
Forum Moderators: LifeinAsia & httpwebwitch


Client requests Social Security Number through email form

     

The_Hat

9:09 pm on May 11, 2009 (gmt 0)

10+ Year Member



So we have this advertiser who we have had difficulty pleasing in the past, and so when we approached them lately to advertise on our site they asked if it would be possible to put together a page with a form on it for their ad to click to.. I said sure, not a problem.. envisioning the two or three field email form that is pretty much a click-drag away, and shot the ad rep a low buck price for the ad on form to their advertisement contract..

The ad rep dropped by here a bit ago with THREE pages of hand-drawn form fields for me to program up.. So a little past what I had related to the advertising account rep.. BUT WAIT.. that isn't all!.. The form is for a loan application and contains.. names, home addresses, and (gasp) social security numbers amongst the fields they are wanting to have sent to an email box.

So if it was only because of the scope creep I would want to renegotiate.. but add in the potential disaster that level of information being sent through an unprotected email can cause.. and I better chat with them.. or have them sign something..

Anybody.. what should I tell them?.. I know there are ways to better do a secure email transmission but not within their already overextended scope.. Should I draft a liability waiver and have them sign it?

LifeinAsia

9:46 pm on May 11, 2009 (gmt 0)

WebmasterWorld Administrator, Top Contributor of All Time, 5+ Year Member, Top Contributor of the Month



What state are you and the client in? I don't know about other states, but California has (had?) a law prohibiting the sending of SSN over an insecure (e.g., e-mail) interface.

Several years back a slimy lawyer was trying to start a class action lawsuit against all sites that asked for an SSN without an SSL page.

The_Hat

9:48 pm on May 11, 2009 (gmt 0)

10+ Year Member



We are in Nebraska

g1smd

10:25 pm on May 11, 2009 (gmt 0)

WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member, Top Contributor of the Month



What is the business doing with that information?
Is it a legitimate request for what they do?
Do you suspect that the company is up to something they should not be?
If there is a problem with legality, then not only don't touch it, but report it.

rocknbil

2:26 am on May 12, 2009 (gmt 0)

WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member



"Anybody.. what should I tell them?.."

I think you already know . . . the same thing you would tell them if they were asking for credit card info to be emailed.

This does open a good question though: if a client is adamant about an insecure practice and presses a provider to do it the way they want, what is the provider's liability?

So far I've escaped this nut by providing a very convincing argument about the right way to do it.

gpilling

4:42 am on May 12, 2009 (gmt 0)

10+ Year Member



"what is the provider's liability?"

I was just following orders, your honor.

The_Hat

12:30 pm on May 12, 2009 (gmt 0)

10+ Year Member



The business is in the financial industry, the form is a loan application. I believe the request to be legitimate for what they do.

The_Hat

4:44 pm on May 12, 2009 (gmt 0)

10+ Year Member



We decided to take it back to the advertiser and have them rework their request down to the bare minimum, removing specifically the SSN fields.

engine

5:05 pm on May 12, 2009 (gmt 0)

WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member, Top Contributor of the Month



Besides the security aspect, I would have thought they'd want to capture enough information that wouldn't be a chore for the initial enquirer. Especially if it's in response to an ad. There's nothing worse than finding a form that requires all sorts of information recorded in many different places, taking some time to retrieve. I'll just abandon the form.

By all means, make an application form, but make sure the user knows in advance what info they require to have ready.

Sometimes, a simple enquiry form is best.

The_Hat

6:34 pm on May 12, 2009 (gmt 0)

10+ Year Member



Yes, exactly.. I related some of that to the rep before she went back for the follow-up meeting... like they asked for monthly income in the form.. as a text field instead of a multiple choice with a selection of a range.

Jack_Hughes

11:47 am on May 13, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you give the security as an excuse for telling them that you need to create a secure form and a login area for them so they can retrieve the data securely over SSL... should up the bill quite nicely. ;)

The_Hat

5:38 pm on May 13, 2009 (gmt 0)

10+ Year Member



@Jack_Hughes.. well yeah, but since we have had problems with them in the past and the rep had already quoted them a price, we aren't going to present them with an upsell.. we will instead be leading with the security problems (I was able, by the way, to dig up a PDF from our state regarding SSNs and insecure transmission) with the aim of trimming their request.
 
