Following is the testimony that I, as Commander of the Lawrence County Sheriff's Auxiliary, delivered to the House Judicial Committee hearings (written on 22 April and orally on 27 April 2014) on HR 923 regarding the unlawful disclosure of CCW data in 2013. As most people know, the three impeachment resolutions before the Missouri House died in Committee prior to reaching the House floor. I am not going to comment on that political issue here. Officially, I am posting this testimony for completeness, because some people were interested, and will let it stand by itself. Personally, you might hear a word or two more out of me at some point...
Testimony for HR No. 923 97th General Assembly
22 April 2014
Major Eric Vought, Commander
Lawrence County Sheriff's Auxiliary (LCSA)
In my official capacity, with aproval of the Lawrence County Sheriff (LCSO)
Note: As I am submiting this testimony officially, I will restrict comments to HR923 which issue has directly affected our organization and operations. The LCSA is in favor of voting DO PASS on HR923.
The Lawrence County Sheriff's Auxiliary is a uniformed civil service providing volunteers to supplement the Sheriff's Office and other local law enforcement in disaster operations as well as providing some routine services (e.g Intelligence Analysis, Communications Support, Law Enforcement Chaplains). We have deployed in the last year to provide livestock theft patrols, to assist the Mount Vernon Police Department (MVPD) with Apple Butter Makin' Days event security, and to assist the MVPD in protecting local businesses during an unusual string of burglaries. Among other required training and credentials, our volunteers must possess a current Missouri CCW. The releases of CCW data referred to in the resolution and its continuing aftermath has directly and negatively impacted our operation and recruitment.
In order to serve under and alongside law enforcement, our volunteers make sigificant sacrifices: sacrifice of time, of money and personally-provided equipment, of training, of being called up and deployed with no notice, of an application and vetting process, and, of course, a background check, the core of which is provided by the Missouri CCW process, which the volunteer pays for. The data required by both the application and the CCW process is confidential and capable of being misused, either by officials or by criminals for identity theft. Volunteers in law enforcement also need to concern themselves with the possibility of reprisals by criminals for their freely-offered service. In return, our volunteers require two things: that our system of law and government, our communities, do everything they can to be *worth serving* and that their confidential data is protected by the system they serve.
As a former IT professional with data security experience, I am more aware than most that digital data cannot be recovered once it is in the wild. Because digital data can be copied endlessly at no cost and there is no way to determine how many times it has been copied or where those copies may have been stored, once confidential information is exposed, the law cannot make a victim whole. Assurances that errant copies have been destroyed are no more reassuring than the statement that the roach we can see has been stepped on. Given this reality of information technology, there are only two ways to protect confidential data belonging to the citizens of Missouri from exposure: process before and penalties after.
The citizens of Missouri believed that they had instituted 'process before' via their elected representatives in RsMO 571.101 in declaring that CCW data shall be considered by law to be "personal protected information" and therefore to be treated with like data under the law. The citizens further instituted 'penalties after' by specifying that violations would be a 'class A misdemeanor'. Clearly, 'process before' was violated, and 'penalties after' must come into play. Given that there is no other way to make citizens whole, failure to fully investigate, and if neccessary, prosecute violations leading to these exposures is equivalent to a complete abroggation of the state's responsibility to protect this data.
Aside from the consequences our volunteers may have suffered (as part of 160,000 Missourians) from exposure of their data, the fiasco which followed had other effects. When the Department of Revenue suddenly changed their policies on the documents required for CCW renewal and began scanning those documents, it raised alarms that data was not being protected in accordance with the law, which alarm was clearly justified. CCW holders due for renewal, knowing that their data could not be protected once it got out, were reluctant to renew their permits. This, in turn, created substantial headaches for the LCSA and the LCSO to find a way to keep requirements current while protecting volunteers. My own CCW was up for renewal on 1 October 2013 and I was due to travel out of state to speak at an emergency management conference several weeks after it expired. The DOR's insistence on obtaining and scanning source documents persisted after Governor Nxon's annoucement that it was not necessary and would be stopped and despite attempted intervention on the part of our Sheriff. The scramble to put a temporary CCW system in place caused significant disruption which only slackened when the new ID printing systems came online in the past month.
The CCW debacle also caused problems with recruitment at a critical time. A number of potentially qualified volunteers backed off from the appication process during that period, expressing uncertainies with how the CCW process violations would be handled. Coming directly on the hee ls of a Connecticut newspaper posting the list of CCW applicants, this issue was already in people's minds. They had been assured that unlike Connecticut, our CCW process makes their data non-public and that it was protected by law. In fact, I was one person who gave exactly those assurances, citing RsMO 571.101 at several public talks and meetings. The Auxiliary has continued to grow and recruit. Some of the lost applicants may come back if they trust the new system under the county Sheriffs. But the bottom line is that our organization works to make a difference and to serve the community; this issue has made our job harder and violated the trust in the system necessary for an effort like this to function. What kind of precedent is being set for other officials who may wish to ignore the safeguards on private data?
Given the assurrances I made about the state of the law in Missouri, encouraging people to apply for permits, my integrity requires me to follow this issue through.
The Governor claims that the breeches occured without his knowledge and consent. Why then, have there been no indictments of those involved in compliance with the plain language of 571.101 making violation a "class A misdemeanor"? Did the Governor implement appropriate policies to prevent the kind of breach which occured without his knowledge? If changes to the DOR's system were not intended to implement Real ID, in violation of state law, why did the Governor receive a letter from Janet Reno thanking him for his participation in the program? Perhaps there are reasonable explanations for these things, but it is the right of the publc to hear them and he responsibility of our legislature to ensure that they are heard. Impeachment by itself is not a guilty verdict but merely the first stage of a process the Missouri House has the duty to initiate.
The Lawrence County Sheriff's Auxiliary recommends DO PASS on HR923.