I have been asked to build a web application that will be used to store and manipulate sensitive financial data for a private lending firm. Before I bite off more than I can chew, I am trying to figure out if there is anything I should know about legally hosting and securing this kind of information. I have read much about PCI compliance when working with credit card information, but this data is a bit different. There will be no financial transactions done online, just viewing balances, rates, loans, etc. by customers and manipulating this data by administrators. I'd equate the sensitivity of this data to that of a bank.
So my ultimate question is whether or not there are any laws regarding storing and transmitting this data. Obviously, an SSL certificate is in order, but what about the hosting? Should I get a dedicated private server, or is shared hosting suitable?
Any other input on this situation would be greatly appreciated. Thanks
The short answer: yes.
Having worked for banking institutions (in the US) I can say there are lots of laws governing the storage, display and distribution of financial information. If you are hosting the site there are even more regulatory/compliance issues for you to deal with.
The long answer: get a lawyer, and bill your client for the lawyer. The client should be providing you with all the compliance-related specifications up front. If they aren't providing you with the appropriate information, run away.
If you choose to proceed with the project, make sure you have a liability insurance policy that will cover any losses your client may experience; also make sure to bill them for the policy.