Liability and handling PII

Anybody have experience with handling PII (personally identifiable information) on the web?

I have a web client who hired us to move their current website from one host to another, and, in the process, we discovered that they have a database filled with their customers’ personal information (SSNs, scans of credit cards, banking info, etc.) in the open—no encryption.

We don’t want to touch the site because we’re concerned about being liable if unauthorized access has happened or happens after the hosting move, but the client doesn’t know how to delete the PII or add the necessary security on their own. They want us to guide them through the process, but we are worried that even doing that could leave us open to litigation.

Anybody have advice on how to handle this? Should we just cut and run, or can we help them? I’m worried that, if we don’t help, they’ll just leave the info in the open and their customers will be screwed.

I’d say your concerns are warranted. I can’t say whether the database should be destroyed or if migration to a secure system is possible, but there are plenty of off-the-shelf secure transaction options available.

You and the client will probably have to bring an e-commerce security consultant into it, who might then enlist legal assistance or protection. The client must be advised that their past practice poses serious liability exposure and that their cost of doing business is about to increase as they take on the obligatory security responsibility they’ve neglected to this point.

That’s what I’m thinking too. Thanks for your reply.

Yes, absolutely you need to involve an expert on data security, at the client’s expense.

If they don’t want to pay for that, then cut and run, because yes, you could have liability if you touch the data.

I commend you for being concerned about their customers. But if you explain to your client the potential dire consequences, to them and their customers, and they still don’t do anything, it won’t be on you.

Personally, and this is me being judgmental, I’d be afraid of working with a client like that. If they’re so head-in-the-sand about customer data, they’re probably deliberately ignorant about other things too.

If you do take them on, be sure to cover your butt financially by getting deposits, stopping work if you don’t get paid, etc. Look out for yourself in this situation.

Thanks for your input. I agree with you.

As for the other part, it’s a client-of-a-client situation (I’m subcontracted to help with web stuff). My client is an ad agency, and their client is the one with the website… so, we’ll see what happens.