Did Coleman campaign violate consumer protection law?
If you haven't heard yet, former-Senator Norm Coleman's campaign donor list has been breached, allowing folks to obtain credit card information on thousands of donors. According to The Hill, the Coleman Campaign encouraged donors to cancel all their credit cards on Wednesday. Emily Kaiser has a write-up of the story and a follow-up story addressing the Campaign's lame attempt to spin the news. But as this thing moves along, more fissures appear.
But then emails began to come in from wikileaks.org indicating they had obtained data, including all credit card information of online donors. For proof, they posted one spreadsheet on their site. You can read it here.
Wikileaks has gone on to state in a press release:
B) The Coleman campaign has illegally collected personal financial details of its donors, in the form of unencrypted credit card numbers, without reporting this as required in the Minnesota Government Data Practices Act (under which citizens are entitled to such notification for each significant unit of data stored);
But the problems for Campaign Coleman don't stop with a scary breach of security, or the apparent lack of notification in regard to data.
A simple look at Coleman's list shows that his campaign kept thousands and thousands of credit card security codes. They're those three-digit numbers the pizza delivery guy asks for before he approves your order.
But even the pizza guy knows he's not supposed to keep that code.
That's due to a subdivision in Minnesota law H.F. 1758:
Subd. 2. Security or identification information; retention prohibited. No person or entity conducting business in Minnesota that accepts an access device in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction. A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.So did Campaign Coleman violate the law?
"Certainly the attempt [of the law] is to prevent the storing of such data," says University of Minnesota consumer protection law professor Stephen Meili. "But this one isn't crystal clear. There are two questions. One: is a campaign donation a transaction? Two: And this is a trickier question, is a campaign conducting business? There may be more definitive answers in the statute... Or not."
City Pages has calls out to various legal scholars to update this post.
Meanwhile, Coleman Campaign manager, Cullen Sheehan, did not return our calls to his cell. And another phone line was busy-busy-busy all afternoon.
We assume he's in demand.
Minnesota statute H.F. 1758