FTC Settlement Highlights the Importance of Protecting Sensitive I-9 Data in an Electronic World
Yesterday, the Federal Trade Commission (FTC) announced that it had reached an agreement with Electronic I-9 and E-Verify vendor Lookout Services, Inc., to resolve charges that the company failed to employ reasonable and appropriate security measures to protect the I-9 data of its customers’ employees following the company’s highly publicized data breach in late 2009. Under the terms of the FTC settlement agreement, Lookout must implement a comprehensive information security program and obtain independent, third-party security audits every other year for the next 20 years. The FTC will publish more details in the Federal Register soon and provide interested parties an opportunity to comment. Although Lookout’s I-9 data breach is fairly old news, the FTC complaint (published here) sheds new light on the potential hazards of storing sensitive I-9 information in an unprotected manner online, as well as on the security practices the FTC considers reasonable. The FTC administers a wide variety of consumer protection laws which prohibit unfair and deceptive acts or practices, so its recommendations and comments are quite telling indeed. If you are in the market for an electronic I-9 and E-Verify solution or re-evaluating your current solution, make sure you check out the complaint and read below for an analysis of the data security failures which can lead to the dreaded data security breach.
Background
As previously reported, the State of Minnesota had been using the Lookout system to process its employees’ I-9 and E-Verify records when state officials learned that large amounts of sensitive employee data could be easily accessed on the company’s website without proper authentication. Specifically, in October 2009, and again in December 2009, Lookout’s authentication practices and web application vulnerabilities (described below) enabled an employee of a Lookout customer to gain access to the personal information of over 37,000 individuals.
The FTC noted that this was a serious situation indeed, especially since an electronic I-9 solution will routinely collect highly sensitive information, including names, addresses, dates of birth, Social Security numbers, passport numbers, alien registration numbers, driver’s license numbers, and military identification numbers (what I call the “I-9 gold mine”). Following this discovery, the State of Minnesota suspended its agreement with Lookout and directed all agencies to stop using the company’s I-9 and E-Verify system. The Office of the Legislative Auditor (OLA) of Minnesota also issued a detailed report, criticizing the very casual and uninformed manner in which the I-9 and E-Verify vendor was chosen. Since that time, the FTC also reports that Lookout has taken steps to prevent additional unauthorized access and mailed breach notification letters to customers who may have been impacted.
The False Promise of Security
As a consumer-protection agency, the FTC paid very close attention to the marketing and other sales-related literature that Lookout disseminated concerning the security of its I-9 data. In particular, the FTC focused on two Lookout marketing statements (later proved to be false) which were made at various times during the past few years:
1. Although the data is entered via the web, your data will be encoded and transmitted over secured lines to Lookout Services server. This FTP interface will protect your data from interception, as well as, keep the data secure from unauthorized access.
2. Perimeter Defense – Our servers are continuously monitoring attempted network attacks on a 24 x 7 basis, using sophisticated software tools.
Now, before I go further, I should note that these statements in and of themselves are perfectly fine and quite standard in the industry these days. If you visit the website of any reputable electronic I-9 and E-Verify vendor, you will most likely find the same or similar language. However, proper data security involves much more than catchy buzzwords and attractive metaphors; it consists of a core set of principles and practices encompassing such topics as user authentication, access control, encryption, intrusion detection, and security management in general. Failure to account for these important elements can lead to multiple failures, as described below.
Specific Security Failures of the Lookout I-9 System as Noted by the FTC
According to the FTC complaint, Lookout engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for the I-9 data stored on its servers. In particular, the FTC noted the following failures:
- Failed to implement reasonable policies and procedures for the security of sensitive consumer information collected and maintained by Lookout;
- Failed to establish or enforce rules sufficient to make user credentials (i.e., user ID and password) hard to guess. For example, Lookout did not require its customers or employees to use complex passwords to access the I-9 database. Accordingly, users could select the same word, including common dictionary words, as both the password and user ID, or a close variant of the user ID as the password;
- Failed to require periodic changes of user credentials, such as every 90 days, for customers and employees with access to sensitive personal information;
- Failed to suspend user credentials after a certain number of unsuccessful login attempts;
- Did not adequately assess and address the vulnerability of Lookout’s web application to widely-known security flaws, such as “predictable resource location,” which enables users to easily predict patterns and manipulate the uniform resource locators (“URLs”) to gain access to secure web pages;
- Allowed users to bypass the authentication procedures on Lookout’s website when they typed in a specific URL;
- Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks, such as by employing an intrusion detection system and monitoring system logs; and
- Created an unnecessary risk to personal information by storing passwords used to access the I-9 database in clear text.
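Three of the credential failures listed above (user ID reused as the password, no lockout after failed logins, passwords stored in clear text) map directly onto code. The following Python is an added illustration written for this post, not Lookout’s code or anything from the FTC complaint; the banned-word list, the 12-character minimum, the five-attempt threshold and the 900-second lockout are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

COMMON_WORDS = {"password", "test", "welcome", "letmein", "123456"}  # constructed sample; load a full wordlist in practice
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 900

def credential_policy_errors(user_id, password):
    """Return the policy violations for a proposed credential (empty list = acceptable)."""
    errors = []
    uid, pw = user_id.lower(), password.lower()
    if len(password) < 12:
        errors.append("too short")
    # Rejects the same word as the user ID and close variants such as "jsmith2009".
    if pw == uid or uid in pw or pw in uid:
        errors.append("derived from user ID")
    if pw in COMMON_WORDS or pw.rstrip("0123456789!") in COMMON_WORDS:
        errors.append("common dictionary word")
    return errors

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, so the clear-text password is never stored."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Authenticator:
    def __init__(self):
        self.users = {}     # user_id -> salt + hash
        self.failures = {}  # user_id -> (failed count, locked_until timestamp)

    def register(self, user_id, password):
        errors = credential_policy_errors(user_id, password)
        if errors:
            raise ValueError("; ".join(errors))
        self.users[user_id] = hash_password(password)

    def login(self, user_id, password, now):
        """now is a Unix timestamp passed in so lockouts are testable without a clock."""
        count, locked_until = self.failures.get(user_id, (0, 0))
        if now < locked_until:
            return "locked"   # suspended credential: rejected even with the right password
        stored = self.users.get(user_id)
        if stored and hmac.compare_digest(hash_password(password, stored[:16]), stored):
            self.failures[user_id] = (0, 0)
            return "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILED_ATTEMPTS else 0
        self.failures[user_id] = (count, locked_until)
        return "locked" if locked_until else "denied"
```

With this policy the “test”/“test” credential from the complaint is rejected at registration, repeated guesses at the login page are cut off after five failures, and a database dump exposes only salted hashes.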
Taken together, the above-listed vulnerabilities enabled the following sequence of events to occur:
Data breach #1
An employee obtained a URL for a secure web page during a webinar for the I-9 Solution. She later typed that precise URL into her browser, bypassed the login page, and gained access to a portion of the I-9 database without ever being prompted to provide a valid user credential.
Data breach #2
The employee then made minimal and easy-to-guess changes to the URL and gained access to the entire I-9 database.
Data breach #3
On another occasion, the employee visited Lookout’s public-facing login web page for the I-9 Solution where she guessed and entered several different user IDs and passwords, including the user ID “test” and the password “test.” Because this was a valid user credential for one of Lookout’s customers, entering “test” and “test” gave her access to the personal information of the more than 11,000 consumers employed by that customer.
Data breach #4
Then, by making minimal and easy-to-guess changes to the URL, the employee again gained access to the entire I-9 database, which included the personal information of more than 37,000 consumers.
Because Lookout did not employ an intrusion detection system until October 2009, or adequately monitor system logs until December 2009, it is unknown if other unauthorized persons accessed the personal information in the I-9 database before that time.
Lessons Learned for Employers
While it’s tempting to analyze the above-listed failures and develop concrete security advice, the reality is that data security can be complex and we’re not all data security specialists. Yet, as the State of Minnesota learned all too well, it’s absolutely crucial for organizations to assess the security risks of housing their confidential and protected I-9 data with an electronic vendor. Therefore, the first lesson learned is that employers should always involve their IT security specialists at the beginning of the selection process to perform a detailed analysis of the vendor’s systems and processes. IT specialists are generally not impressed with marketing literature either (they’ve seen it all), so they should be able to provide you with a thorough assessment of whether the vendor’s system does what it claims to do. In addition, since many organizations may not have IT specialists on staff, you should always ask whether your vendor has contracted with an independent security expert to perform manual penetration tests that gauge the effectiveness of the vendor’s defenses against hacking attempts. The ideal test will involve a combination of automated and manual penetration testing, web application testing, network configuration analysis, and a social engineering exercise to measure the vendor’s own security practices and policies. The vendor’s successful completion of this evaluation will provide a great baseline for you to judge its overall security and commitment to protecting sensitive I-9 data. Lastly, no matter how well the system is designed, good data security revolves around people and practices. As such, employers should always make sure to closely examine their vendor’s own security policies to ensure they are on top of advancements and new directions in the security industry.
This education may come from attending security webinars and conferences or through having other demanding security clients (banks, healthcare companies and federal government agencies certainly come to mind). Employers should also strongly consider on-site visits to see how their vendor deals with day-to-day security issues around the office. Completing such a rigorous security investigation will not only ensure you’re making the right decision…it will also keep your organization’s name out of the newspaper…which in the world of I-9, is almost always a good thing!