Security and Not Price Should Drive Vendor Decisions
By: Dave Fowler
One of the key lessons to be learned from the State of Minnesota’s
experience with a Bellaire, Texas-based electronic I-9/E-Verify service provider is
that the primary factor in selecting a supplier is data security and not price. Price
is a consideration, but data security is the first priority when selecting a
supplier to house sensitive data for you and your employees. When it comes to price,
the sky is not the limit. The price must be fair for both parties and the vendor needs
to be willing to accept responsibility for their actions, should those actions result
in a breach. A low price doesn’t mean much if your data is not secure.
The other key lesson is that corporate security should be involved
in the selection of any supplier that will house sensitive data. Make sure your supplier
has a proven track record as well as technology, processes, and procedures in
place to secure your data. Your corporate security department should discuss this
with your supplier and sign off on the supplier before you sign a contract.
Sensitive personal data is required to complete a Form I-9 and
an E-Verify case. The value of the security your supplier provides should not be compromised
for a low price.
To support this position, here are some excerpts from the April 21, 2010
article by Sasha Aslanian of Minnesota Public Radio, “Audit critical of state’s
handling of private data”. (In the excerpts below the supplier’s
name is removed and clarifications in () are added.)
On Wednesday, Nobles (Minnesota’s legislative auditor Jim Nobles) published a
chronology showing how the state picked a vendor one staffer described as “too good
to be true” when it came to price, and signed a contract absolving the vendor of all
“The selection of the vendor, the management with the vendor, the agreement with the
vendor just never was on solid ground and I think the principal reason is the people
doing it just didn’t take into consideration data security issues that were involved,”
In the rush to implement the federal Department of Homeland Security’s E-Verify program,
state internet technology staff consistently were not adequately involved at the outset
or as problems popped up along the way, Nobles found.
Chris Buse, the state’s chief information security officer, told Nobles he didn’t
learn about the problems with (the supplier) until well after the fact.
“The thing that surprised me was that I didn’t learn about it from within the organization,”
Buse said. “I learned about it from the legislative auditor’s office. And that was
the thing that bothered me about this particular situation is that we need to have
better ways to engage the central security office and that’s what our ‘enterprise
incident management standard’ really does.”
From Nobles’ reading of the contract, the state didn’t protect itself very well.
“Somebody that’s out there running a business, offering the kind of services that
(the supplier) was offering, should have provided better security but frankly, they
told state up front in their service agreement, in black and white they would not
be responsible for state data,” Nobles explained. “Even the data that was encrypted.
The data that was not public data. They told state in their service agreement that
they would not take any responsibility for it, and the state signed the agreement
We all have an obligation to protect our data and the data of our employees. Your
supplier must provide the level of data security your corporate security
department requires. A rush to judgement based on price can increase your security
risks and may result in a very bad day for you, your company, your employees, and
your customers. Look at data security as proactive insurance. Insurance protects you
if something bad happens. Data security prevents bad things from happening. Like I tell my
kids, don’t take unnecessary risks because sooner or later something bad will happen.
The same is true when it comes to data security. Don’t give up security
for a few bucks! In the end, it’s just not worth it!
This weblog is sponsored by TALX.