Audit critical of state's handling of private data

Minnesota's legislative auditor is recommending changes to the way the state selects and manages outside vendors who handle sensitive data for the state.

Auditor Jim Nobles' recommendations stem from his examination of a data security breach at a Texas company hired to verify that new hires are authorized to work in Minnesota.

Nobles spent almost four months picking through the state's troubled history with Bellaire, Texas-based Lookout Services, which was hired by state officials in July 2009. The state was under pressure to comply with Gov. Tim Pawlenty's 2008 executive order to verify all new hires.

On Wednesday, Nobles published a chronology showing how the state picked a vendor one staffer described as "too good to be true" when it came to price, and signed a contract absolving the vendor of all security risk:


"The selection of the vendor, the management with the vendor, the agreement with the vendor just never was on solid ground, and I think the principal reason is the people doing it just didn't take into consideration data security issues that were involved," he said.

In the rush to implement the federal Department of Homeland Security's E-Verify program, state information technology staff were consistently left out, both at the outset and as problems popped up along the way, Nobles found.

Last Oct. 29, a Minnesota State University employee in Mankato attended a Lookout Services training session and alerted her supervisor that she could see names, birth dates and Social Security numbers for employees at other companies. The report went up the chain from her supervisors and ultimately to Minnesota's Management and Budget Office, which held the contract with Lookout Services.

Lookout Services officials convinced the office that the problem was corrected and that the breach had not included state of Minnesota data. On Dec. 2, the same employee told her supervisor the problem was not fixed. A few days later, Minnesota Public Radio found state employees' personal data was visible online without a password. That led the state to cancel the contract with Lookout Services.

Chris Buse, the state's chief information security officer, told Nobles he didn't learn about the problems with Lookout Services until well after the fact.

"The thing that surprised me was that I didn't learn about it from within the organization," Buse said. "I learned about it from the legislative auditor's office. And that was the thing that bothered me about this particular situation is that we need to have better ways to engage the central security office and that's what our 'enterprise incident management standard' really does."

Buse said agencies are now required to notify his office -- the Office of Enterprise Technology -- when such an incident occurs. He supports the auditor's recommendation to involve state technology staff when signing agreements with outside vendors handling sensitive data and to actively monitor them. Buse said those improvements are already underway:

"We always thought the oversight and management of third-party vendors was something that we needed to get a better handle on," he said. "If the report has done anything, it's probably elevated the priority of that in relation to all the other security problems that we have on our plate today."

Nobles' recommendations were also embraced by staff members at the Office of Management and Budget who are eager to move on from the Lookout Services debacle, but it's not so easily swept away. Lookout Services has sued the state for breach of contract.

From Nobles' reading of the contract, the state didn't protect itself very well.

"Somebody that's out there running a business, offering the kind of services that Lookout was offering, should have provided better security, but frankly, they told the state up front in their service agreement, in black and white, they would not be responsible for state data," Nobles explained. "Even the data that was encrypted. The data that was not public data. They told the state in their service agreement that they would not take any responsibility for it, and the state signed the agreement anyway."

The report is silent on what happened to the state employee who first alerted state authorities to the security problems with Lookout Services. Her employer, Minnesota State University-Mankato, declined to comment.

An individual with knowledge of the situation, who asked not to be named, said the employee "received serious discipline for involvement in the matter."