Lessons From a Presidential Campaign Data Breach

It was perhaps the first major allegation of a cyber breach in a presidential campaign when the Democratic National Committee (DNC) claimed that staff members from the campaign of Bernie Sanders accessed, without authorization, information in a voter database maintained by the DNC. The DNC leases this database to various campaigns, and the campaigns supplement it with their own information. However, campaigns are blocked via firewalls from viewing information supplied by rival campaigns. In this case, members of the Sanders campaign are alleged to have accessed information supplied by Hillary Clinton’s campaign due to a software glitch within the database’s firewall.

The exact facts surrounding this access are highly disputed by all parties, including the motivation of the Sanders campaign, whether the retrieved information was downloaded, and how many times the Clinton information was accessed. What is not in dispute, however, is that the DNC suspended the Sanders campaign’s access to the database as a consequence of the unauthorized access. Given the importance of the information in the database to the campaign, the Sanders campaign filed a lawsuit alleging that the suspension violated a contract between the Sanders campaign and the DNC that required formal written notice if one of the parties believed the other had violated the contract. The suit further alleged that the parties had 10 days following any alleged breach of contract to address any concerns. This situation was exacerbated by the highly political nature of the overall situation, and the Sanders campaign dropped the suit relatively quickly after the DNC agreed to restore the campaign’s access. Despite this resolution, both sides still maintain different versions of events.

Data breaches are no longer a question of if, but when. Given this inevitability, organizations should take the time to prepare an appropriate response plan and then not significantly deviate from it unless advised to do so by appropriate professionals. This plan should include, among other things, a plan for evaluating the extent of the breach, addressing security vulnerabilities, and meeting any necessary legal requirements. In addition to enabling a timely response to a breach, this plan also ensures that decisions are not based on emotion. A data breach, especially a big one or one with potentially significant consequences, can trigger a desire to retaliate. Retaliation can only lead to more problems. In addition to exposing the organization to private causes of action like the breach-of-contract action described above, various state and federal laws, e.g. the Computer Fraud and Abuse Act, make it illegal to hack back. Having a predetermined plan in place can prevent the problems and liability that may arise from a more spontaneous response.