Another Privacy Breach Caused By a Mistake: Republican Party Donor PII Exposed

Here is another privacy breach caused by the weakest link in information security and privacy: people.

Yesterday the New York Sun reported that a Republican National Committee staff member accidentally:

"…emailed a list that contained the names, races, and Social Security numbers of dozens of top Republican donors — and that identified two of the contributors as Muslim — to this reporter. In the course of preparing for a Washington fund-raiser on Friday headlined by President Bush, an RNC staffer, Dee Dee Lancaster, intended to e-mail a security list of confirmed guests to other event planners and the Secret Service. But Ms. Lancaster mistyped one of the addresses, and the e-mail wound up in the Gmail account of this reporter."

It is so easy to make this type of mistake! All the more reason to require that sensitive data like this be encrypted whenever it must be sent by email, so that a mistyped address exposes nothing readable. Email mistakes are made all the time; I discussed this in a recent blog post.

It struck me as odd that event planners and the Secret Service would require the races and SSNs of the donors. This should dissuade many people from donating to candidates, knowing that such sensitive information is being carelessly handled. Even if this email mistake had not been made, it is very bad security to send SSNs and other sensitive PII in clear-text email messages.
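As an added example, not code from the original post, here is a small outbound-mail gate in Python that implements the control argued for in the two paragraphs above: it refuses a message that carries clear-text Social Security numbers unless the message is PGP/MIME or S/MIME encrypted, and it flags any recipient outside an allow-list of expected domains, which is the check that would have caught the mistyped Gmail address. The guest list and the domains are constructed for the example; example.org and example.gov stand in for the event planners and the Secret Service, and nothing is actually sent.

```python
"""Outbound mail gate for the failure mode described above: a message that
carries Social Security numbers in clear text, or that is addressed to a
domain outside the expected recipients, is refused before it leaves.
Standard library only; no real mail is sent. Added example, not the RNC's
or anyone else's production code."""
import re
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterable, List

# Matches 123-45-6789, 123 45 6789 or 123456789, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA's structural rules to cut false positives: area numbers
    000, 666 and 900-999 are never issued, nor are group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> List[str]:
    """Return every plausible SSN found in the text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def is_encrypted(msg: EmailMessage) -> bool:
    """PGP/MIME (multipart/encrypted) and S/MIME enveloped messages are opaque
    to the gate; they pass because the payload is no longer clear text."""
    return msg.get_content_type() in ("multipart/encrypted",
                                      "application/pkcs7-mime")


def text_parts(msg: EmailMessage) -> str:
    """Concatenate every text/* part, body and attachments alike, so a CSV
    attached as text/csv is scanned exactly like the body."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")


def recipient_addresses(msg: EmailMessage) -> List[str]:
    """All To/Cc/Bcc addresses, lower-cased, from the message headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_outbound(msg: EmailMessage, allowed_domains: Iterable[str]) -> List[str]:
    """Return the reasons the message must not be sent; an empty list means
    it passes. Both checks run so the sender sees every problem at once."""
    allowed = {d.lower() for d in allowed_domains}
    problems = []
    for addr in recipient_addresses(msg):
        if addr.rpartition("@")[2] not in allowed:
            problems.append(f"recipient outside allowed domains: {addr}")
    if not is_encrypted(msg):
        ssns = find_ssns(text_parts(msg))
        if ssns:
            problems.append(f"clear-text SSNs in message: {len(ssns)} found")
    return problems


def build_guest_list_message() -> EmailMessage:
    """Constructed sample resembling the mis-sent message: a guest list with
    SSNs attached as CSV, with one address mistyped to a Gmail account.
    The domains and SSNs are made up for this example."""
    msg = EmailMessage()
    msg["From"] = "events@example.org"
    msg["To"] = "planner@example.org, reporter@gmail.com"
    msg["Cc"] = "advance@example.gov"
    msg["Subject"] = "Security list - confirmed guests"
    msg.set_content("Confirmed guest list for Friday attached.")
    msg.add_attachment("Name,SSN\nA. Donor,123-45-6789\nB. Donor,234 56 7890\n",
                       subtype="csv", filename="guests.csv")
    return msg


if __name__ == "__main__":
    for problem in check_outbound(build_guest_list_message(),
                                  ["example.org", "example.gov"]):
        print("BLOCKED:", problem)
```

The pattern-plus-plausibility check is deliberately narrow: it scans message bodies and text attachments, not headers or binary attachments such as spreadsheets, and a real deployment would sit in the mail gateway rather than in the sending client so that staff cannot skip it.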

And I’m also wondering: why would someone who donates money to a campaign need to provide his or her SSN? I vote in every election, but I’ve never declared a political party (partly to avoid constant requests for donations), so I don’t know what the typical process is for making campaign or party donations. However, if someone asked me for a donation and I said okay, I’d immediately withdraw that offer if they made my donation contingent upon my providing my SSN. Of course, it may have to do with claiming it on income taxes, so now I’m definitely staying away from making donations to any political parties. I would guess that it would be very scary to see what kind of information security and privacy practices they have within the RNC, the Democratic National Committee, or any other organized political group.

In fact, my curiosity is now piqued; I need to check their websites to see if they have posted privacy policies, or any mention of having an information security officer, privacy officer, or any type of security validation, such as a TruSecure certification or similar.  Let’s see…

The Republican National Committee

  • Posted privacy policy?  Yes.  They include a section on how they secure their information.  An okay but lacking policy.
  • Named CISO?  No mention of any found
  • Named CPO?  No mention of any found
  • Security validation?  No

The Democratic National Committee

  • Posted privacy policy?  Yes.  They include a section on how they secure their information.  Their privacy policy is actually better than the GOP’s privacy policy, but still lacking.
  • Named CISO?  No mention of any found
  • Named CPO?  No mention of any found
  • Security validation?  No

The National Libertarian Party

  • Posted privacy policy?  Yes.  A very poorly constructed policy.  Particularly this statement within it: "From time to time, we may use customer information for new, unanticipated uses not previously disclosed in our privacy notice. If our information practices change at some time in the future we will post the policy changes to our Web site to notify you of these changes and provide you with the ability to opt out of these new uses. If you are concerned about how your information is used, you should check back at our Web site periodically."
  • Named CISO?  No mention of any found
  • Named CPO?  No mention of any found
  • Security validation?  No

The Reform Party

  • Posted privacy policy?  No
  • Named CISO?  No mention of any found
  • Named CPO?  No mention of any found
  • Security validation?  No

No warm fuzzies with information security found at any of these.

Organizations of all kinds and sizes, not just for-profits, need to implement information security and privacy programs to safeguard the PII they collect.

I wonder, in the case of the RNC, shouldn’t they be subject to an FTC Act violation action? They state in their posted privacy policy, "Strict security measures are in place to protect the loss, misuse and alteration of any and all information pertaining to GOP.com." After all, Eli Lilly was handed a consent order that will affect it significantly for 20 years from the time of its 2002 incident, which was also the result of an email mistake.
