FTC Settlement Highlights the Importance of Protecting Sensitive I-9 Data in an Electronic World

by John Fayon May 4, 2011

Yesterday, the Federal Trade Commission (FTC) announced that it had reached an agreement with the electronic I-9 and E-Verify vendor Lookout Services, Inc., to resolve charges that the company failed to employ reasonable and appropriate security measures to protect the I-9 data of its customers’ employees following the company’s highly publicized data breach in late 2009. Under the terms of the FTC settlement agreement, Lookout must implement a comprehensive information security program and obtain independent, third-party security audits every other year for the next 20 years. The FTC will publish more details in the Federal Register soon and provide interested parties an opportunity to comment.

Although Lookout’s I-9 data breach is fairly old news, the FTC complaint (published here) sheds new light on the potential hazards of storing sensitive I-9 information online in an unprotected manner, as well as on the security practices the FTC considers best practice. The FTC administers a wide variety of consumer protection laws which prohibit unfair and deceptive acts or practices, and so its recommendations and comments are quite telling indeed. If you are in the market for an electronic I-9 and E-Verify solution or re-evaluating your current solution, make sure you check out the complaint and read below for an analysis of the data security failures which can lead to the dreaded data security breach.

Background

As previously reported, the State of Minnesota had been using the Lookout system to process their employees’ I-9 and E-Verify records when state officials learned that large amounts of sensitive employee data could be easily accessed on the company’s website without proper authentication. Specifically, in October 2009, and again in December 2009, Lookout’s authentication practices and web application vulnerabilities (described below) enabled an employee of a Lookout customer to gain access to the personal information of over 37,000 individuals.

The FTC noted that this was a serious situation indeed, especially since an electronic I-9 solution will routinely collect highly sensitive information, including names, addresses, dates of birth, Social Security numbers, passport numbers, alien registration numbers, driver’s license numbers, and military identification numbers (what I call the “I-9 gold mine”