Legislative auditor plans follow-up investigation on data breach

At the capitol Tuesday, legislative auditor Jim Nobles testified about a special review he's begun into the state's dealings with a Texas company hired to do employment verification.

The legislative auditor has been tracking this topic since last year, when his office released a report on why the state was taking so long to comply with Gov. Pawlenty's executive order to check the immigration status and social security numbers of all new hires at state agencies.

After the auditor's report came out in June 2009, the Pawlenty administration finalized a contract with Lookout Services of Bellaire, Texas to do the verification work. But there were problems.

In December 2009, the state had to notify 500 new hires that their personal data -- including social security numbers -- may have been exposed on the company's Web site. The state canceled the service and Lookout Services sued for breach of contract.

Create a More Connected Minnesota

MPR News is your trusted resource for the news you need. With your support, MPR News brings accessible, courageous journalism and authentic conversation to everyone - free of paywalls and barriers. Your gift makes a difference.

Nobles told a joint meeting of the State Government Budget Division and the Committee on State and Local Government Operations and Oversight that he is investigating what state employees knew about Lookout Services' security issues both before and after the contract was signed.

Nobles offered the most precise information to date that Minnesota Management and Budget (MMB), the office which handled the Lookout Services contract, was aware of serious security concerns with the company's data handling practices even after the contract was signed.

"In late October 2009, a state employee being trained on Lookout Services software alleged to a supervisor that Lookout Services' software had a serious security weakness that allowed the employee and potentially others access to private data that they should not be able to see," Nobles said. "MMB was immediately notified of the alleged vulnerability at Lookout Services."

Nobles will investigate what the state did with that information.

Nobles described one of the motivations for doing the follow-up evaluation is to establish standards for hiring private companies, particularly those handling private data.

The auditor's final report is expected this spring.