encrypt fill in .pdf form
-
@Dashrender said:
Google will sign a BAA for HIPAA for example, just like MS will.
https://support.google.com/a/answer/3407054?hl=enThat implies that they do certain things, but only so much. The question here was about protecting the data which goes farther than HIPAA would go. Google wouldn't be able to be sued usefully in a breach as long as they were HIPAA compliant.
-
That link does list other ISO certifications they have.
None the less, I don't consider them an insecure platform - if you do, why do you?
-
@scottalanmiller said:
That implies that they do certain things, but only so much. The question here was about protecting the data which goes farther than HIPAA would go. Google wouldn't be able to be sued usefully in a breach as long as they were HIPAA compliant.
Right.
The second you use a weak password, or someone else has access to the data, it may not be compliant.
-
The common consensus for level 1 data (SSNs etc). It not to store them on Google Cloud, DropBox etc. Don't store them on laptops, desktops or any mobile device.
They should be encrypted at rest and in transit, and usually need a password to open at the file level.
Going against this and storing them in files online rather than a specific service meant for this is asking to be held liable if something happens.
-
At the very least, you'd want them in a database that has no "download as a complete set" function. Anything stored in a file system like Google Docs is going to have a lot of exposure to "any breach is a full breach."
-
@scottalanmiller said:
At the very least, you'd want them in a database that has no "download as a complete set" function. Anything stored in a file system like Google Docs is going to have a lot of exposure to "any breach is a full breach."
And encrypted in the databases. this is the way it would be done if you got it from some kind of service.
A file is how all those people who left there laptops on plans got records of employees stolen years ago.
-
@Jason said:
And encrypted in the databases. this is the way it would be done if you got it from some kind of service.
This is a benefit of systems like MS SQL Server. Database encryption. You can encrypt the storage that the database is on instead, but you want encryption in the database ideally if you are on a shared service.
-
So if the form is submitted and then the receiver prints it out and deletes it, the information moves across the internet and is protected by SSL, but the data isn't sitting in a google account that can get hacked. (forcing 2 factor would be even better)
-
@Mike-Davis said:
So if the form is submitted and then the receiver prints it out and deletes it, the information moves across the internet and is protected by SSL, but the data isn't sitting in a google account that can get hacked. (forcing 2 factor would be even better)
it's still in Google until you delete it though. Granted that may be a small window, but it's still a window.
-
@Mike-Davis said:
So if the form is submitted and then the receiver prints it out and deletes it, the information moves across the internet and is protected by SSL, but the data isn't sitting in a google account that can get hacked. (forcing 2 factor would be even better)
You really just need an online HR service provider to handle this.
