have a client who is looking to hold personal information such as Driving Licenc

Question

have a client who is looking to hold personal information such as Driving Licences and Insurance documents in order to verify if a user of the site is who they say they are and lives where they say they live (the site is a sort of brokerage)

We were looking at storing this information in an offsite solution such as amazon S3, obviously it will be encrypted before it is sent from our server and pulled down and decrypted when we need it but is this enough? Are there extra levels of compliance I need to meet?

Forgive me ignorance with this, I'm by no means a security expert and just want to know if this is something we should even be considering.

Explanation / Answer

From a purely technical perspective, if you encrypt it properly before you upload it, and it stays encrypted all the time it is in the cloud, then the data is very safe.

However, there are very probably extra levels of legal compliance you need to meet. This is "Personally Identifiable Information" and there are a lot of laws and regulations that apply to handling it. You need to take legal advice on what you need to do.

Note that you not only need to worry about the jurisdiction where your client is, but also the jurisdictions where the data is, and the jurisdictions where the users are. (That alone might make using S3 more of a challenge, since you'll have no way of controlling whether the data you put in there is in stored in Newark or Tokyo or some other place Amazon hasn't even told us about yet.)

Related Questions

Navigate

• Browse (All)
• Browse H
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.