Another Privacy Breach Caused By a Mistake: Republican Party Donor PII Exposed

Here is another privacy breach caused by the weakest information security and privacy link: people.

Yesterday the New York Sun reported that a Republican National Committee staff member accidentally:

"...emailed a list that contained the names, races, and Social Security numbers of dozens of top Republican donors — and that identified two of the contributors as Muslim — to this reporter.  In the course of preparing for a Washington fund-raiser on Friday headlined by President Bush, an RNC staffer, Dee Dee Lancaster, intended to e-mail a security list of confirmed guests to other event planners and the Secret Service. But Ms. Lancaster mistyped one of the addresses, and the e-mail wound up in the Gmail account of this reporter."

It is so easy to make this type of mistake!  All the more reason to require that sensitive data such as this be encrypted whenever it must be sent by email.  Email mistakes are made all the time; I discussed this in a recent blog post.

It struck me as odd that event planners and the Secret Service would require the races and SSNs of the donors.  This should dissuade many people from donating to candidates, knowing that such sensitive information is being carelessly handled.  Even if this email mistake had not been made, it is very bad security to send SSNs and other types of sensitive PII in clear text email messages.
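The two controls argued for above (sensitive data in email must be encrypted, and SSNs should never travel in clear text) are the kind of thing an outbound mail gateway can enforce mechanically. The following is an added example, not code from this blog or from any of the organizations mentioned: it parses an outbound message, counts values that have the shape of an issued SSN, notes any recipient outside the organization's own domains (a mistyped address is exactly that case), and lets the message through only if it found nothing or the message is already an encrypted envelope. The sample messages, the addresses and the domain `example-party.test` are constructed; the gateway itself and the S/MIME check by content type are assumptions about how such a filter would be wired in.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# SSN shape with the structurally invalid ranges excluded: area 000, 666 and
# 900-999 are never issued, group 00 and serial 0000 do not exist.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample: a guest list mailed in clear text, with one recipient
# address mistyped so that it lands in an outside mailbox. The "Order ref"
# number is deliberately not a valid SSN and must not be counted.
SAMPLE_MESSAGE = """\
From: planner@example-party.test
To: events@example-party.test, d.lancaster@gmial.test
Subject: Confirmed guest list for Friday
Content-Type: text/plain; charset=utf-8

Confirmed guests:
Jane Doe, 123-45-6789
John Roe, 456-78-9012
Order ref 900-12-3456
"""

# Constructed sample: the same headers, but the body is an S/MIME envelope
# (application/pkcs7-mime), so the gateway cannot and need not inspect it.
ENCRYPTED_MESSAGE = """\
From: planner@example-party.test
To: events@example-party.test, d.lancaster@gmial.test
Subject: Confirmed guest list for Friday
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""

# Assumed: these top-level content types mean the body is encrypted end to end.
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}


def find_ssns(text):
    """Return every string in `text` that has the shape of an issued SSN."""
    return SSN_RE.findall(text)


def message_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def recipient_addresses(msg):
    """All To/Cc/Bcc addresses, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def evaluate(raw_message, internal_domains):
    """Decide whether an outbound message may leave the gateway.

    Returns a dict with the decision ("allow" or "block"), a reason, the number
    of SSN-shaped values found, and the recipients outside `internal_domains`.
    """
    msg = message_from_string(raw_message)
    external = [a for a in recipient_addresses(msg)
                if a.rsplit("@", 1)[-1] not in internal_domains]
    if msg.get_content_type() in ENCRYPTED_TYPES:
        return {"decision": "allow", "reason": "content is encrypted end to end",
                "ssn_count": 0, "external": external}
    ssns = find_ssns(message_text(msg))
    if not ssns:
        return {"decision": "allow", "reason": "no SSNs in clear text",
                "ssn_count": 0, "external": external}
    where = "external recipients" if external else "internal recipients only"
    return {"decision": "block",
            "reason": f"{len(ssns)} SSN(s) in clear text, {where}",
            "ssn_count": len(ssns), "external": external}


if __name__ == "__main__":
    for name, raw in (("clear text", SAMPLE_MESSAGE), ("encrypted", ENCRYPTED_MESSAGE)):
        print(name, evaluate(raw, {"example-party.test"}))
```

The clear-text sample is blocked with two SSNs counted and the mistyped Gmail-like address listed as external, while the encrypted sample passes untouched. Blocking on the SSN content alone, and reporting the external recipient only as context, is deliberate: the post's point is that clear-text SSNs in email are bad practice regardless of who the intended recipient was, and the mistyped address is simply the way that practice turned into a breach.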

And I'm also wondering...why would someone who donates money to a campaign need to provide his/her SSN?  I vote at every election, but I've never proclaimed a political party (partly to avoid constant requests for donations), so I don't know what the typical process is for making campaign or party donations.  However, if someone asked me for a donation, and I said okay, I'd immediately withdraw that offer if they made my donation contingent upon my providing my SSN.  Of course, it may have to do with claiming it on income taxes...so now I'm definitely staying away from making donations to any political parties.  I would guess that it would be very scary to see what kind of information security and privacy practices they have within the RNC, or the Democratic National Party...or any other organized political group.

In fact, my curiosity is now piqued; I need to check their websites to see if they have posted privacy policies, or any mention of having an information security officer, privacy officer, or any type of security validation, such as a TruSecure certification or similar.  Let's see...

The Republican National Committee

  • Posted privacy policy?  Yes.  They include a section on how they secure their information.  An okay, but lacking policy.
  • Named CISO?  No mention of any found
  • Named CPO?  No mention of any found
  • Security validation?  No

The Democratic National Committee

  • Posted privacy policy?  Yes.  They include a section on how they secure their information.  Their privacy policy is actually better than the GOP's privacy policy, but still lacking.
  • Named CISO?  No mention of any found
  • Named CPO?  No mention of any found
  • Security validation?  No

The National Libertarian Party

  • Posted privacy policy?  Yes.  A very poorly constructed policy.  Particularly this statement within it: "From time to time, we may use customer information for new, unanticipated uses not previously disclosed in our privacy notice. If our information practices change at some time in the future we will post the policy changes to our Web site to notify you of these changes and provide you with the ability to opt out of these new uses. If you are concerned about how your information is used, you should check back at our Web site periodically."
  • Named CISO?  No mention of any found
  • Named CPO?  No mention of any found
  • Security validation?  No

The Reform Party

  • Posted privacy policy?  No
  • Named CISO?  No mention of any found
  • Named CPO?  No mention of any found
  • Security validation?  No

No warm fuzzies with information security found at any of these.

Organizations of all kinds, and all sizes, not just for-profits, need to implement information security and privacy programs to safeguard the PII they collect. 

I wonder...in the case of the RNC...shouldn't they be subject to FTC Act violation actions?  They state in their posted privacy policy, "Strict security measures are in place to protect the loss, misuse and alteration of any and all information pertaining to GOP.com."  After all, Eli Lilly was handed a consent order that will impact them significantly for 20 years from the time of their incident in 2002 that was the result of an email mistake.

Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.