THOMAS J. MILLER 1305 E. WALNUT ST. DES MOINES, IA 50319 P: 515-281-5164 www.iowaattorneygeneral.gov ATTORNEY GENERAL IOWA DEPARTMENT OF JUSTICE OFFICE OF THE ATTORNEY GENERAL September 11, 2020 Paul D. Pate Secretary of State State Capitol Des Moines, Iowa 50319 Dear Secretary Pate: Thank you for your letter of August 25, and for making my office aware of the issues outlined in the letter and accompanying documents. After carefully reviewing the materials and relevant law, I have decided not to proceed with an investigation of Linn County Auditor Joel Miller at this time for the reasons outlined in this letter. I understand that there was a disagreement between the Linn County Auditor and the Secretary of State regarding the Auditor’s use of the I-Voter database to send pre-filled absentee ballot request forms to active voters in Linn County. I also understand that, subsequent to your August 25 letter, the Linn County District Court ruled that any returned pre-filled absentee ballot requests were invalid, and the Court further instructed the Auditor to inform the voters who had returned absentee ballot request forms that their requests were invalid, and they must submit a new absentee ballot request in order to receive an absentee ballot for the November election. The Auditor has indicated that he intends to comply with the Court’s order rather than seek appellate review. Given these facts and my analysis of Iowa Code chapter 715C, I do not believe it is in the best interest of the State of Iowa to pursue this matter further. An investigation and potential prosecution of this matter would not be consistent with the purposes of Chapter 715C, which is to inform Iowa consumers of a breach of their personal information. 1 I further believe that an additional notification to voters in Linn County in the form of a security breach notification is likely to lead to alarm and confusion on the part of Linn County voters, while not protecting the interests that the statute was intended to protect: namely, the security and confidentiality of Iowans’ personal financial information. 1 Our office does pursue data breaches as a violation under the Iowa Consumer Fraud Act, Iowa Code section 714.16, but in those situations, the investigation typically involves an owner or licensor of data that has engaged in deceptive conduct (e.g., by failing to adhere to promises to keep data safe made to consumers in a privacy policy) or an owner or licensor of data whose data security practices are so egregious that they rise to the level of an unfair practice, which would not be supported by the facts in this case. Specifically, with regard to Chapter 715C, the code has two sections: The first section is the definitions (Iowa Code § 715C.1), which are used to determine if there was a “breach of security,” (the first defined term) and the second section (Iowa Code § 715C.2), which outlines the notification requirements, and exceptions thereto, in the event there was a breach of security. Assuming that a “breach of security” occurred, as that term is defined by the statute, the analysis of whether notice to consumers is required then moves to the notice requirements of section 715C.2. The second section of the statute contains the security breach notification requirement, which is the primary substantive requirement of the statute. See Iowa Code § 715C.2. Pursuant to Iowa Code section 715C.2(1), any “person” — which is defined very broadly and includes governmental subdivisions or agencies (see Iowa Code § 715C.1(10)) — who “owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security” shall give notice to the consumers whose data was breached. The statute further requires notice to the director of the consumer protection division of the Iowa Attorney General’s office in the event of a breach affecting more than 500 Iowans. Iowa Code § 715C.2(8). In this case, you have alleged that the I-Voter database was breached by the Linn County Auditor in order to partially complete the absentee voter request forms before mailing them. For purposes of the breach notification requirements of section 715C.2, this raises the question: Who “owns or licenses” the I-Voter data? In this case, the answer to that question is: the Iowa Secretary of State. Furthermore, the “I-Voters User Security Agreement” that county auditors sign for access to the I-Voter data does not obligate auditors to notify consumers in cases of a data breach. Therefore, if this use of the I-Voter database constituted a “breach of security,” pursuant to Iowa Code section 715C.2(1), the Iowa Secretary of State would be required to notify those consumers whose information was involved in the breach, subject to exceptions to the notification requirement found later in the statute. Finally, there is a safe harbor in the statute, which is directly applicable here. The safe harbor reads: “notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.” (Iowa Code § 715C.2(6)). In this case, I do not believe there is a reasonable likelihood of financial harm to consumers from the facts presented to me, and therefore consumer notification is not required by the statute. While I appreciate the seriousness of the situation and expect that every public official in the State of Iowa follow the law, I do not believe on the facts presented to me that this matter 2 warrants either sending a security breach notification to the voters of Linn County, or further investigation of the actions of the Linn County Auditor by my office. Sincerely, Thomas J. Miller Iowa Attorney General Thomas J. Miller Iowa Attorney General 3