Auditor: Minnesota DPS stonewalled investigators over data breach, prompting subpoena

The state Department of Public Safety refused to turn over information to investigators related to a 2018 data breach, prompting a subpoena, Minnesota’s legislative auditor revealed Thursday.

Legislative Auditor Jim Nobles said it was the first subpoena he’s had to issue to a state agency in his 35 years as auditor. The breach happened in DPS’s troubled Minnesota Licensing and Registration System, or MNLARS, which inappropriately transferred some Minnesotans’ data to private companies, Nobles said. MNLARS has been plagued over the past year by delays related to vehicle title transfers and the rollout of the REAL ID drivers’ license program.

The dispute wasn’t resolved until then-Gov. Mark Dayton’s office intervened in December, Nobles said. He talked about the dispute publicly for the first time during a meeting of the Legislative Audit Committee on Thursday.

“(DPS) did not comply with the law,” Nobles told reporters. “They did not report what occurred to me, which they were required to under the law. I learned about it from a source. And then when I inquired, I didn’t get a response that I should’ve gotten.”

Bruce Gordon, a DPS spokesman, denied any stonewalling and said the agency was still compiling the information involving its bulk motor vehicle file when the subpoena arrived.

DPS accidentally sent the information of 1,500 Minnesotans who requested their data remain private to three companies, Gordon said. There is no indication that the companies used the information unlawfully, he said.

The department has made changes to the motor vehicle file to ensure that the people’s private information remains that way, Gordon said.

Gordon provided Fox 9 with a copy of a notification letter dated Dec. 28 sent to people affected by the incident. Nobles said it took DPS several weeks after the breach before sending the letters.

“It took a little while, frankly, for the department to acknowledge that it was in fact a data breach and they needed to report and notify the people,” Nobles said.

In an interview, new DPS Commissioner John Harrington said he was unaware of the subpoena until Fox 9 told him about it. Harrington became the commissioner Jan. 7, so both the data breach and subpoena pre-dated his time in the office.

“I want to get some more information on the data breach and what that may or may not have been, and also what the difficulty was in communicating with my office,” Harrington said. “I don’t expect that [a refusal to respond to the legislative auditor] will be repeated under my watch.”

Republicans slammed the MNLARS program after the revelation became public.

“The fact that they’re not giving public information to the legislative auditor should be considered a violation of the public trust,” said state Sen. Michelle Benson, R-Ham Lake. “The employees who are standing in the way of this audit should be more responsive to the legislative auditor, and if they’re not, they should be disciplined.”

Against this backdrop, Nobles said his office will release an unrelated special review of MNLARS as early as late this month. It will outline why the title transfer and drivers’ license delays happened and who was responsible, Nobles said. Asked if people will be troubled by the report’s findings, Nobles said simply, “Yes.”