The Federal Trade Commission (FTC) has reached an agreement with Electronic I-9 and E-Verify vendor, Lookout Services, Inc., to resolve charges that the company failed to employ reasonable and appropriate security measures to protect the I-9 data of their customers’ employees following the company’s highly publicized data breach in late 2009. Under the agreement, Lookout must implement a comprehensive information security program and obtain independent, third party security audits every other year for the next 20 years. The settlement sheds light on the potential hazards of storing sensitive I-9 information in an unprotected manner online. Proper data security involves a core set of principles and practices encompassing such topics as user authentication, access control, encryption, intrusion detection, and security management in general. Employers should always involve their IT security specialists at the beginning of the selection process to perform a detailed analysis of the vendor’s systems and processes, as well as manual and automated penetration tests which gauge the effectiveness of the vendor’s defenses against hacking attempts.