PII data in my REST API

miqui

unread,

Feb 14, 2018, 11:25:46 AM2/14/18

to API Craft

Hi ,

So, one way I am handling PII is to use a POST and include the PII in the request body. Any thoughts?

rgds,

Miguel

Eric Johnson

unread,

Feb 15, 2018, 1:11:12 PM2/15/18

to API Craft

Yes.

Make sure you're using HTTPS!

Set the Strict-Transport-Security header.

Collect as little as you possibly can, and don't keep it any longer than you have to.

Avoid crossing international boundaries with the data (to the extent that is under your control, instead of the user of the site).

Provide the capability to delete the PII as part of the service, even if it is not part of the API.

Eric

miqui

unread,

Feb 15, 2018, 3:06:09 PM2/15/18

to API Craft

.. indeed using https. I'll checkout the header. thanks!

rgds,

Miguel

Hassan Schroeder

unread,

Feb 15, 2018, 5:31:21 PM2/15/18

to api-...@googlegroups.com

On Thu, Feb 15, 2018 at 12:06 PM, miqui <migm...@gmail.com> wrote:
> .. indeed using https. I'll checkout the header. thanks!

Encrypted in transit is good, but what legal standard(s) do you have
to meet? HIPAA, for instance, requires encryption at rest as well.

Make sure you're not leaking PII through third-party services (logging,
analytics, etc.) or potentially exposing it through unencrypted backups.

Make sure anyone with access to a system with PII is using individual
(not shared) revocable keys and, and, and...

Depending on the standards you're trying to meet this can be a pretty
deep rabbit hole 😀

--
Hassan Schroeder ------------------------ hassan.s...@gmail.com
twitter: @hassan
Consulting Availability : Silicon Valley or remote

Reply all

Reply to author

Forward