked for monthly income in the form.. as a text field instead of a multiple choice with a selection of a range.

Jack_Hughes




msg:3912513
 11:47 am on May 13, 2009 (gmt 0)

If you give the security as an excuse for telling them that you need to create a secure form and a login area for them so they can retrieve the data securely over SSL... should up the bill quite nicely. ;)

The_Hat




msg:3912749
 5:38 pm on May 13, 2009 (gmt 0)

@Jack_Hughes.. well yeah. but since we have had problems with them in the past and the rep had already quoted them a price. We aren't going to present them with an upsell.. we will instead be leading with the security problems (I was able, by the way, to dig up a PDF from our state regarding SSNs and insecure transmission) with the aim of trimming their request.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved