Electronic I-9s: Two Electronic I-9 Providers Settle with FTC After Allegations of Failing to Prote
To employers who keep asking us whether to use electronic I-9s, I continue to say: NOT YET (even though I look forward to no paper in the future). While many vendors offer electronic I-9s, and many employers are interested in reducing their I-9 headaches, there is still no "gold standard" that is safe to use. To support my point, today, May 5, 2011, the Federal Trade Commission announced settlements with two major providers of electronic I-9s, Ceridian Corporation and Lookout Services, using some very harsh words to describe the alleged federal violations, such as failure by these providers to safeguard the privacy of thousands of workers. The FTC said that sensitive information on nearly 65,000 employees was compromised. The FTC said that both companies failed to employ reasonable and appropriate security measures to protect the data, in violation of federal law.
"According to the FTC’s complaint against Ceridian, a provider to businesses of payroll and other human resource services, the company claimed, among other things, that it maintained “Worry-free Safety and Reliability . . . Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.” However, the complaint alleges that Ceridian’s security was inadequate. Among other things, the company did not adequately protect its network from reasonably foreseeable attacks and stored personal information in clear, readable text indefinitely on its network without a business need. These security lapses enabled an intruder to breach one of Ceridian’s web-based payroll processing applications in December 2009, and compromise the personal information – including Social Security numbers and direct deposit information – of approximately 28,000 employees of Ceridian’s small business customers.
The other company, Lookout Services, Inc., markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security Numbers. According to the FTC’s complaint against Lookout, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.
The settlement orders bar misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers. They require the companies to implement a comprehensive information security program and to obtain independent, third party security audits every other year for 20 years." FTC Press Release, May 5, 2011
Related stories: we have previously covered ICE imposing a $1 million fine on Abercrombie and Fitch for imperfect electronic I-9s, and the electronic I-9 regulation promulgated by ICE in 2010.
Mira Mdivani Corporate Immigration Attorney President, Corporate Immigration Compliance Institute 913.317.6200