A Closer Look at the Minnesota I-9 Security Breach

The Office of the Legislative Auditor (OLA) of Minnesota recently issued a scathing report of data security concerns related to the State’s use of a private I-9/E-Verify vendor, Lookout Services, Inc., following last year’s highly publicized I-9 data breach. While the review was mostly critical of the Minnesota officials in charge of choosing Lookout Services, it does highlight some very important considerations that all employers should heed before choosing an electronic I-9 and E-Verify vendor.

A Brief Recap of Events

In October 2009, an employee of the Minnesota State Colleges and Universities system noticed what appeared to be real (and confidential) data during a training session of the Lookout I-9 system. The employee reported what had occurred to her supervisor, and it was escalated up the chain. A program manager contacted the I-9 vendor and was assured that it was simply test data. No further assessment was made. In November 2009, the same employee who witnessed the data, performed a standard Google search of Lookout Services, and discovered a web link which seemingly allowed her to view unprotected (and real) I-9 data. Again, this was escalated within the department, but officials merely noted that the revealed data did not appear to belong to Minnesota State employees. Shortly thereafter, a reporter from Minnesota Public Radio contacted the department about the data security hole and was able to provide them with confidential I-9 data on an employee in the Governor’s office. On that same day, the department directed Lookout Services to delete all State of Minnesota government data and directed state agencies to stop using Lookout Services. In response, Lookout Services filed a lawsuit against the State of Minnesota, citing eight causes of action, including breach of contract and various violations of federal laws involving unauthorized intrusions (“hacking”) into electronic data systems.

Auditor’s Findings

As part of the investigation, OLA requested that the Office of Enterprise Technology conduct a forensic examination, which revealed that the I-9 data on Lookout Services’ Web site had been accessed from the state computer using a normal Web browser. In other words, contrary to Lookout Services’ allegations, there was no evidence of “hacking” into the system. OLA deemed this a significant data security breach, which was exacerbated by the State’s lack of a formal and sufficient I-9 vendor review process. What follows are three major areas of concern in choosing an electronic I-9 vendor and general recommendations to avoid a potentially serious data breach.

1. Pricing

According to state officials interviewed by OLA, price was the deciding factor in the Department’s  choice of Lookout Services, primarily because there was no established budget for E-Verify services. According to the report, Lookout Services proposed a price which was four to five times lower than other vendors, and also was willing to waive its “set-up fee.” When asked why Lookout Services was willing to price its services so much lower than other vendors, one of the department program managers mentioned it was because E-Verify was just a “sideline” business of the owners’ immigration law firm. Recommendation: Given the highly confidential nature of I-9 data and the need for robust security, employers should consider the old adage that “you get what you pay for” and be sure to weigh the costs of a system versus the potential costs of a breach.

2. Minimal Security Review

The auditors found that the department did not conduct a formal assessment of the data security risks involved in using an E-Verify vendor and did not conduct an independent security review of Lookout Services. In fact, evidence shows that the information technology staff was “swamped” with other projects and thus was involved only in reviewing security related documents. Moreover, these documents were basically “advertising” materials, which tend to be heavy on promises and light on details. Later in the process, department officials focused on obtaining more information about Adhost, the data storage company, but this only consisted of an audit report which lacked specificity regarding whether any security controls were in place. Recommendation: employers should always assess the security risks of housing their confidential and protected I-9 data with an electronic vendor and ascertain how those risks will be addressed. To the extent possible, information security specialists should be fully involved in the process of identifying, selecting, contracting and monitoring the performance of the vendor.

3. Lack of Data Security Provisions

To make matters worse, the State signed Lookout Services’ “Standard Service Agreement,” without any security-related additions, amendments, or restrictions regarding the role of the data storage company and how security breaches would be handled. Later, the agreement was amended to require Lookout Services to protect Minnesota’s “confidential information” but there was no mention of an obligation to protect encrypted data provided by the State of Minnesota. Recommendation: Once you have decided to proceed with a particular I-9 vendor, it’s important to carefully review the sofware license agreement to ensure it addresses all of your security concerns identified above.