Legal/compliance requirements for SSN database storage

Posted on 2007-10-09
Last Modified: 2008-01-09
Seeking useful info on legal or regulatory compliance requirements for storage of US SSNs (in a SQL Server/ColdFusion payroll-related application). HIPAA and GLBA don't seem to apply, as this is outside both the healthcare space and the financial institution space, but if they did apply, that's along the lines of what I'm looking for. Or if SB1386 mandated how to handle private data, rather than just what to do with it after it's been *mis*handled, then I'd also want to know that.

This is not a tech question; am not seeking advice on encryption schemes or products, etc. I want to figure out what's required; there's time later to worry about how to implement it. Lastly, I'm not stingy with points or grades, but rush-rush posts consisting of not-super-relevant Googled URLs will earn neither. Thanks very much!
Question by:Sapphireblue
    LVL 27

    Expert Comment

    If your industry and organization are outside of the regulatory statutes, then compliance requirements are based on the company's guidelines and standards. Every state has different regulations -

    are the state laws that relate to internet privacy. If your state has laws that specifically relate to how you handle the data, then you must comply. Not every state has those laws.

    You should contact your company's legal department. They are the experts.

    If this is a payroll-related system, then you must be audited. What are the practices and controls required for the audit?

    LVL 1

    Author Comment

    Heh. I'm a sub-sub-subcontractor. So far out of the loop, I couldn't find it with a flashlight and a map. At this point I'm just trying to develop enough general domain knowledge that I can conduct an intelligent conversation, and ask the right questions.
    LVL 27

    Accepted Solution


    There is no set industry standard for user privacy. I have worked in healthcare (HIPAA) and with SOX and they are, like the SB1386 you mentioned, for the most part reactive. That is a good thing, because most legislators are not IT-knowledgeable.

    For example, one of the requirements of SOX, as it was interpreted by our lawyers, was that no one could see everything in the database. I had to explain, speaking slowly and with Microsoft documents and pictures, that the sysadmin on the database sees everything. The lawyers finally decided that that was OK, as long as I didn't actively look everywhere. Doh.

    I am happy with encryption, but I prefer that the application encrypts the data (using standard encryption algorithms and symmetric keys) outside of the database and then sends me the data. Encrypting within the database is better with SQL 2005, but that is not what Transact-SQL was designed to do.

    Also remember, that an encrypted column must be decrypted to be useful. This will slow down any transactions (usually just a little) that require that column.

    If your company does not require encryption, then do not. Usually restricting access to the table satisfies the requirements.

    Here, for example, are the policies of the University of Buffalo:
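The accepted answer above mentions two implementation options without showing either: restricting who can read the SSN column, and, on SQL Server 2005, encrypting the column inside the database. The following is an added example written for this page, not code posted by anyone in the thread. It assumes SQL Server 2005 or later; the object names (dbo.Employee, payroll_app, hr_verify, SSNCert, SSNKey) and the placeholder master-key password are invented for illustration.

```sql
-- Added example (not from the thread). Shows the two options the accepted
-- answer describes for SQL Server 2005: column-level access restriction and
-- in-database encryption of the SSN column. Object names and the password
-- below are assumptions; a real password belongs in a secrets store.

-- Key hierarchy: database master key -> certificate -> AES-256 symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'ChangeMe!ToAReal$ecret9';
CREATE CERTIFICATE SSNCert WITH SUBJECT = 'Protects payroll SSN column';
CREATE SYMMETRIC KEY SSNKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE SSNCert;
GO

-- The full SSN is stored only as ciphertext. The last four digits are kept
-- in clear because screens and reports need them; the full number never is.
CREATE TABLE dbo.Employee (
    EmployeeID INT            NOT NULL PRIMARY KEY,
    FullName   NVARCHAR(100)  NOT NULL,
    SSN_Last4  CHAR(4)        NOT NULL,
    SSN_Enc    VARBINARY(128) NOT NULL   -- output of ENCRYPTBYKEY
);
GO

-- Writing: the procedure opens the key, encrypts, and closes it. EXECUTE AS
-- OWNER means the calling login needs no rights on the key or certificate.
CREATE PROCEDURE dbo.AddEmployee
    @EmployeeID INT,
    @FullName   NVARCHAR(100),
    @SSN        CHAR(11)          -- expected as NNN-NN-NNNN
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    IF @SSN NOT LIKE '[0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]'
    BEGIN
        RAISERROR('SSN must be formatted NNN-NN-NNNN', 16, 1);
        RETURN;
    END
    OPEN SYMMETRIC KEY SSNKey DECRYPTION BY CERTIFICATE SSNCert;
    INSERT dbo.Employee (EmployeeID, FullName, SSN_Last4, SSN_Enc)
    VALUES (@EmployeeID, @FullName, RIGHT(@SSN, 4),
            ENCRYPTBYKEY(KEY_GUID('SSNKey'), @SSN));
    CLOSE SYMMETRIC KEY SSNKey;
END
GO

-- Reading the full number: as the answer notes, the column has to be
-- decrypted to be useful, so confine decryption to one procedure and one role.
CREATE PROCEDURE dbo.GetEmployeeSSN
    @EmployeeID INT
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY SSNKey DECRYPTION BY CERTIFICATE SSNCert;
    SELECT EmployeeID,
           CONVERT(CHAR(11), DECRYPTBYKEY(SSN_Enc)) AS SSN
    FROM dbo.Employee
    WHERE EmployeeID = @EmployeeID;
    CLOSE SYMMETRIC KEY SSNKey;
END
GO

-- Access restriction ("restricting access to the table"). The application
-- role can insert records and read everything except the ciphertext; only
-- hr_verify can call the decrypting procedure. Neither role is granted
-- anything on the key or the certificate.
CREATE ROLE payroll_app;
CREATE ROLE hr_verify;

GRANT SELECT ON dbo.Employee (EmployeeID, FullName, SSN_Last4) TO payroll_app;
DENY  SELECT ON dbo.Employee (SSN_Enc) TO payroll_app;
GRANT EXECUTE ON dbo.AddEmployee TO payroll_app;

GRANT EXECUTE ON dbo.GetEmployeeSSN TO hr_verify;
GO
```

The point of the two procedures is that the application's database login never holds permission on the symmetric key or certificate; anyone who compromises that login can insert records and read the last four digits, but cannot decrypt the stored numbers. The answer's caveat still applies: every call to GetEmployeeSSN pays for a key open and a decrypt, so keep the full-SSN path off the hot transaction path.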
    LVL 1

    Author Comment

    I am a terrible person.
