LifeinAsia

msg:3911368 | 9:46 pm on May 11, 2009 (gmt 0) |
What state are you and the client in? I don't know about other states, but California has (had?) a law prohibiting the sending of SSN over an insecure (e.g., e-mail) interface. Several years back a slimy lawyer was trying to start a class action lawsuit against all sites that asked for an SSN without an SSL page.
|
The_Hat

msg:3911369 | 9:48 pm on May 11, 2009 (gmt 0) |
We are in Nebraska
|
g1smd

msg:3911384 | 10:25 pm on May 11, 2009 (gmt 0) |
What is the business doing with that information? Is it a legitimate request for what they do? Do you suspect that the company is up to something they should not be? If there is a problem with legality, then not only don't touch it, but report it.
|
rocknbil

msg:3911516 | 2:26 am on May 12, 2009 (gmt 0) |
> Anybody.. what should I tell them?..

I think you already know . . . the same thing you would tell them if they were asking for credit card info to be emailed. This does open a good question though, if a client is adamant about an insecure practice and presses a provider to do it the way they want, what is the provider's liability? So far I've escaped this nut by providing a very convincing argument about the right way to do it.
|
gpilling

msg:3911584 | 4:42 am on May 12, 2009 (gmt 0) |
> what is the provider's liability?

I was just following orders, your honor.
|
The_Hat

msg:3911770 | 12:30 pm on May 12, 2009 (gmt 0) |
The business is in the financial industry, the form is a loan application. I believe the request to be legitimate for what they do.
|
The_Hat

msg:3911946 | 4:44 pm on May 12, 2009 (gmt 0) |
We decided to take it back to the advertiser and have them rework their request down to the bare minimum. Removing specifically the SSN fields.
|
engine

msg:3911961 | 5:05 pm on May 12, 2009 (gmt 0) |
Besides the security aspect, I would have thought they'd want to capture enough information that wouldn't be a chore for the initial enquirer. Especially if it's in response to an ad. There's nothing worse than finding a form that requires all sorts of information recorded in many different places, taking some time to retrieve. I'll just abandon the form. By all means, make an application form, but make sure the user knows in advance what info they require to have ready. Sometimes, a simple enquiry form is best.
|
The_Hat

msg:3912000 | 6:34 pm on May 12, 2009 (gmt 0) |
Yes exactly.. I related some of that to the rep before she went back for the followup meeting... like they asked for monthly income in the form.. as a text field instead of a multiple choice with a selection of a range.
|
Jack_Hughes

msg:3912513 | 11:47 am on May 13, 2009 (gmt 0) |
If you give the security as an excuse for telling them that you need to create a secure form and a login area for them so they can retrieve the data securely over SSL... should up the bill quite nicely. ;)
|
The_Hat

msg:3912749 | 5:38 pm on May 13, 2009 (gmt 0) |
@Jack_Hughes.. well yeah. but since we have had problems with them in the past and the rep had already quoted them a price. We aren't going to present them with an upsell.. we will instead be leading with the security problems (I was able, by the way, to dig up a PDF from our state regarding SSNs and insecure transmission) with the aim of trimming their request.
|