Update: Linn County voter data mistakenly released

The following is an update on a story in The Gazette by James Lynch titled Linn auditor investigating voter data release. Mr. Lynch’s story is accurate.

I sincerely apologize to you, the citizens of Linn County, for the unintentional and unauthorized release of your voter data!

Here’s a recap of the events:

At about 9:02am on 4 August 2017, a Linn County Elections employee made a clerical error resulting in a significant release of voters’ personal information. There was no intent for this error to occur; however, I have placed the employee on paid administrative leave until further notice.

Under Iowa law, voters may request voter data. Information from voter registration records can only be used:

·To request a registrant’s vote at an election (not how they voted, but if they voted);

·For a genuine political purpose;

·For bona fide political research; or

·For a bona fide official purpose by an elected official

My office keeps records of all voter list customers. This list is open to the public and is available at: http://www.linncounty.org/DocumentCenter/View/3967

As required by Iowa law, my office routinely fills these requests. In this instance, records were requested for four members of the Linn County Republican Party (LCRP). To my knowledge, the LCRP has been requesting voter data from the Auditor’s Office for years, if not decades.

One of my professional and experienced team members exported the requested information which legally includes name, address, date of birth, and political affiliation from I-Voters, Iowa’s statewide voter registration database. In the course of exporting that data, the employee accidentally clicked on the box allowing for the last four digits of individuals’ social security numbers.

At about 9:05am, Deputy Commissioner of Elections Rebecca Stonawski became aware of the issue and with the employee, contacted the owners of the email addresses via phone and email with instructions to delete the email containing the voter data. Three of the recipients were located and they immediately deleted the emails. Note: Early next week, I will ask each of those three individuals to sign a statement indicating they deleted the voter data.

One of the email recipients could not find the email containing the voter data in her inbox. It was then that my staff discovered that the individual’s email did not match what was given to the elections office by the LCRP. I do not believe that this was done with any intent. Instead, I believe a clerical error created the issue.

At about 11:45am, Deputy Stonawski alerted me after thoroughly confirming the LCRP’s intended email recipient did not receive the email containing the voter data and did not have access to the email account the voter data was mailed to. The employee was placed on paid administrative leave.

Over the course of the next few hours, my office contacted the Linn County Attorney, outside security vendors, the Iowa Secretary of State’s office, and members of the Linn County Board of Supervisors and its various department heads. My staff continued attempts to contact the owner of the email account in question and Google, the provider of Gmail. They also tried recalling the email – a feature available in Microsoft’s Outlook product – and they tried to confirm whether the email account was active, dormant, or otherwise..

At 4:25, I attempted to contact Deputy Secretary of State Carol Olson because I wanted to talk with Iowa Secretary of State Paul Pate.

At 4:26pm, I called Gazette reporter James Lynch and informed him of voter data release – see story link above.

At 4:28pm, I talked to Deputy SOS Olson and Dawn Williams, SOS Director of Elections, who indicated Secretary Pate was unavailable, but a message had been sent to him. In the course of my conversation with Olson and Williams, we discussed my recommendation that the “check box” for including the last four of SSNs be removed from the process used to fulfill voter data requests.

At 4:58pm, I attempted to contact the newsroom at WMT Radio.

At 5:04pm, I called KGAN reporter Nick Weig and informed him of the voter data release – see his story at http://cbs2iowa.com/news/local/breaking-linn-county-auditor-reports-accidental-data-breach

At 5:33pm, KCRG reporter Josh Scheinblum returned my call and I informed him of the voter data release – see his story at http://www.kcrg.com/content/news/Linn-County-social-security-numbers-accidently-sent-to-GOP-438621083.html

At 6:16pm, Linn County Supervisor and Board Chairman Brent Oleson called me to get an update.

At 6:37pm, LCRP Chairman Justin Wasson returned my call and I confirmed the facts surrounding the email account he had provided to my office. He advised that he had been sending emails to that account for a long time and never had any indication it was not owned by a member of his organization.

At 8:43pm – Deputy Stonawski and I concluded our final conversation of the evening.

Saturday, 5 August 2017

At 8:53am – I returned a call to Linn County Supervisor John Harris and gave him an update.

Starting at about 8am and throughout the day, Deputy Stonawski and I continued our efforts to find a live person at Google who could help us. After receiving direction from Linn County Sheriff Brian Gardner and one of his lieutenants, we successfully reached the appropriate authorities within Google who provided the prerequisites we needed to proceed with our investigation.

Steps going forward include:

·Linn County Elections is investigating identity theft protection options. We will follow the advice of the Linn County Attorney’s office on what is appropriate in this type of situation.

·Linn County Elections will place a temporary moratorium on fulfilling any further voter information requests until sufficient safeguards are in place which also comply with Iowa law.

·Linn County Elections will encourage and work with the Iowa Secretary of State’s office to delete the database option which allows Social Security digits to be exported per a voter data request. Since it’s against Iowa law to provide SSNs, driver license operator numbers, and non-operator ID numbers to any member of the public except for law enforcement, I see no reason for the “check box” to include the last four of digits of SSNs in the process used to produce voter data lists.

·Linn County Elections will continue to work with the Linn County County Attorney’s Office in regard to the unidentified email address and the unauthorized receipt of voter data from the Linn County Elections.

Linn County Elections, as well as, the entire Linn County Auditor’s Office will actively verify email addresses provided by requestors’ prior to fulfilling public records requests.

Again, I sincerely apologize to you, the citizens of Linn County, for the unintentional and unauthorized release of your voter data! – Joel D. Miller – Linn County Auditor

One Response to “Update: Linn County voter data mistakenly released”

  1. Communicating to the Board re voter data mistakenly released | JoelMiller.us Says:

    […] Update: Linn County voter data mistakenly released […]


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: