Attorney General Tom Miller will not investigate Linn County Auditor Joel Miller for alleged consumer fraud, he informed Secretary of State Paul Pate on September 11.
Pate wrote to the attorney general last month, asking him to investigate and prosecute the Linn County auditor for causing "personal information" of Iowa voters "to be acquired without legitimate purpose and transmitted without encryption or redaction." He was referring to the pre-filled absentee ballot request forms Miller's office mailed to more than 140,000 active registered voters. Under a legal interpretation prepared by Pate's staff, providing individuals' voter verification numbers to the vendor that printed the forms constituted a "breach of security."
Pate asserted in his August 25 letter, "Because Auditor Miller did not have a legitimate purpose to access and send the data, the vendor necessarily could not have a legitimate purpose." He said his office was still "gathering facts" about other county auditors who mailed pre-filled absentee ballot request forms. Lynn Hicks, communications director for the Attorney General's office, confirmed on September 11 that Pate has not sent similar letters requesting that civil cases be opened against Johnson County Auditor Travis Weipert or Woodbury County Auditor Pat Gill.
It's hard to imagine how the vendor that printed Linn County's absentee ballot request forms could use voter verification numbers to perpetrate any kind of consumer fraud. Unlike a Social Security number, the voter PINs serve no purpose other than to authenticate the identity of Iowans seeking to cast a ballot.
In a letter to Pate dated September 11, Miller noted,
I understand that there was a disagreement between the Linn County Auditor and the Secretary of State regarding the Auditor’s use of the I-Voter database to send pre-filled absentee ballot request forms to active voters in Linn County. I also understand that, subsequent to your August 25 letter, the Linn County District Court ruled that any returned pre-filled absentee ballot requests were invalid, and the Court further instructed the Auditor to inform the voters who had returned absentee ballot request forms that their requests were invalid, and they must submit a new absentee ballot request in order to receive an absentee ballot for the November election. The Auditor has indicated that he intends to comply with the Court’s order rather than seek appellate review.
Given these facts and my analysis of Iowa Code chapter 715C, I do not believe it is in the best interest of the State of Iowa to pursue this matter further. An investigation and potential prosecution of this matter would not be consistent with the purposes of Chapter 715C, which is to inform Iowa consumers of a breach of their personal information.1 I further believe that an additional notification to voters in Linn County in the form of a security breach notification is likely to lead to alarm and confusion on the part of Linn County voters, while not protecting the interests that the statute was intended to protect: namely, the security and confidentiality of Iowans’ personal financial information.
In a footnote, Miller explained that when his office investigates data breaches, the situation usually involves some kind of deceptive conduct "or an owner or licensor of data whose data security practices are so egregious that they rise to the level of an unfair practice, which would not be supported by the facts in this case."
Following further analysis of the relevant code sections, Miller cited a "safe harbor in the statute, which is directly applicable here."
The safe harbor reads: “notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.” (Iowa Code § 715C.2(6)). In this case, I do not believe there is a reasonable likelihood of financial harm to consumers from the facts presented to me, and therefore consumer notification is not required by the statute.
In a statement posted on his blog along with the attorney general's letter, Auditor Miller said, "I do admit that I am guilty of trying to make voting easier while maintaining the integrity of system. I am not guilty of anything more."
Although the Linn County elections office is complying with the District Court's order regarding the pre-filled absentee ballot request forms, attorneys representing Miller have asked the court to reconsider that decision. The judge has not yet ruled on that motion.
Another conflict between the Secretary of State's office and Linn County elections office was resolved earlier this month. Pate confirmed he will not seek to prevent county auditors from placing drop boxes for absentee ballots immediately outside their offices, and Miller agreed to remove three drop boxes his office had placed outside grocery stores in the Cedar Rapids area.
Appendix 1: September 11 letter from Attorney General Tom Miller to Secretary of State Paul Pate
Appendix 2: August 25 letter from Secretary of State Paul Pate to Attorney General Tom Miller
Appendix 3: Legal analysis prepared by Eric Gookin of the Iowa Secretary of State's office in support of Pate's call for a civil investigation and prosecution
Top image: Official photos of Secretary of State Paul Pate (left) and Linn County Auditor Joel Miller.