E-Verify Vendor Data Security
Financial Audit Division Report 10-15
Released April 21, 2010
In January 2008, Governor Pawlenty ordered the state to use E-Verify, a federal Web-based system that allows employers to verify whether newly hired employees are eligible to work in the United States. Use of the system requires the transmission of data—such as social security numbers—classified by law as not public.
The Office of the Legislative Auditor (OLA) conducted a special review of data security concerns related to state government’s use of a private vendor, Lookout Services, Inc., to facilitate implementation of E-Verify. Our review focused on the actions of officials and staff in the Department of Employee Relations, which was initially responsible for implementation of
E-Verify, and the Department of Management and Budget, which assumed responsibility for
E-Verify after the departments of Employee Relations and Finance merged.
- The Department of Employee Relations conducted a limited assessment of Lookout Services before signing an agreement with the company to be the state’s E-Verify vendor, and the agreement did not adequately address data security.
- After becoming responsible for implementing E-Verify and the state’s agreement with Lookout Services in June 2008, the Department of Management and Budget left the data security issues unresolved and E-Verify unimplemented for over a year.
- The Department of Management and Budget renewed efforts to implement E-Verify after OLA issued an evaluation report in June 2009, but the department continued to make only limited efforts to obtain additional information about Lookout Services’ ability and willingness to protect Minnesota’s not public E-Verify data.
- The Department of Management and Budget made a limited response when alerted in November 2009 to possible data security problems at Lookout Services.
- The Department of Management and Budget suspended the state’s use of Lookout Services after receiving a second notice in December 2009 that not public data on the company’s web site was not adequately secured. However, the department did not have state information technology staff assess the nature of the problem or the extent of its impact, and its notification letter to people potentially affected by the problem was based on information from Lookout Services.