# Thursday, April 22, 2010

I-9/E-Verify

By: Dave Fowler

 

One of the key lessons to be learned from the State of Minnesota's experience with a Bellaire, Texas-based electronic I-9/E-Verify service provider is that the primary factor in selecting a supplier is data security and not price. Price is a consideration, but data security is the first priority when selecting a supplier to house sensitive data for you and your employees. When it comes to price, the sky is not the limit. The price must be fair for both parties and the vendor needs to be willing to accept responsibility for their actions, should those actions result in a breach. A low price doesn't mean much if your data is not secure.

 

The other key lesson is that corporate security should be involved in the selection of any supplier that will house sensitive data. Make sure your supplier has a proven track record as well as technology, processes, and procedures in place to secure your data. Your corporate security department should discuss this with your supplier and sign off on the supplier before you sign a contract.

 

Sensitive personal data is required to complete a Form I-9 and an E-Verify case. The value of the security your supplier provides should not be compromised for a low price.

 

To support this position, here are some excerpts from the April 21, 2010 article by Sasha Aslanian of Minnesota Public Radio, "Audit critical of state's handling of private data". (In the excerpts below, the supplier's name is removed and clarifications in () are added.)

  • On Wednesday, Nobles (Minnesota's legislative auditor Jim Nobles) published a chronology showing how the state picked a vendor one staffer described as "too good to be true" when it came to price, and signed a contract absolving the vendor of all security risk:

    "The selection of the vendor, the management with the vendor, the agreement with the vendor just never was on solid ground and I think the principle reason is the people doing it just didn't take into consideration data security issues that were involved," he said.

  • In the rush to implement the federal Department of Homeland Security's E-Verify program, state internet technology staff consistently were not adequately involved at the outset or as problems popped up along the way, Nobles found.

  • Chris Buse, the state's chief information security officer, told Nobles he didn't learn about the problems with (the supplier) until well after the fact.

    "The thing that surprised me was that I didn't learn about it from within the organization," Buse said. "I learned about it from the legislative auditor's office. And that was the thing that bothered me about this particular situation is that we need to have better ways to engage the central security office and that's what our 'enterprise incident management standard' really does."

  • From Nobles' reading of the contract, the state didn't protect itself very well.

    "Somebody that's out there running a business, offering the kind of services that (the supplier) was offering, should have provided better security but frankly, they told state up front in their service agreement, in black and white they would not be responsible for state data," Nobles explained. "Even the data that was encrypted. The data that was not public data. They told state in their service agreement that they would not take any responsibility for it, and the state signed the agreement anyway."

We all have an obligation to protect our data and the data of our employees. Your supplier must provide the level of data security your corporate security department requires. A rush to judgement based on price can increase your security risks and may result in a very bad day for you, your company, your employees, and your customers. Look at data security as proactive insurance. Insurance protects you if something bad happens. Data security prevents bad things from happening. Like I tell my kids, don't take unnecessary risks because sooner or later something bad will happen. The same is true when it comes to data security. Don't give up security for a few bucks! In the end, it's just not worth it!

Thursday, April 22, 2010 10:51:51 AM (Central Daylight Time, UTC-05:00)

Copyright © 2012, TALX. All Rights Reserved.