Know who is Managing Electronic I-9 Data

Know Who is Managing Your I-9 Data
Choosing a vendor for electronic processing of your I-9 data can be a daunting task but it is important that your due diligence include a significant investigation of the vendor’s security, stability and accountability. Clearly, in the wake of the Lookout Services data breach*, the landscape for security risks in this arena has fundamentally changed. In that case, unsophisticated investigators were able to penetrate and view client’s Personally Identifiable Information (PII) in the system of a nationally visible/ prominent vendor. This information has now become a gold mine for sophisticated hackers seeking data to perpetrate identity theft or sell stolen data on the black market.

Your data security is paramount and we believe that important information can be derived from a review of our recommended security questions to pose to Electronic I-9 vendors. To be sure, this is neither an exhaustive list, nor a substitute for a thorough diligence review, however we do believe it is an effective initial screen. Additionally, we recommend that companies and their advisors should take care to evaluate whether the promised security features align with the listed price point for a given product—if the price seems too good to be true (and insufficient to provide for coverage of costs related to best practices), then it probably is, in fact, too good to be true. After successfully completing more than 100 security reviews and multiple on site privacy assessments by Fortune 500 companies and Government entities a pattern of very sophisticated questions has emerged.
On the following pages we have gathered the best and most commonly asked questions that we suggest you ask your vendor when completing your security due diligence.

1. Does Your Vendor Have Sufficient Encryption Capabilities?
Effective encryption is difficult to deploy without creating substantial behind the scenes costs and usability issues – and for these reasons many vendors describe “partial” encryption incorrectly as general “encryption.” In transit or partial encryption is a basic standard, typically the “HTTPS” SSL protocol, but encryption in the intermediate (in database) storage and wholesale transport (back-ups, shared files) of any critical/sensitive data is essential. Specifically, “at rest” encryption of PII data and the strict use of encrypted transport protocols (such as encrypted FTP uploads and down-loads for PII) are critical. *In December of 2009 The State of Minnesota, an electronic I-9 verification client of Lookout services of Bellaire, Texas experienced a data breach of more than 500 employees PII data, which included names, dates of birth and Social Security Numbers.

2. Is There Comprehensive Production Environment Security?
The location and handling of the primary servers holding relevant data is a critical piece of the security for any vendor. The vendor’s production systems and critical data should be completely housed within a Tier 1 co-location facility that has received SAS70 Type II certification. Effective and demonstrable data isolation for each client within a database is standard. Most importantly, a vendor must be able to demonstrate that only the correct authorized individuals, regardless of whether they are using secure virtualization and separation fail-safes or a combination of unique keys, encryption, and fail-safes, can access client data.

3. Are There Sophisticated Password/Login Management and User Pattern Logging?
The “average” exposure event does not usually involve sophisticated hackers or outsiders. In fact, the most common sources of a breach are compromised passwords and abuses perpetrated by internal “authorized” users. The ability to set sophisticated parameters for passwords (to require “strong” passwords, changes to passwords, abuse detection, etc) and to analyze user logs is an essential component of any secure system. Advanced systems should also include options to provide secondary login steps or two-step authentication that reduce the risk of phishing and other known security problems for end users.

4. Does Your Vendor Participate in Recurring Penetration andVulnerability Testing?
Daily, automated, penetration testing by a third-party firm to test vulnerabilities that emerge on a daily basis is essential. The vendor should have a policy to affirmatively notify partners and clients should a persistent material vulnerability be detected and unresolved within a reasonable cure period. Additionally, periodic “aggressive” manual penetration testing by a firm specializing in Software as a Service (SaaS) organizations- -those that store “high value” data–should be performed and certified by third parties. This testing should include “social engineering” penetration that evaluates whether vendor customer service representatives or other employees can be “tricked” into revealing information or providing unauthorized access.

5. Are There Physical (Non-Technical) Security Policies for Handling of Data?
When conducting work on behalf of clients as in the case of a manual migration of paper I-9s, the vendor should be able to demonstrate the implementation and enforcement of appropriate physical controls for sensitive data including: full background screening for all employees, “clean room” and lockdown compliant facilities for scanning/handling areas, isolation (no internet, inactive USB ports, etc) of computer systems used in the process, and auditable and logged employee activity related to the handling of sensitive data.

6. Is There Deployment of Secure Data Feeds for Active Data Sharing?
For those vendors that offer sophisticated HRIS system integration or active data sharing with a third party system
(as in the case of LawLogix Guardian integration with Oracle, SAP, or Legacy PeopleSoft systems), the methods implemented should not utilize vulnerable unencrypted data feeds. Vendors should be able to certify that they have successfully deployed data sharing systems that use a protocol (such as SOAP with encryption) that is secure and uses appropriate encryption processes. Many companies experience implementation problems even when this security is theoretically available and so proof of successful deployment of Secure Web Services is essential.

7. Is There Business Continuity Capability and “Hardened” Systems in Place?
A vendor should have a comprehensive business continuity plan in case of natural or human created disasters. Best practices include system redundancy and sophisticated defenses against Denial of Services (DoS) and Distributed Denial of Service (DDoS) attacks that can prevent congestion or interrupt access to the service. A review of the DNS routing plans and level of router sophistication is often needed to assess compliance with best practices. The difference of internal cost for vendors that deploy “best” versus “standard” practices to address this risk can number in the millions of dollars, so ask for a physical description of router types, co-location facility capabilities, and level of staff and equipment redundancy.

8. Does the Vendor Carry Insurance Coverage to Mitigate and Compensate?
Vendors that follow best practices are more likely to secure effective insurance coverage for E&O exposure and, most importantly, Cyber liabilty related exposures. A vendor should have sufficient coverage to provide evidence that contractual provisions including any indemnification for confidentiality breaches are meaningful–coverage for each of the various exposure areas should be in the millions. Importantly, LawLogix appears to be the only vendor with specific cyber liability type coverage (with combined policy values in the millions) that provides substantial resources in the case of potential emergent damage or exposures in such a way that resources can be used to interrupt or stop problems in process.

9. Is There a Formal Affidavit Attesting to the Company’s Data Security History?
Historically, non-disclosure is one of the single biggest challenges in this market space. A potential vendor should be required to clearly attest to the fact that they have not had any breach (direct or indirect, whether or not resulting in known damages) of client data and that they are not aware of any alleged or possible but unproven breaches related to their data (across all products and in all subsidiaries and affiliates). Though it is perhaps reasonable for a vendor to request that the language of the affidavit include the nuance of “material” breach, a firm should require a full written description of the event(s) (not considered “material”) at issue that prompted the request to restrict the affidavit to historical “material” breaches. Best practices consider any breach (material or not) of critical importance (and likely disqualifying). LawLogix is able to provide the broadest possible and most reassuring version of this affidavit.

Shortly after the Lookout Systems incident, LawLogix conducted a comprehensive review of current security practices and evaluated the various sources of exposure for our clients, the law firms with which we partner, and various parties involved in providing services related to I-9 completion/ compliance/ storage and E-Verify submission. The process was sobering in that it highlights the expanded scope of complex issues and liability surrounding this area of compliance and data record keeping. It is also encouraging because it reconfirms that correct strategies and investment in best practices are, we believe, a very effective way to address and manage these issues. LawLogix excels at deploying, with discipline and consistency, these best practices and has invested in the correct technologies and protocols to radically reduce the risks inherent in this process and we believe we are the clear industry leader in these matters with demonstrable deployment and security success for hundreds of clients.

To learn more about how LawLogix electronic I-9 software tools can influence your organization’s compliance efforts.

Download PDF