Coleman campaign may have violated law in database breach
Thursday, March 12, 2009 at 12:44 pm
The campaign of former Sen. Norm Coleman has alerted donors that a database containing personal data, including credit card numbers, has been circulating on the Internet.
Minnesota has a number of consumer protection laws that govern the use of personal information, which has raised questions about whether the Coleman campaign has violated state law.
Coleman attorney Fritz Knaak told AP yesterday that he’s confident the campaign complied with the law. But concerns have surfaced particularly about when the campaign notified those whose data had been exposed and what credit card information it kept on its database.
According to the Coleman campaign’s newly posted FAQ about the database breach, the campaign knew or at least suspected that the data had been exposed in January.
“We had reason to believe that someone had illegally accessed our website in late January,” the FAQ states. “At that time we immediately notified the Secret Service. They conducted an initial forensics review of our server and concluded that there was no evidence that any private or confidential information had been downloaded.”
Minnesota statute says that when “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person,” it must be disclosed “in the most expedient time possible and without unreasonable delay” to the people whose data was acquired.
Hamline University law professor David Schultz says not alerting the donors in January could have been illegal.
“[Coleman's] campaign potentially violated state law by not promptly notifying card holders of the disclosure of their card info,” Schultz told Talking Points Memo. “Assume the campaign did suffer a breach in security, his campaign faces fines under state law and it is possible a card holder could sue the campaign for any damages. It would be hard for the donors to sue Coleman personally and prevail.”
Coleman’s campaign also retained the verification codes listed on the backs of donors’ credit cards, according to the database. The FAQ also notes, “The only information … made public so far [from the leaked version of the database] are the last four digits of individual’s cards and the security code on the card.” Under a law passed in 2007, retaining those numbers is prohibited:
“No person or entity conducting business in Minnesota… shall retain the card security code data, the PIN verification code data, or the full contents of any track of magnetic stripe data,” says state statute 325E.64. “A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction.”
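The retention rule above is easy to state and easy to violate: after the card issuer has authorized a transaction, the security code, PIN data and track data must be gone, and the full card number should not sit in a donor list either. The following is an added example, not code from the article or from the Coleman campaign, showing the two defender-side routines a campaign or merchant would want: a sanitizer that reduces a donation form to what may be stored after authorization, and an audit that scans an existing export for data that should not be there. Field names, the Luhn checksum used to tell a real card number from other long digit strings, and the sample records are all constructed for the example.

```python
"""
Added example (not the article's or the campaign's code): retention hygiene
for card data along the lines of Minn. Stat. 325E.64 and PCI DSS.
Field names and sample data are constructed for illustration.
"""
import re
from typing import Iterable

# Field names that must not survive authorization (assumed naming; adjust to your schema).
PROHIBITED_FIELDS = {
    "cvv", "cvv2", "cvc", "security_code",       # card security code
    "pin", "pin_block",                          # PIN verification data
    "track1", "track2", "track_data",            # magnetic stripe contents
}

# Bare run of 13-19 digits: the length range of payment card numbers.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that card numbers carry.
    Other long numbers (confirmation ids, timestamps) usually fail it, which keeps
    the audit below from flagging every 16-digit value it sees."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sanitize_for_storage(form: dict) -> dict:
    """Reduce a donation form submission to what may be kept after authorization.
    The full card number is replaced by its last four digits; CVV, PIN and track
    fields are dropped outright rather than blanked, so they cannot be re-populated."""
    stored = {}
    for key, value in form.items():
        k = key.lower()
        if k in PROHIBITED_FIELDS:
            continue
        if k in ("card_number", "pan"):
            digits = re.sub(r"\D", "", str(value))   # strip spaces/dashes first
            stored["card_last4"] = digits[-4:]
            continue
        stored[key] = value
    return stored


def audit_records(records: Iterable[dict]) -> list[str]:
    """Scan stored records (a DB export, a CSV dump) and report prohibited retention:
    a non-empty security-code/PIN/track field, or any value holding a Luhn-valid
    full card number. Returns human-readable findings, one per problem."""
    findings = []
    for idx, rec in enumerate(records):
        for key, value in rec.items():
            text = str(value)
            if key.lower() in PROHIBITED_FIELDS and text.strip():
                findings.append(f"record {idx}: prohibited field '{key}' retained")
            for candidate in PAN_RE.findall(text):
                if luhn_valid(candidate):
                    findings.append(
                        f"record {idx}: field '{key}' holds a full card number ending {candidate[-4:]}"
                    )
    return findings


# Constructed sample export (fake donors, industry test card numbers, no real data).
SAMPLE_EXPORT = [
    {"donor": "A. Donor", "card_number": "4111111111111111", "cvv": "123", "amount": "50.00"},
    {"donor": "B. Donor", "card_last4": "4444", "cvv": "", "amount": "100.00"},
    {"donor": "C. Donor", "card_last4": "1881", "confirmation": "1234567890123456", "amount": "25.00"},
]

if __name__ == "__main__":
    form = {"donor": "A. Donor", "card_number": "4111 1111 1111 1111", "cvv": "123",
            "expiry": "12/27", "amount": "50.00"}
    print("stored record:", sanitize_for_storage(form))
    for finding in audit_records(SAMPLE_EXPORT):
        print("AUDIT:", finding)
```

Run against the constructed export, the audit flags record 0 twice (a retained CVV and a full card number) and says nothing about the 16-digit confirmation id in record 2, because it fails the Luhn check. The sanitizer never writes the CVV at all; that is the property the statute and the card brands want, since a security code that is stored next to the card number proves nothing about who holds the card.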
Jay Lim, a spokesman for Wikileaks, told the AP yesterday, “Coleman should not have kept this information” and that “his team should not have released the information out onto the open Internet for anyone to download.”
“[Coleman] should have informed those concerned,” Lim said. “We shouldn’t have had to do it for him.”
7 Comments
Comment posted March 12, 2009 @ 2:33 pm
As well as being a violation of law, isn’t it also a violation of the agreement w/ the credit card company to retain those security codes?
Comment posted March 12, 2009 @ 3:02 pm
I wonder how many other businesses retain the security codes. The codes are totally worthless as an additional layer of security if they are stored right along with the card numbers. Hopefully there are consequences for this.
Comment posted March 12, 2009 @ 3:56 pm
Yes, storing the card security code/CVV number is not only against Minnesota Statutes, it’s also against the Payment Card Industry Data Security Standards, which the Coleman campaign would have to agree to in order to accept cards. They are liable under Minnesota law for any costs associated with the replacement of the cards, and further liable for any civil suits for anyone who had their information published by the Coleman campaign. Any of the four major companies could discontinue their agreements with the campaign and impose fines for what they did.
It’s one thing if there’s encrypted card numbers and expiration dates and it gets out, it’s another thing if they’re unencrypted, but it’s absolutely ridiculous that they even stored the CVV codes, encrypted or not! That is a disgusting violation of the security of donor credit cards, and there’s absolutely no reason the campaign should have done it.
It sounds like Coleman donors are starting to understand that this wasn’t political and it’s not vicious. It’s about their financial security. Coleman failed to notify donors for over a month, and there have been many blog comments from donors that have actually had to cancel their card already due to unauthorized transactions appearing on their accounts. It was only a matter of time before the major card issuers, Visa especially, would connect the dots and realize that all of these unauthorized transactions have something in common: the cardholders all donated to Coleman!
Coleman attorney Fritz Knaak is really confused if he doesn’t understand what his campaign has done and will likely pay for.
Comment posted March 13, 2009 @ 9:36 am
I expect that Fritz Knaak will see to it that Coleman spends as much time in jail as the law allows. Maybe Normy can bunk with whoever Knaak says “hacked” into the site.
Pingback posted March 13, 2009 @ 10:17 am
[...] its own promise to donors not to store their credit card numbers; the Coleman campaign probably violated MN law by not notifying donors of the security lapse back in [...]
Comment posted March 13, 2009 @ 11:45 am
Well;…. DUH!!!!! I doubt though it carries the weight of HIPAA or SOX compliance though. So maybe the only outcome from this *might* be the termination of the head of IT for his campaign. Big deal. Given all the hyped stories about who done what, when, especially the finger pointing at Coleman saying this was all fabricated, who is working to “forensically” break this down including a time line, so that if there could be a suit, it happens?? No matter who is responsible, posting of names and credit card numbers and such online should be a felony.
Pingback posted March 13, 2009 @ 11:54 pm
[...] funnelling money to his wife’s company. Further, Coleman now faces a possible legal battle over whether his campaign broke the law when they did not inform Coleman donors of the possible breach in online security (due to the [...]