In order to provide extra protection of PII leaving CompactConnect to a state system, we should add a second authentication factor, such as requiring a client HMAC request signature with public/private keys, or mutual TLS: some sort of factor that would require an attacker to compromise a second independent secret from the state system before they can successfully extract private data. We should work with state stakeholders to agree on a single mechanism that is suitable for all states that wish to sync private data to their systems.