Coleman Web site dropped promise not to store donors’ credit card data
Thursday, March 12, 2009 at 4:54 pm
As recently as last year, Norm Coleman promised campaign donors his Web site would not store their credit card numbers. That was then. The Coleman Web site’s “Privacy Policy” now promises only to encrypt contributors’ data “during the transfer process.” The old policy — or even a sensible system of encrypting data and storing it away from Internet-accessible areas — would have prevented the recent breach of private data for thousands of his donors.
UPDATE after the jump.
This is what the Coleman privacy policy used to say: “We do not retain records of contributors’ credit card numbers.” But, as the current policy states: “We reserve the right to change this privacy policy at any time …”
UPDATE: The change in Coleman’s policy regarding the storage of donors’ credit card data appears to have occurred sometime between January 23, 2008 and (thanks to a tipster for this) February 11, 2008. DataBreaches.net notes that the earliest entry in Coleman’s leaked donor database is from March 19, 2008. So the leaked database apparently includes entries made only after Coleman dropped the no-data-saving policy.
Here is the full text from the Coleman for Senate privacy policy from January 23, 2008:
Security
The servers that house ColemanForSenate.com are maintained in a manner that safeguards the information in our databases effectively.
Contributions
In particular, when you contribute online at ColemanForSenate.com, the transaction is processed using encrypted code on a secure donation site, on a secure and dedicated web server. The personal information that is requested is the same that we would request for donating through the mail. We do not retain records of contributors’ credit card numbers.
Personal Information
Unless you voluntarily provide us with any personal information, such as your e-mail address, this site does not collect personal information about you without your knowledge. When you visit our site, we collect the following information: The name of the domain from which you access the Internet (for example, aol.com, if you are connecting from an America Online account). The date and time you access our site. The Internet address of the web site from which you linked directly to our site or the Internet address of the computer used to link to our site. This information is used for Site Management purposes only.
NOTICE: Unless you choose to provide such information, we do not collect or maintain personal information about you when you visit our site. If you send us an e-mail message or complete a web form containing personal information, we collect and store the personal information which you choose to provide, such as your mailing address, e-mail address and the content of any request for information or any comments you may have.
Use of Information
If you choose to provide any personal information, such as your mailing address or phone number, we may use that information to contact you.
Here’s the full text from the current Coleman for Senate Web site “Privacy Policy” page:
Privacy Policy
We at ColemanforSenate.com are committed to protecting your privacy and personal information. Below you will find our online privacy policy. If you have questions about this policy, please let us know.
Personal Information
This website does not collect any personal or identifiable information about you, such as an e-mail address, unless you voluntarily provide us with that information. When you visit ColemanforSenate.com, we collect generic information that allows us to improve the value of this website. The website collects information such as which website linked you directly to this website, the date and time visits occur, the name of the domain from which you accessed this website (such as Comcast.com, or Aol.com if you use those services), and which web pages visitors view. This information is used for site management only.
If you voluntarily choose to provide personal information through this website (such as a mailing address, e-mail address, name, or phone number), this information will be safeguarded as outlined below and may be used to contact you.
The Federal Election Commission requires us to collect particular information from every donor who gives us money. For this reason, we collect information that can be directly tied to a particular person. The information required includes Names, addresses, telephone numbers, and e-mail addresses and any changes that may occur to the law. This information is only given to those who require this information.
Newsletter
The ColemanforSenate.com website provides an e-mail newsletter to those interested in staying updated on the campaign. This newsletter is only sent to those who voluntarily sign up to receive it. People who receive the newsletter may opt out of the newsletter at any time via the website.
Text Messaging
The ColemanforSenate.com website provides updates via text messages to those interested in staying updated on the campaign. The text messages are only sent to those who voluntarily sign up to receive them. People who receive these text messages may opt out of the service at any time via the website.
External Sites
ColemanforSenate.com may link to other websites and blogs that we do not control and you will have to review their own privacy policies as we are not responsible for them.
Use of Cookies
Cookies are used to personalize the site and enhance your experience with it. A cookie is a very small text file placed on your computer. Cookies do not contain any personal information about you. You can opt out of our use of cookies by disabling cookies in your browser settings.
Security
In order to protect information collected by this website, we use commercially reasonable tools and techniques to safeguard against unauthorized intrusions. Our servers are located in secure locations where a very limited number of people have access to them. The data stored on the servers is restricted to only those who have a reasonable need to have the data.
When transacting credit card information, we protect your information during the transfer process by using Secure Sockets Layer (SSL) software, which digitally encrypts information you enter.
Policy
We reserve the right to change this privacy policy at any time but the most current privacy policy will always be posted on the website or you can contact us and request one.
7 Comments
Comment posted March 12, 2009 @ 6:11 pm
What good is a policy if it’s not followed? Reminds me of the “we don’t torture” Bush administration.
Comment posted March 12, 2009 @ 6:27 pm
The FTC might want to have a word with Normie. He appears to have been engaged in unfair and deceptive marketing practices per Title V of the FTC Act.
Comment posted March 12, 2009 @ 8:57 pm
The only way to get the FTC involved is for someone to step up and file a complaint.
Comment posted March 12, 2009 @ 10:03 pm
Looks like someone got started with just that: http://file.sunshinepress.org:54445/coleman-webster-ag-2009.pdf
Pingback posted March 13, 2009 @ 10:15 am
[...] card numbers and security codes out on the internet for anyone to scoop up; the Coleman campaign violated its own promise to donors not to store their credit card numbers; the Coleman campaign probably violated MN law by not [...]
Comment posted March 14, 2009 @ 1:42 pm
Let’s ignore the Coleman instance for a second and consider the potentially bigger problem.
There are some important questions that need to be asked:
What company did Coleman hire to collect his donations?
Did that company perform similar work for others?
If so, does that company maintain “illegal” information on their databases?
According to WikiLeaks, the information that was contained on Coleman’s files included: Unique ID number, first name, last name, city, state, zip, phone, e-mail, employer, title, type of credit card used, name on card, last four of credit card, CVV2 value of the card, donation amount, authorization code from credit card processor, AVS (address verification) match, and a timestamp.
There is a violation of Minnesota Statute 325E.64 by retaining the card security code data.
If the company maintained this information for the Coleman campaign, was the same information maintained by other campaigns?
The Coleman incident may have exposed a problem that every political campaign needs to address. Proactively, every campaign that collected monies through credit cards needs to perform an internal investigation and issue a press release if illegal information was maintained.
There is no reason for waiting for the FBI, Secret Service, FEC or MN Attorney General to investigate … campaigns need to be forthright and transparent.
Comment posted March 15, 2009 @ 10:02 am
It would seem to me that the bigger story a lot of folks are missing is the fact that the Coleman campaign was in violation of Payment Card Industry (PCI) Data Security Standards (DSS) which specifically require any Web site collecting credit card data engage in specific practices to protect cardholder information.
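As an added illustration of the retention problem the two comments above raise (the field list in the March 14 comment, and the PCI DSS point in the March 15 comment), here is a pre-storage check written for this page; it is not code from the Coleman site, its payment vendor, or any commenter. It keeps the fields the comment lists but drops the CVV2, refuses to persist a record that still carries a security code, and also scans free-text fields for an embedded full card number. The `memo` field, the `card_number` field name and the sample record (including the widely published `4111 1111 1111 1111` test number) are constructed for the example.

```python
"""Pre-storage check for online-donation records.

Added example for this page, not code from the Coleman campaign or any
payment processor. Field names follow the list in the March 14 comment;
the sample records below are constructed.
"""
import re

# Data that must not be kept once the card has been authorized: the card
# security code named in the comments (PCI DSS also forbids storing it), plus
# a hypothetical full-card-number field in case a form ever posts one through.
FORBIDDEN_FIELDS = {"cvv2", "card_number"}

# 13 to 19 digits, optionally separated by spaces or dashes and not glued to
# other digits, so a 10-digit phone number or a 4-digit "last four" is ignored.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs before a field is flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_violations(record: dict) -> list:
    """Return the reasons this record must not be stored (empty list = OK)."""
    problems = []
    for key in record:
        if key.lower() in FORBIDDEN_FIELDS:
            problems.append(f"forbidden field present: {key}")
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS or not isinstance(value, str):
            continue
        for match in _PAN_RE.finditer(value):
            if luhn_ok(re.sub(r"\D", "", match.group())):
                problems.append(f"possible full card number in field {key}")
                break
    last4 = record.get("card_last4")
    if last4 is not None and not re.fullmatch(r"\d{4}", str(last4)):
        problems.append("card_last4 must be exactly four digits")
    return problems


def sanitize(record: dict) -> dict:
    """Drop forbidden fields, then refuse the record if anything else leaks a card number."""
    cleaned = {k: v for k, v in record.items() if k.lower() not in FORBIDDEN_FIELDS}
    problems = find_violations(cleaned)
    if problems:
        raise ValueError("; ".join(problems))
    return cleaned


# Constructed sample shaped like the field list in the comment (all values are fake).
SAMPLE_RECORD = {
    "unique_id": 1001, "first_name": "Jane", "last_name": "Donor",
    "city": "St. Paul", "state": "MN", "zip": "55101",
    "phone": "651-555-0100", "email": "jane@example.invalid",
    "employer": "Example Co", "title": "Engineer",
    "card_type": "Visa", "name_on_card": "Jane Donor", "card_last4": "1111",
    "cvv2": "123",            # the field that should never have reached the database
    "amount": "50.00", "auth_code": "A1B2C3", "avs_match": "Y",
    "timestamp": "2008-03-19T12:00:00",
}

if __name__ == "__main__":
    print(find_violations(SAMPLE_RECORD))   # ['forbidden field present: cvv2']
    print(sorted(sanitize(SAMPLE_RECORD)))  # the stored field names, with cvv2 removed
```

The check runs on the record just before it is written, so a policy change like the one described in the post cannot silently turn a "we do not retain" site into one that does: the security code is discarded regardless of what the form posted, and a full number pasted into any free-text field blocks the write instead of landing in the database.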