When Kamala Harris was Attorney General for the State of California, just prior to winning the open Senate seat of Barbara Boxer, she issued a data breach report after personal information on thousands of California firearms instructors was accidentally leaked. The report read in part:
Data breaches, particularly when they involve sensitive information such as Social Security numbers and health records, threaten not only the privacy but also the security and economic wellbeing of consumers.
Now that organizations rely increasingly on the collection and use of personal information and criminals take advantage of security weaknesses to obtain and profit from that same information, it is more important than ever that all of us redouble our efforts to ensure that this data does not end up in the wrong hands.
But many of the breaches reported to us could have been prevented by taking reasonable security measures, and an organization that voluntarily chooses to collect and retain personal information takes on a legal obligation to adopt appropriate security controls. As California’s top cop, I take a “Smart on Crime” approach to public safety – and in the 21st century, that means being “Smart on Tech.”
As Ms. Harris herself stated, she was the “top cop,” and she had a legal obligation to adopt the appropriate security controls. But did she?
The actual breach took place in October. A letter was forwarded to every firearms instructor informing them of the breach. This letter was sent from the office of the Attorney General of California and was dated December 28, 2016, approximately 10 weeks after the data report was released.
The private information that was released was technically exposed to fraud for just over two months. Fortunately, the recipient of the information was not intent on using personal information for misdeeds. The documents were provided to a reporter from NPR when he requested background information on firearms certification, utilizing the FOIA. Through a technical “faux pas”, the personal information was “inadvertently” released.
What if the information had fallen into the wrong hands? Whether purposefully, by accident, or through negligence, great harm could have come to any one of the instructors.
It isn’t just theft or fraud. I, myself, as someone who was a partner to an NRA Training Counselor, know that a large portion of firearms instructors are active and/or retired police officers. Exposure of their home address and driver’s license to the wrong people makes them especially vulnerable in this day and age. Misinformed and reckless individuals, who feel “blue lives don’t matter”, are a threat to property but, more importantly, to life.
So how did this happen, when Kamala Harris herself, only months before, stated on the California DOJ website that this was a serious issue that she was legally obligated to oversee? Wasn’t this part of her oath of office – to ensure the safety, security, and privacy of all citizens of California?
Should she, and can she and the state of California, be held liable for any direct or indirect costs, harm, or damages?
And now as a Senator, how can the country trust her on any security oversight committees, if she has already proven she couldn’t even manage her own staff’s abilities to keep their own technology secure?