I am building a website for use in the state of Ohio where users enter the last 4 digits of their SSN or their Driver’s License number. This data is submitted to the webserver, which generates a PDF with the information included on it. The PDF is then emailed to the user.
Are there security standards that govern how this type of sensitive data is handled, especially concerning email?
Also, are there potential legal issues / concerns in building an application like this?