
Web Form Security for Regular People

Lesson 2: Compliance


In the first lesson, we discussed which factors affect data laws and guidelines, respondent expectations, access control, and types of data. (Catch up here if you missed the first email.)

When you collect certain types of data, you're required to comply with the applicable data laws and policies to ensure that data is adequately protected and that personal information is kept private. Compliance lowers liability risks and keeps your audience informed of your data collection and privacy practices.

Today, we'll talk about different areas of compliance:
  • electronic signatures,
  • payments,
  • personal health information, and
  • privacy certification.

Electronic Signatures

When you collect electronic signatures for documents, keep in mind: the signature itself is just one part of the equation.

The tools you use should handle the compliance side, satisfying legal requirements such as encryption and audit trails. You'll be able to collect e-signatures with FormAssembly soon, but you can also use a service such as 

As the form creator, your most important job is to collect the personal information that ties the respondent to the signature. For example, you might collect the respondent's full name, email address, and IP address. This information serves to authenticate the content of the document: you need to be able to prove that a particular individual signed it, and the more fields that can provide evidence, the better.

Payments

To collect credit card payments, you must be a PCI-certified merchant or use a third-party payment processor with certified PCI compliance, such as PayPal or Authorize.Net.

PCI stands for Payment Card Industry, and the PCI Data Security Standards are managed by the card brands, such as American Express and Visa International. Compliance with the PCI Security Standards protects cardholder data through a set of requirements. For example, merchants must track and monitor all access to cardholder data and to network resources.

You should also make sure that credit card information stays inside the PCI-compliant service. Never export, print, or e-mail cardholder data.

Personal Health Information

If you collect personal health data, you must comply with the Health Insurance Portability and Accountability Act (HIPAA), which sets administrative, physical, and security standards to protect the privacy of personal health information. For example, not only must there be data backup and disaster recovery plans in place, but staff who access personal health information at any point must be properly screened, trained, and authorized.

Apps and services that collect personal health information, such as the Fitbit and Apple Watch, may also fall under the governance of HIPAA.

Privacy Certification

Privacy certification, such as TRUSTe's TRUSTed Websites privacy certification, gives a qualified endorsement of your privacy policy. The assessor, such as TRUSTe, reviews your privacy practices to ensure that your privacy policy accurately reflects your data collection practices.

Privacy certification can be beneficial because it shows your audience that you're concerned with data privacy and that you've taken adequate steps towards transparency and compliance. TRUSTe can also serve as an arbitrator in the case of a data privacy dispute. Certification can also increase your customers' trust and confidence in you and your brand, and help identify some basic problems with your website.

However, certification is not the same thing as a comprehensive security audit. It will not solve any security issues or fix any problems. You'll need to address those on your own.

Up Next

In the next email, we'll cover encryption, data retention, and liabilities.

We'll end on October 21 at 2 PM EST with an online lesson on how you can put security practices into action with FormAssembly.

Have a great week!

Copyright © 2014 FormAssembly, All rights reserved.
