Legislative auditor to investigate use of company at center of security concerns
by Sasha Aslanian, Minnesota Public Radio
St. Paul, Minn. — A state auditor wants to know if Minnesota officials adequately addressed whether a Texas firm hired to verify the identities of new employees had sufficient security safeguards.
State Legislative Auditor Jim Nobles said a report by his office in June raised "significant concerns" about the ability of Lookout Services of Bellaire, Texas, to protect employee data. But the company won the contract anyway after Gov. Tim Pawlenty's office ordered state agencies to begin verifying the identities of new employees.
Nobles wants to determine if Minnesota officials were satisfied that the company had addressed those issues before the state signed a deal with the company in July. He also wants to know if state officials adequately responded in October to complaints that employee information -- including names, dates of birth and Social Security numbers -- was still at risk.
"We want to know whether after entering into a contract the Department of Management and Budget received any alerts from state employees or others concerning security problems at this company and if so, did the department adequately address them," Nobles said.
MPR News reported last week that it was able to access state employee data on the Lookout Services Web site without using a password or encryption software.
The state of Minnesota has directed all of its agencies to stop using Lookout Services to verify that new hires are authorized to work in the United States. Officials also notified some 500 employees that their information may have been easily viewed on the company's Web site.
Lookout Services filed suit late last week against Minnesota officials, claiming breach of contract. The company and state officials both confirm a security breach in October, but that one apparently did not involve state employees' data.
Nearly nine months ago, Nobles' office learned that some state employees were concerned about the security of employees' data before the state finalized its contract with Lookout Services.
In a 51-page report published in June, the Auditor's office looked into the state's slow implementation of E-verify, an online tool created by the federal Department of Homeland Security to confirm employees' Social Security numbers and immigration status.
E-verify is optional in Minnesota, but in January of 2008, Pawlenty signed an executive order requiring the state to use E-verify to screen all new hires in the executive branch, and employees of large vendors and contractors doing business with the state.
Minnesota did not have to use a vendor like Lookout Services, one of more than 13,000 designated agents working with the federal department. The state could have entered employees' data directly into the federal government site. But the Office of Management and Budget, which handles human resources work for the state, chose the company to be the middleman for the data.
The state's decision to use a contractor raised concerns among some of the state's information technology professionals.
In March, Deborah Junod, the legislative auditor's lead investigator for the E-verify report, asked management and budget staffers why it was taking so long to get E-verify up and running. She learned security was the sticking point.
"They told us at the time that they had not yet implemented the Governor's executive order and they told us the primary reason for that was they had identified a vendor but still had continuing concerns about whether that vendor's information systems would adequately protect private data of state employees," Junod said. "And I was told that that contract would not move forward until they were sure that the vendor would meet Minnesota standards regarding information security."
Documents show the vendor in question was Lookout Services.
Junod says she was surprised when less than a month after her report was published, the state signed a two-year contract with the company.
"To me the timing was awfully fast between when they told us there were these significant security concerns and when they turned around and signed the contract -- you know after we released the report and the governor was criticized for the delays in implementing," she said.
A call from the governor's office may have pushed things along.
The governor's office confirms that following the auditor's report, it informed management and budget officials that the governor's executive order needed to be followed "immediately." Deputy Chief of Staff Brian McClung declined to say who made the call.
Administrators in the Office of Management and Budget could not comment because Lookout Services has sued the state.
Lookout Services released a statement on Monday saying it "will aggressively seek prosecution of those responsible" for the "illegal disclosure of client information."
When asked for comment on the legislative auditor's inquiry, Lookout Services CEO Elaine Morley replied via email, "We have not been informed of any such inquiry and have no further comment at this time."
Nobles called the potential exposure of employees' personal data a serious matter. Because his office picked up on security concerns early on, he wants to make sure the state fulfilled its responsibilities.
"This potentially is a manifestation, and a realization about what some of the people in state government were concerned about, and they expressed those concerns to us back in March," he said.
Nobles expects to publish a report of his findings early next year.
(MPR's Tom Scheck contributed to this report.)