Anybody have experience with handling PII (personally identifiable information) on the web?
I have a web client who hired us to move their current website from one host to another, and, in the process, we discovered that they have a database filled with their customers’ personal information (SSNs, scans of credit cards, banking info, etc.) in the open—no encryption.
We don’t want to touch the site because we’re concerned about being liable if unauthorized access has happened or happens after the hosting move, but the client doesn’t know how to delete the PII or add the necessary security on their own. They want us to guide them through the process, but we are worried that even doing that could leave us open to litigation.
Anybody have advice on how to handle this? Should we just cut and run, or can we help them? I’m worried that, if we don’t help, they’ll just leave the info in the open and their customers will be screwed.