Comprehensive Security for Identity Protection

Our solution utilizes two-factor authentication to protect member accounts. Members must provide a one-time verification code when logging in, which is sent to them via text, email or phone. This additional verification step makes it harder for would-be attackers to access a member’s account. Learn more about two-factor authentication here.

We operate a risk-based information systems security management program that uses industry standards and best practices to protect member data, such as:

• Administrative and technical controls include those outlined in PCI DSS v3.2 requirements and ISO 27002 security techniques. 

• Sensitive personally identifiable information (PII) is encrypted using the AES 256-bit encryption algorithm.

Your personal information remains in our system after the account cancellation to facilitate fast, easy account reactivation if needed (e.g. you receive a breach notification or are the victim of a scam). 

Details of the related privacy policies are available at this page for Sontiq, a TransUnion company, which manages our identity protection solutions. 

Our responsibility is to protect member data from unauthorized access, and we take that responsibility seriously. Here are some of the regulations, standards, and/or laws with which IdentityForce is required to comply:

• Payment Card Industry Data Security Standards (PCI DSS): Industry requirements put forth by the card brands & acquirer banks to safeguard cardholder data. We completed an independent audit for PCI Level 1 in July 2018.
• Sarbanes-Oxley Act (SOX): Security of information supporting internal control structures for financial reporting. Although primarily for public companies, several provisions of the Act also apply to privately held companies; for example, the willful destruction of evidence to impede a Federal investigation.
• Statement on Standards for Attestation Engagements (SSAE) 16: An auditing standard for service organizations, superseding SAS 70. The latter’s “service auditor’s examination” is replaced by a “Service Organization Controls” (SOC) report. We completed an independent audit for SOC2 Level 2 in July 2018.
• State Data Privacy/Breach Notification Laws: Legislation requiring organizations to notify individuals or entities when there are breaches involving personal information. A current list of state laws is maintained here. We are based in Massachusetts, where the appropriate regulation is 201 Code of Massachusetts Regulations 17.00 et seq: “Standards for The Protection of Personal Information of Residents of the Commonwealth.” Additionally, we are required to conform to state laws wherever we have members.