How you collect information online matters!
Collecting, storing, and sending data via a form on your website is a convenient way for your customers or residents to communicate with you. However, collecting, storing, and sending PII as plain text can cause a data breach. It is essential to think about the information collected on your website before you create a form and start sending sensitive information through insecure channels.
Unsecured Data
Collecting a name, email address, and a comment is generally considered safe to do via an unsecured form. Online forms usually submit to an email address when filled out. Email is not secure. So, all of the data entered by the user is stored in plain text on the server and is sent to your email, which sits both on your computer and on a server in plain text. It is relatively easy for an unauthorized individual to gain access to this information.
More Secure Data
A moderately secure server usually encrypts data at rest. However, anyone with access to the server (legitimate access or malicious access) can see the information stored there in plain text. Therefore technicians from the company you rent the form from, like web designers, administrators, have access to the data in plain text. Think of it like locking the door to your house when you leave. If your neighbor has a key, or someone breaks a window, they can still get in and have access to everything in your home.
Encrypted Data
Encrypted information is not stored in plain text. It is stored “scrambled” so if an unauthorized person does gain access to the server on which it is stored, the information cannot be read without a key to decrypt the data. This is like putting information in a sealed envelope in a locked box in your locked house. Even if someone breaks into your home, they will need a key to get into the box to see the information.
While you may not want to encrypt the senders name and email address (so you have a way to contact them), it would be prudent to encrypt as much of the rest of the form information as possible. This way it is always compliant regardless of changing laws and regulations.
What type of data should be encrypted?
PII should certainly be encrypted. There is some information that is universally considered to be PII. There is other information that may not be PII, but it still might be enough to cause harm. Information like account numbers, vehicle registration information, vacation dates, and medical information mixed with other data could be enough for a criminal to exploit an individual. If your business or municipality made this information available to a criminal, the victim may hold you accountable for damages.
The way data is collected goes a step further for government agencies. Local governments are often subject to Right to Know open-records laws. Collecting sensitive information via email, which could be privileged, even within state regulations, may lead to potential liability.
The CourseVector team cares about the security of our customers’ data. While we make solid recommendations based on our experience, we are not lawyers. Clients should check with their attorney or solicitor prior to deciding how data is collected and stored via their website. If instructed, we will post the forms regardless of security or legal requirements; however, the client may be required to provide a written hold harmless statement before posting takes place.
