Protect What Matters Most.

Security Features


Our reputation for advanced security is largely why we’ve been trusted by millions of customers for nearly 40 years, have an A+ rating from the Better Business Bureau, and are a preferred partner for the U.S. government and healthcare agencies.

We utilize two-factor authentication, requiring members to provide a verification code when they first log in. IdentityForce sends that code via text, email, or phone, making it much harder for hackers to access your account. Learn more about two-factor authentication here.

TopTenReviews explicitly highlighted that IdentityForce uses “the best data system protection that an ID monitoring service can use for its networks.”

We operate a risk-based information systems security management program that implements industry-standard best practices for protecting member data.

  • Administrative & technical controls include those outlined in PCI DSS v3.2 requirements and ISO 27002 security techniques.
  • Sensitive PII is encrypted with the AES symmetric encryption algorithm using 256-bit keys.
  • Custom master keys are created for all encrypted volumes and any snapshots created from them.

A member’s personal information remains in our system after account cancellation to facilitate account reactivation. If a user requests to be removed from the system, their information is purged from the database after 180 days.

Our responsibility is to protect member data from unauthorized access, and we take that responsibility seriously. Here are some of the regulations, standards, and/or laws with which IdentityForce is required to comply:

  • Payment Card Industry Data Security Standards (PCI DSS): Industry requirements put forth by the card brands & acquirer banks to safeguard cardholder data. We completed an independent audit for PCI Level 1 in July 2017.
  • Sarbanes-Oxley Act (SOX): Security of information supporting internal control structures for financial reporting. Although primarily for public companies, several provisions of the Act also apply to privately held companies; for example, the willful destruction of evidence to impede a Federal investigation.
  • Statement on Standards for Attestation Engagements (SSAE) 16: An auditing standard for service organizations, superseding SAS 70. The latter’s “service auditor’s examination” is replaced by a “Service Organization Controls” (SOC) report. We completed an independent audit for SOC2 Level 2 in July 2017.
  • State Data Privacy/Breach Notification Laws: Legislation requiring organizations to notify individuals or entities when there are breaches involving personal information. A current list of state laws is maintained here. We are based in Massachusetts, where the appropriate regulation is 201 Code of Massachusetts Regulations 17.00 et seq: “Standards for The Protection of Personal Information of Residents of the Commonwealth.” Additionally, we are required to conform to state laws wherever we have members.