From Eman's superlative rec list diary, Update V:
And The Minnesota Independent has this:
Coleman Web site dropped promise not to store donors’ credit card data
As recently as last year, Norm Coleman promised campaign donors his Web site would not store their credit card numbers. That was then. The Coleman Web site’s "Privacy Policy" now promises only to encrypt contributors’ data "during the transfer process." The old policy — or even a sensible system of encrypting data and storing it away from Internet-accessible areas — would have prevented the breach of private data for thousands of his donors.
This is what the Coleman privacy policy used to say: "We do not retain records of contributors’ credit card numbers." But, as the current policy states: "We reserve the right to change this privacy policy at any time ..."
Coleman's data storage was not merely stupid. It was illegal.
From the January 2008 Coleman campaign privacy statement, we see that it does indeed state:
We do not retain records of contributors' credit card numbers.
We now know that statement was a lie. More to the point, the former privacy policy says nothing about whether credit card or debit card security codes were retained. Retaining those numbers violated Minnesota law whether the database was encrypted or not. Furthermore, violating the law has severe financial consequences. No wonder Norm didn't want to fulfill his statutory obligations to deal with the problem. As intelligent people learn and continually relearn, the coverup is what gets you - Norm's current position seems fraught with much greater financial peril than it would have been if the problem had been dealt with on January 28 or 29.
Beyond the statutory penalties for violating Minnesota law, the Coleman campaign can and probably will be sued from now to extinction, both because of the illegal practice and the failure to deal with the fallout in a timely manner. I am not a lawyer, so I don't know to what extent, if any, Coleman himself is personally liable.
Behold 325E.64. (Subdivision 1 is the definition of terms.)
2008 Minnesota Statutes
325E.64
ACCESS DEVICES; BREACH OF SECURITY.
...
Subd. 2. Security or identification information; retention prohibited. No person or entity conducting business in Minnesota that accepts an access device in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction. A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.
Subd. 3. Liability. Whenever there is a breach of the security of the system of a person or entity that has violated this section, or that person's or entity's service provider, that person or entity shall reimburse the financial institution that issued any access devices affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders, including but not limited to, any cost incurred in connection with:
(1) the cancellation or reissuance of any access device affected by the breach;
(2) the closure of any deposit, transaction, share draft, or other accounts affected by the breach and any action to stop payments or block transactions with respect to the accounts;
(3) the opening or reopening of any deposit, transaction, share draft, or other accounts affected by the breach;
(4) any refund or credit made to a cardholder to cover the cost of any unauthorized transaction relating to the breach; and
(5) the notification of cardholders affected by the breach.
The financial institution is also entitled to recover costs for damages paid by the financial institution to cardholders injured by a breach of the security of the system of a person or entity that has violated this section. Costs do not include any amounts recovered from a credit card company by a financial institution. The remedies under this subdivision are cumulative and do not restrict any other right or remedy otherwise available to the financial institution.
Wowsir! Now we know why the campaign was reluctant to deal with the consequences of their failures. It would have been expensive then. It will be more expensive now.
The current Coleman campaign privacy policy (11:00 p.m. ET) eliminates any mention of whether or not credit card account numbers or security code numbers are saved. Here is the relevant portion:
...
When transacting credit card information, we protect your information during the transfer process by using Secure Sockets Layer (SSL) software, which digitally encrypts information you enter.
Policy
We reserve the right to change this privacy policy at any time but the most current privacy policy will always be posted on the website or you can contact us and request one.
The babble about encryption during transfer is not relevant to the present discussion.
UPDATE: The Coleman campaign Crashgate FAQ is hilarious. Fictional, but hilarious. This is the funniest one:
Q: If I want to contribute, how should I go about it?
A: We would appreciate your contributions being sent to:
Coleman for Senate Recount Fund
680 Transfer Road, Suite A
Saint Paul, MN 55114
Or call 651-645-0766 to make a donation over the phone
But please please don't use the inet.