Data Security in Immigration Case Management: Facts and Myths

The start of a new year is an opportunity to be leaner, fitter, healthier and more positive-thinking for many individuals.  There is no reason the same could not also be  applied in the business setting.  When evaluating immigration case management software solutions, data security is a good starting point for many organizations. Data security for most immigration professionals and HR professionals probably ranks towards the bottom of the list when it comes to their many competing priorities.

However,  because so much data is being passed back and forth between various stakeholders using different media, such sensitive, personally identifiable information (aka PII) data should and must be protected, particularly in light of tough new data security laws which are being proposed around the world. Privacy organizations have a running tally of ongoing breaches that occur in the U.S. and breaches are on the rise.  A Ponemon Institute’s 2010 report on data breaches reveal the cost to organizations exceed $7.2 million per year, an increase of 5% from $6.8 million in 2009, with the average per record cost at $214 for each compromised record.

The majority of U.S. states and territories have passed some form of privacy legislation requiring entities to publicly notify clients of data breaches.  If the threat of regulatory fines, lawsuits, injury to reputation, damage to hardware and software and the cost of recovering data are not enough reasons to compel most companies and attorneys to take steps to protect their clients’ data, perhaps potential discipline from a state bar association may.  IT departments are a good starting point to understand the data security climate in your organization. Talking to your existing or potential immigration case management software vendors about these important myth-busting concerns are a good next step.

1)  TRUE or FALSE:  All immigration case management software vendors are insured, so I don’t have to worry.

FALSE:  Insurance comes in many different forms.  Most immigration case management software providers will have standard liability insurance for general damages (physical theft and damage to premise and tangible property) but cyber-attacks to client data by hackers most likely will NOT be covered.  Check to see if your vendor has also taken out a cyber-insurance policy to specifically cover cyber-attacks and how much that coverage is.  Cyber-insurance usually covers technology-based infrastructures and activities arising from the internet.  Recent high-profile cyber-attacks of companies resulted in insurance companies disclaiming coverage in situations where cyber-insurance was not previously purchased.

2)  TRUE or FALSE:  It is relatively easy for my immigration case management software vendor to obtain cyber-insurance, so there is no need to worry.

FALSE: Cyber-Insurance Providers require vendors to undergo strict levels of security as a precondition to receiving coverage and as a method of dispersing overall risk amongst larger groups of insured.  For this reason, and because of the high risks involved, cyber-insurance is also very costly, up to $40,000 per million dollars of loss, according to a recent Computerworldarticle.  Where does your immigration case management software vendor or your organization stand on cyber-insurance?  Are their security practices at or above industry norms to receive such coverage?  Are they financially able to assume the high cost of such coverage?

3) TRUE or FALSE: Having multiple data servers in safe and secure facilities helps to protect my information from unauthorized access.

TRUE: Having multiple data servers helps to physically protect the hardware (the data servers) from being all damaged in one natural disaster or unfortunate accident.  However, finding out who is actually accessing the data servers is also very important.  Costs for physically storing electronic data are very high. They include a) the cost of the physical equipment (the infrastructure), b) the cost of the physical space to house the infrastructure, c) the cost of securing the physical location, and d) the long-term cost of maintaining that protection.  Does your immigration software vendor own their physical infrastructure and manage the data protection internally or do they outsource it?  If they outsource that important process, what recovery/disaster procedures have been implemented to ultimately alert you of a breach?  How many individuals would potentially have access to your client’s PII data besides your immigration software vendor?

4)  TRUE or FALSE:  The security certifications my immigration case management software vendor has attained is enough to protect me.

FALSE: Security certifications are a great way to maintain consistency with industry standards. However, on its own, security certifications cannot be enough to truly provide you with peace of mind in protecting PII client data.  Security certifications, in conjunction with a clear and continued physical control of data servers, along with a well-balanced cyber-insurance coverage, is the best way, in today’s market, to be protected. For 2012, resolve to reduce risk.  By carefully reviewing your data security environment and asking current or potential vendors tough questions, you discover which electronic case management solutions are right for your practice or organization.  By trimming unnecessary risks, you can operate with much more protection and be on the road to healthier operations.