Playing With Fire

The KS Secretary of State's office runs Crosscheck, a simple database comparison of voter records from multiple states (28 in 2017) to check for duplicate registrations. Kansas has been running the program for over a decade at no cost to member states.

If the private voter data send by member states to Kansas were to be mishandled or hacked either in transit to or from Kansas or while in the database, Kansas would be legally liable.

Since April 2017, I have been asking #ksleg to consider the risk this represents to our state.  (This is in addition to other issues including dreadful data security pre-2018 and a record of mostly inaccurate results.)

Remediating a data security breach is *expensive*. The state of Utah spent $9 million on security audits, upgrades & credit monitoring for victims for a breach of 780,000 Utahns. That is fairly modest cost per person ($12) compared to other breaches.

Florida is spending up to $113,000 ($120/pp) to provide LifeLock identity theft to the 945 Kansans' whose private data was emailed from Kansas to Florida, after which Florida inadvertently released it via FOIA.

The Kansas Secretary of State's office has not obtained data liability insurance policy for Crosscheck. In response to lawmaker questions, Elections Director Bryan Caskey testified that a mishandling or breach would be covered by the Kansas Torts Claims Fund.

In testimony in the Kansas Judiciary Committee today, it was reported that the ending balance of the Tort Claims Fund for fiscal year 2017 was $216,704. (Projected balances are FY18: $296,705 and FY19: $376,706.) 

Kansas accepted 98 million records into Crosscheck and returned 7.2 million records as results. If the smallest output file (Idaho at approximately 28,000 records) were breached and the cost were the $12 per person paid by Utah, that would cost Kansas $336,000.

If the smallest input file (South Dakota at 588,214) at $12 per person would be $7,058,568 If the full 98 million records were compromised, even at only $12 per person, the cost runs into the billions.

Kansas has $216,704 available.

No liability insurance.

A bill which would have required the Secretary of State to obtain data liability insurance was killed in committee by House Elections Chair Keith Esau.

We are playing with fire, and we don't have money to burn.