I don’t think this is the correct site to post this, but I wasn’t sure where else I could.
Anyway, my question is simple. Are there any federal regulations or state (Colorado) regulations for storing sensitive user information such as SSN, billing and contact information? More specifically, the company I am currently doing a database audit for is a local college.
They have a lot of this information as plain text in the database and I would like to tell them not only is this a bad idea, but it could cause them legal issues if discovered.
To the extent that this would create regulatory issues, it would do so under the Family Educational Rights and Privacy Act (FERPA) assuming that the system does not process credit card transactions. If it did process credit card transactions, it would fall under the auspices of PCI compliance. I’m not an expert in FERPA compliance but I don’t believe that it requires that data be encrypted within the database.
That being said, you can certainly point out that FERPA would likely come into play if there was a breach (say, a backup tape was lost in transit) and the underlying data was not encrypted. Not encrypting the data could force an embarrassing public disclosure that a breach had occurred. If the data was all encrypted (and assuming that the encryption key was not also lost), you can generally avoid the public disclosure.