Forum Moderators: LifeinAsia & httpwebwitch

Client requests Social Security Number through email form

     
9:09 pm on May 11, 2009 (gmt 0)

Full Member

10+ Year Member

joined:Mar 8, 2003
posts:234
votes: 0


So we have this advertiser who we have had difficulty pleasing in the past and so when we approached them lately to advertise on our site they asked if it would be possible to put together a page with a form on it for their ad to click to.. I said sure not a problem.. envisioning the two or three field email form that is pretty much a click-drag away and shot the ad rep a low buck price for the ad on form to their advertisement contract..

The ad rep dropped by here a bit ago with THREE pages of hand-drawn form fields for me to program up.. So a little past what I had related to the advertising account rep.. BUT WAIT.. that isn't all!.. The form is for a loan application and contains.. names, home addresses, and (gasp) social security numbers amongst the fields they are wanting to have sent to an email box.

So if it was only because of the scope creep I would want to renegotiate.. but add in the potential disaster that level of information being sent through an unprotected email can cause.. and I better chat with them.. or have them sign something..

Anybody.. what should I tell them?.. I know there are ways to better do a secure email transmission but not within their already over extended scope.. Should I draft a liability waiver and have them sign it?

9:46 pm on May 11, 2009 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator lifeinasia is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 10, 2005
posts:5550
votes: 24


What state are you and the client in? I don't know about other states, but California has (had?) a law prohibiting the sending of SSN over an insecure (e.g., e-mail) interface.

Several years back a slimy lawyer was trying to start a class action lawsuit against all sites that asked for a SSN without an SSL page.

9:48 pm on May 11, 2009 (gmt 0)

Full Member

10+ Year Member

joined:Mar 8, 2003
posts:234
votes: 0


We are in Nebraska

10:25 pm on May 11, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2002
posts:18903
votes: 0


What is the business doing with that information?
Is it a legitimate request for what they do?
Do you suspect that the company is up to something they should not be?
If there is a problem with legality, then not only don't touch it, but report it.

2:26 am on May 12, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


Anybody.. what should I tell them?..

I think you already know . . . the same thing you would tell them if they were asking for credit card info to be emailed.

This does open a good question though, if a client is adamant about an insecure practice and presses a provider to do it the way they want, what is the provider's liability?

So far I've escaped this nut by providing a very convincing argument about the right way to do it.

4:42 am on May 12, 2009 (gmt 0)

Preferred Member

10+ Year Member

joined:Oct 20, 2003
posts:526
votes: 0


what is the provider's liability?

I was just following orders, your honor.

12:30 pm on May 12, 2009 (gmt 0)

Full Member

10+ Year Member

joined:Mar 8, 2003
posts:234
votes: 0


The business is in the financial industry, the form is a loan application. I believe the request to be legitimate for what they do.

4:44 pm on May 12, 2009 (gmt 0)

Full Member

10+ Year Member

joined:Mar 8, 2003
posts:234
votes: 0


We decided to take it back to the advertiser and have them rework their request down to the bare minimum, specifically removing the SSN fields.

5:05 pm on May 12, 2009 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 9, 2000
posts:22284
votes: 236


Besides the security aspect, I would have thought they'd want to capture enough information that wouldn't be a chore for the initial enquirer. Especially if it's in response to an ad. There's nothing worse than finding a form that requires all sorts of information recorded in many different places, taking some time to retrieve. I'll just abandon the form.

By all means, make an application form, but make sure the user knows in advance what info they require to have ready.

Sometimes, a simple enquiry form is best.

6:34 pm on May 12, 2009 (gmt 0)

Full Member

10+ Year Member

joined:Mar 8, 2003
posts:234
votes: 0


Yes exactly.. I related some of that to the rep before she went back for the followup meeting... like they asked for monthly income in the form.. as a text field instead of a multiple choice with a selection of a range.

11:47 am on May 13, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 10, 2003
posts:654
votes: 0


If you give the security as an excuse for telling them that you need to create a secure form and a login area for them so they can retrieve the data securely over SSL... should up the bill quite nicely. ;)

5:38 pm on May 13, 2009 (gmt 0)

Full Member

10+ Year Member

joined:Mar 8, 2003
posts:234
votes: 0


@Jack_Hughes.. well yeah, but since we have had problems with them in the past and the rep had already quoted them a price, we aren't going to present them with an upsell.. we will instead be leading with the security problems (I was able, by the way, to dig up a pdf from our state regarding SSNs and insecure transmission) with the aim of trimming their request.