MonCapitan

Security implications of storing passport documents online

Hi all,

I have been asked to look into the implications of storing photocopied identification documents online on our dedicated server (around 10,000 to start but will grow each year). These ID documents will be of passports, driving licenses, etc.

What would the security implications be for this?

My feeling is...
1. If it is not an essential part of your business process, don't do it. Keep them in the locked drawers on paper at work.
2. If we do, I feel we are opening ourselves to attack for identity theft. By the documents not being there, we are leaving much less of a reason for attack.
3. If we do keep them online and online security is compromised, we could be sued (maybe, I don't know).

Basically, I feel like we will be making ourselves attractive for targeted attacks because the identity information has value.

Your help and opinion is greatly appreciated.
SOLUTION
Dave Baldwin
This solution is only available to members.

It all depends on the laws of the country where you do that.
For example, in most countries in Europe you'll be sued just by putting the (personal) data into public.
noci

I agree with ahoffman....
Additionally: how about your clients? What is their opinion on having their social security numbers "published"? Also, for some services it suffices to [e-]mail a photocopy of some identifying documents... This would/might assist in fraud using such stored documents.

For me personally, if I became aware of this much disregard for the privacy of others, this would mean I would stop being a customer, period.

Besides this, I know that for Dutch law: you may only record the BSN (Dutch for Social Security Number) if you are ordered to do so by law; otherwise you may not record the BSN.
And you are required to have this as a confidential part of your administration.

As the BSN is on all identifying documents, you first need to process the images to remove all parts of the documents that may not be in the "public" domain.
(With respect to employers, anything outside of the HR department is considered public).
MonCapitan

ASKER

Thanks for your replies.

We are looking at storing this information for our business use on our online backend system. We would never intentionally show these files publicly. The only way this would get exposed is by an external attack.

By storing these documents online (as securely as our Web Developers know how) what are the risks/consequences of doing so?

Is it generally regarded as bad practice?
Is it, in the IT world, a bad thing to do?
Is it maybe normal for a company to store this information?
Have we just magnified the risk of attack 10-fold/20-fold?
Does there have to be a darn good reason to store documents like this online, risk vs. reward, etc.?

Thanks for any further advice.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.

> > Is it maybe normal for a company to store this information?
You're talking about "passport documents"; I'm not aware of any country where such data is supposed to be controlled by private companies.
This fact solely should answer this question: no go, without any exception!