What is Protected Personally Identifiable Information? Do I really have to hash users' passwords?


The Short Answer

The legal answer depends on which Federal, State, and local laws apply to your company. And I am not a lawyer. However, for companies whose nexus is in Georgia, where my company is located, the Georgia General Assembly has given some guidance in the data breach law.

And yes, you really do have to hash your users' passwords, or you risk having to do a full-blown data breach notification if the users table is ever compromised!

The Details

The exact definition of personal information varies among states.

However, since my company is located in the State of Georgia, and so are many of our clients, I will use the Georgia State Data Breach Notification Law as an example.

O.C.G.A. § 10-1-911 (Official Code of Georgia Annotated) defines personal information as:

“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

The term “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

In general, the Georgia General Assembly has expressed concern over the threat of identity theft.

My understanding is that if you do not hash the passwords in your database and it is leaked, then you have to do a full formal data breach notification. People tend to reuse the same password at multiple sites, so a leaked plaintext password exposes far more than your own application. Salted, slow password hashes are your friends here: use a purpose-built password hashing function (bcrypt, scrypt, Argon2 or PBKDF2) with a unique random salt per user, not a bare MD5 or SHA digest, which is fast enough for an attacker to brute-force at scale.
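The following is an added worked example, not code from the original post, showing what "salted, slow hashing" means in practice. It uses PBKDF2-HMAC-SHA256 from the Python standard library so it runs offline; the self-describing record format (`pbkdf2_sha256$iterations$salt$hash`) is my own convention, and the iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256. The unsalted SHA-256 function is included only to show why a plain digest is not a password hash.

```python
import hashlib
import hmac
import os

# Default work factor. 600,000 iterations matches OWASP's published guidance for
# PBKDF2-HMAC-SHA256; raise it over time as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    A fresh random salt is generated for every call, so hashing the same
    password twice yields two different records and precomputed tables are useless.
    The record format is an assumption for this example, not a standard.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then compare.

    hmac.compare_digest is constant-time, so a wrong guess does not leak how
    many leading bytes matched. Malformed records simply fail verification.
    """
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def unsalted_sha256(password: str) -> str:
    """What NOT to store. Deterministic and fast: identical passwords produce
    identical hashes, and an attacker can test billions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def same_password_collides_unsalted(password: str) -> bool:
    """Two users with the same password get the same unsalted hash (bad)."""
    return unsalted_sha256(password) == unsalted_sha256(password)


def same_password_differs_salted(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users with the same password get different salted records (good)."""
    return hash_password(password, iterations) != hash_password(password, iterations)


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    pw = "correct horse battery staple"
    record = hash_password(pw)
    print("stored record:", record)
    print("verify correct password:", verify_password(pw, record))
    print("verify wrong password:  ", verify_password("Tr0ub4dor&3", record))
    print("unsalted collides:      ", same_password_collides_unsalted(pw))
    print("salted differs:         ", same_password_differs_salted(pw))
```

Store only the record string; never the password. Because the iteration count is embedded in each record, you can raise the work factor later and re-hash users on their next successful login without a flag day.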

Other Potentially Applicable Laws

In general, security standards are either required for all entities that handle certain information (law mandates) or by contractual agreements with a private party or a government agency.

U.S. Laws

Contractual Agreements

Comments

Christian Kotscher

Great info Frank, you're the best.

John Grints

I agree. This is also the same with big companies. Passwords and other data should be safe and secured. Important files should be encrypted to ensure their safety and security. A company also needs to hire an excellent developer that knows how to do ethical hacking.