Context and types of data.
View this email in your browser

Web Form Security for Regular People

Lesson 3: Data Management


Welcome back. In Lesson 1, we went over data laws and policies, respondent expectations, and types of data. In Lesson 2, we covered different areas of compliance.

Today, we'll talk about how data is processed and stored. It's crucial to review your security practices for encryption, data storage, and data management, and make sure that they're up-to-date and adequate for the types of data that you collect. And sometimes, even with security systems and plans in place, data may get into the wrong hands. With that in mind, we'll discuss the legal and financial consequences of data breaches and non-compliance with data laws.

In this email, you'll find an overview of:
  • encryption,
  • data access,
  • data retention, and
  • liabilities.


Encryption is a cryptographic technique to protect data and restrict access to authorized parties. Encryption can protect stored data in a range of levels, from single files to full disk encryption.

Respondents can look for the green HTTPS symbol in the address bar of a browser to check that data will be transmitted securely and to evaluate whether it's a place they can trust. When present, the HTTPS icon signifies the SSL certificate is valid and working properly, and the data in transit will be encrypted and unreadable by unauthorized people.

There's also more to SSL than it seems, so be sure to stay well-informed and current with the latest issues and vulnerabilities. For instance, two major security bugs (Heartbleed and POODLE) were discovered this year.

Data Access

In Lesson 1, we mentioned how it's important to control and track who accesses your data. Access logs are critical in the event that something goes wrong, so you can see who had access to what. Logs can include security measures such as session timeouts and a maximum number for unsuccessful login attempts, so you can protect your data against unauthorized remote access.

Security measures should also be in place for physical access, such as the server hardware on which the data is stored, and the laptop computer that you use to access the database. Plan for what may happen if your computer gets stolen, and someone else can use the passwords that you've saved.

Even if you don't manage users and permissions, however, you should still follow good security practices if you have access to data:
  • Don't share accounts with other users
  • Don't re-use a password (Choose a unique password)
  • Periodically change passwords

Data Retention

Your organization may have internal policies for data retention, i.e., how long data can be stored and when it will be purged, or permanently deleted.

Depending on the types of data you collect, you might purge or retain data on a more granular level, on a field-by-field basis, or to a partial degree.

For example, an IP anonymization feature for FormAssembly Enterprise can be enabled, so only the first two octets of an IP address are stored. Form responses can still be organized by region or IP range, but cannot be traced to a single individual.


If your data collection and privacy practices aren't compliant with applicable laws, you may be at risk for fines and other legal actions.

In the case of a data breach, your liability depends on the data. For example, if you collect credit and debit card information from your customers, and the information gets stolen, you may need to pay fines and fees to re-issue credit cards, provide free credit reports, and insure customers in case of identity theft. You may also lose customer trust and goodwill towards your brand.

If you're dealing with confidential information, you should plan for the worst-case scenario and be prepared to act. Make sure that your liability insurance covers data breaches, and understand what is and what is not covered by your insurance.

Up Next

Join us tomorrow, October 21 at 2 PM EST for the last lesson — live! We'll show you how to use FormAssembly to improve web form security and build customer trust.

Thanks for reading!

Copyright © 2014 FormAssembly, All rights reserved.

unsubscribe from this list    update subscription preferences