Lawmakers holding hearing on state's verification problems
At the state Capitol Tuesday, lawmakers will have their first chance to ask questions about the state's employment verification problems and Lookout Services, a Texas contractor hired by the state to check the immigration status of new hires.
MPR News reported last month a Texas contractor, hired by the state to check the immigration status of new hires, may have left the personal data of 500 state employees unsecured on its Web site. The state cancelled the contract with Lookout Services, and the company responded by suing for breach of contract.
The legislative auditor, Jim Nobles, is looking into the state's selection of the company. He'll testify at Tuesday's hearing.
State Sen. Ann Rest, a Democrat from New Hope, said she asked for an update on the Lookout Services E-verify matter before the Committee on State and Local Government Operations and Oversight which she chairs. Rest said she wants to know how the lawsuit is progressing and what additional steps the state has taken to protect employees' data.
Create a More Connected Minnesota
MPR News is your trusted resource for the news you need. With your support, MPR News brings accessible, courageous journalism and authentic conversation to everyone - free of paywalls and barriers. Your gift makes a difference.
"We know just across the country, we hear regularly of security info being breached and we want to make sure that to the extent we can, that does not happen in Minnesota and make sure we do really due diligence to make sure vendors and contractors we hire respect the high standard that we set," Rest said.
"[We want] to make sure we do really due diligence to make sure vendors and contractors we hire respect the high standard that we set."
Rest said she had not seen a copy of the lawsuit yet and Curt Yoakum, spokesman with the state's Management and Budget office, said the state has not been served.
Lookout Services CEO Elaine Morley wrote in an email to MPR: "Lookout Services is fully cooperating with the legislative auditor's examination. The lawsuit has been filed in Texas. We continue to gather information relevant to the case and will proceed accordingly in a timely manner. There is a four-year statute of limitations for this type of case."
The complaint posted on the Harris County, Texas court Web site, alleges defendants in Minnesota -- it doesn't say who -- accessed proprietary information on Lookout Services' web site and told others, including the media. Lookout Services demands the state pay damages to the company, compensation for the "pain and suffering and mental anguish of its employees" and cover its attorney fees.
CEO Morley is an attorney and her firm, Morley and Morley brought the lawsuit. The company has 12 employees and reported $900,000 worth of sales in 2008, according to Dun & Bradstreet, a provider of commercial information and insight on businesses. A company representative said it has between 50 and 100 clients.
Minnesota's involvement with Lookout Services began in early 2008 when the state considered bids from four companies to do its verification work. The companies would run information for new hires through the Department of Homeland Security's E-verify system to check their social security numbers and immigration status known by the system.
In a letter to the legislative auditor last year, Laurie Hansen, manager of the state's human resources division, explained Lookout Services stood out among four bidders because it could "deliver both an interactive collection process for I-9 data and also because they had excellent pricing." Hansen can't comment because of the lawsuit.
MPR obtained the bids from the state and showed them to computer security consultant Mark Feferman. He works in computer security and consults for small businesses on computer security issues.
"Lookout Services' bids were incredibly low which leads me to believe that that is a tactic they use in terms of underbidding to capture the work," Feferman said.
Feferman is based in Houston, but has no affiliation with Lookout Services or any of its competitors. He acknowledges having friends who worked for the company in the past.
At MPR's request, Feferman analyzed the bids. Only one company went into any detail about data security and that wasn't Lookout Services.
"Lookout Services had no mention as far as I could see of security in their bid," he said. "I thought that was kind of odd given the sensitivity of the data that they were handling."
State IT employees did have concerns about Lookout Services' ability to transmit and store private data securely. Those problems were flagged in a legislative auditor's report last June and the state signed the contract with Lookout Services in July. In October, the company experienced a breach.
In reviewing the situation, Mark Feferman said it sounds like the failure may have resulted from Lookout Services improperly securing the Web environment around the data.
"You can write the most secure code in the world and use encryption and all of that sort of stuff, but if somebody doesn't configure the Web server that the code is running on properly, then it doesn't matter how secure the software is because I can always circumvent that because the environment that the software is running in was not protected and that sounds exactly like what happened here," he said.
Lookout Services told MPR in December it fixed the problem, and then quickly sued the state. Lookout Services has been involved in a number of lawsuits.
Harris County court files show Lookout Services has filed five civil lawsuits alleging fraud and breach of contract in the past two years, mostly against former employees including a former CFO and its first software developer. MPR News contacted four former employees named in the various suits. None of them would talk, citing renewed fear of litigation.
John Andersen, Lookout's first software developer sued the company in 2006 for $20,000 in back pay. The company responded by suing Andersen for fraud. In its case, Lookout Services lays out its struggle with computer security.
In the lawsuit, the company describes how it installed software behind the firewall of an unnamed major retailer: "...from the moment of installation and for a period of nine months thereafter, the retailer notified Plaintiff Lookout daily of hundreds of software 'bugs.'"
According to the document, an expert hired by Lookout Services said the company's software was little more than a "high school project."
When asked about any connection between the security problems outlined in the suit against Andersen and what happened in Minnesota last fall, Lookout Services CEO Elaine Morley sent a statement via email that the company had "entered into a confidentiality agreement with Mr. Andersen as a condition of the dismissal of the suit and cannot comment further in that regard."
At the state capitol Tuesday, legislators will try to see what options the state has. For the time being, the state is using the Department of Homeland Security's E-verify system, eliminating the need for a middleman like Lookout Services.
All told, the state paid $765 to Lookout Services.