What is Protected Personally Identifiable Information? Do I really have to hash users' passwords?
The Short Answer
The legal answer depends on which Federal, State, and local laws apply to your company. And I am not a lawyer. However, for companies whose nexus is in Georgia, where my company is located, the Georgia General Assembly has given some guidance in the data breach law.
And yes, you really do have to hash your users' passwords, or you risk having to do a full-blown data breach notification if the users table is ever compromised!
The Details
The exact definition of personal information varies among states.
However, since my company is located in the State of Georgia, and so are many of our clients, I will use the Georgia State Data Breach Notification Law as an example.
OCGA 10-1-911 (Official Georgia State Law) defines it as:
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
- Social security number;
- Driver’s license number or state identification card number;
- Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;
- Account passwords or personal identification numbers or other access codes; or
The term “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
In general, the Georgia General Assembly has expressed concern over the threat of identity theft.
My understanding is that if you do not hash the passwords in your database and it is leaked, then you have to do a full formal data breach notification. People tend to use the same passwords at multiple places. Secure hash algorithms with salting are your friends here.
Other Potentially Applicable Laws
In general, security standards are either required for all entities that handle certain information (law mandates) or by contractual agreements with a private party or a government agency.
U.S. Laws
- State Data Breach Laws
- Health Insurance Portability and Accountability Act
- Gramm-Leach-Bliley Act
- Sarbanes–Oxley Act of 2002 (SOX)
- Family Educational Rights and Privacy Act (FERPA)
Contractual Agreements
- Payment Card Industry Digital Security Standards (PCI-DSS)
- Federal Data Security Standards
- NIST SP 800-53, Recommended Security Controls for Federal Information Systems
Comments
Christian Kotscher
Great info Frank, you're the best.
John Grints
I agree. This is also the same with big companies. Passwords and other data should be safe and secured. Important files should be encrypted to ensure their safety and security. A company also needs to hire an excellent developer who knows how to do ethical hacking.