Whether the campaign violated state law may depend on whether the security breach occurred in January or this week, expert said.
Norm Coleman campaign officials didn't notify contributors after their database was briefly opened in January because no significant information had been downloaded and they didn't want to unnecessarily chill fundraising efforts, a Coleman lawyer said Thursday.
But the campaign may have broken a state law that requires prompt disclosure of a security breach, a law professor said.
Coleman attorney Fritz Knaak said campaign officials knew personal information for thousands of Coleman supporters had been exposed, but the campaign had "a high degree of confidence" that nothing important had been lost after a thorough investigation by the U.S. Secret Service.
As a result, he said, the campaign didn't want to play into the hands of hackers who might have sought to discourage donations to Coleman.
But Hamline University law Prof. David Schultz said if the breach happened in January, Coleman had "an affirmative duty to ... notify the donors." The database contained credit card numbers and security codes for 4,700 donors, also potentially putting the campaign in violation of a state law that bars businesses from hanging on to such information after a transaction, Schultz said.
Coleman officials said Wednesday the Secret Service is investigating the posting this week of campaign databases by Wikileaks, a website that specializes in disclosing confidential government information. Efforts to reach someone there failed.
Coleman and his lawyers have accused political foes of breaking into the website, while others have said the breach was the campaign's fault for sloppy website maintenance.
One of the first to discover the exposed database was Adria Richards, a Minneapolis freelance technical consultant. Richards checked the Coleman site on the night of Jan. 28 after getting reports that heavy traffic had crashed it; less than two minutes of poking with her browser put her into the database, she said. "A third-grader could have done it," she said.
Richards, who voted for Al Franken but disavowed political motives, said someone had corrected the problem by midnight. By then she had forwarded screen shots of the exposed site to liberal political blogs MNPublius and Minnesota Independent, but the story remained in the blogosphere until Wikileaks posted the data this week.
Whoever was handling the Coleman site that night (Knaak said it was a contractor) made "a bad mistake," said Seth Peter, chief technology officer for Minneapolis information security firm NetSPI.
Taking payments over the Internet is "an activity that shouldn't be taken lightly," Peter said. "The same rigor that a financial institution or big box retailer puts into their credit card collection needs to be replicated on a smaller scale."
Army veteran Kenneth Warner, who lives in Arizona, was "disappointed" to learn his $50 donation had been revealed. He said he would have to cancel his card. But he didn't blame Coleman. "Regardless of whether or not the information was accessible, it shouldn't have been posted and we can be pretty damn sure that whoever posted it doesn't like Norm Coleman," he said.
Kevin Duchschere • 651-292-0164