I-9/E-Verify

By: Dave Fowler

A recent Minnesota Public Radio (MPR) news story regarding a security breach at an E-Verify Designated Agent's (DA) website highlights the need for the Department of Homeland Security (DHS) to credential all E-Verify DAs. Such credentialing must confirm, among other things, that the DA is a real company, has security practices and technology in place to prevent unauthorized access to personal data, and delivers software and services that comply with the requirements of E-Verify. The story points out that there are more than 13,000 E-Verify DAs registered with DHS.

In addition to the MPR story, there are a number of other employers that could share their stories of security and compliance issues encountered with E-Verify DAs, their software, and services. Since these stories reflect poorly on E-Verify and those DAs providing secure and compliant services, it is up to the DAs to pressure DHS for a comprehensive DA credentialing program.

DHS is working on a credentialing program to verify that companies enrolling in E-Verify are legitimate. However, there needs to be a more rigorous process for DAs since they provide access to E-Verify for multiple employers. Now is the time for DHS to establish a DA credentialing program before E-Verify becomes required for the roughly 50 million employees hired annually in the United States by over 6 million employers.

Employers currently using or considering an electronic I-9/E-Verify service as well as performing E-Verify queries with a DA should carefully evaluate the security practices, procedures, and safeguards of the DA. At a minimum, DAs should be required to complete a security audit for the employer, provide privacy and security statements on their websites, and maintain a SAS 70 Type II certification. Employers should think long and hard about security before deciding to use or continue to use a DA that does not at least meet these minimum requirements or does not comply with the employer's corporate security standards.

NEW INFORMATION POST - December 14, 2009

The subject of the MPR report referred to above has responded by posting information on their website. There is also a follow-up story published on The Minnesota Independent website.

NEW INFORMATION POST - December 15, 2009

The subject of the MPR report filed suit against The State of Minnesota on December 10, 2009, but did not inform The State of Minnesota at the time the lawsuit was filed.

Word has spread and more stories and opinions are being posted such as:

http://maryturck.wordpress.com/2009/12/15/texas-firm-screwed-up-so-it-sues-minnesota/

http://www.zecurion.com/server-software-blog/2009/12/minnesota-employee-data-exposed-by-lookout-services/

http://www.secretsofthecity.com/mnspeak/how-dare-a-journalist-use-website-data

http://www.databreaches.net/?p=8844

http://www.databreaches.net/?p=8855

NEW INFORMATION POST - December 17, 2009

The saga continues. It is interesting that there are 13,649 E-Verify Designated Agents (DAs) and not one of them has been credentialed by DHS. As the number of DAs grows without any DHS credentialing process so does the potential that employee data will be compromised.

http://www.chron.com/disp/story.mpl/business/6774164.html

NEW INFORMATION POST - December 18, 2009

Others in Minnesota continue to weigh in on the importance of making sure an E-Verify Designated Agent has sufficient security safeguards in place to protect employee data. Minnesota State Legislative Auditor Jim Nobles raised 'significant concerns' in a June report about an E-Verify Designated Agent's ability to protect employee data. The company won the contract and now Nobles wants to determine if Minnesota officials were satisfied that the company had addressed those issues before the state signed a deal with the company in July. He also wants to know if state officials adequately responded in October to complaints that employee information -- including names, dates of birth and Social Security numbers -- was still at risk. The full text of the article that was the source of the information above can be found at:

http://minnesota.publicradio.org/display/web/2009/12/17/lookout-folo/

It seems employers would benefit greatly if DHS would credential every E-Verify Designated Agent (DA) to make sure security and privacy are properly addressed before certifying a company as an E-Verify Designated Agent. DHS should also publish the list of certified DAs on the DHS website.