Senator Maggie Hassan (D-N.H.) has been a vocal critic of private companies’ failures to notify customers when data breaches occur, even sponsoring a federal law to force them to do so. However, according to a Daily Caller investigation, it appears she has yet to notify any of her constituents that their personal data was stolen from her Senate computer system by a disgruntled former staffer, who was recently sentenced to four years in prison for his crimes.
The former staffer, Jackson Cosko, committed what prosecutor Demian Ahn called “the largest data breach in Senate history.” With the assistance of a friend who was still on Hassan’s payroll, he stole virtually everything from her computers and used some of the information to “dox” political opponents.
Hassan’s computers also contained information submitted by her constituents when seeking assistance in dealing with federal agencies. Often these requests involve personal matters such as Social Security payments, Medicare claims, and immigration issues. Hassan requires every applicant to provide his Social Security Number.
Cosko was caught red-handed on October 2. Thus far, it seems, Hassan has not informed her constituents of the breach, wrote the Daily Caller’s Luke Rosiak:
Hassan’s office provided no evidence to the Daily Caller News Foundation that it had disclosed its own breach, and several New Hampshire residents who had communicated with Hassan’s office told the DCNF they had not received any notification that their information could be in the hands of bad actors. Records showing Senate offices’ mailings to constituents show none from Hassan.
One of Hassan’s constituents is Tony Woody, a veteran who has blown the whistle on the Manchester Department of Veterans Affairs (VA) hospital. Woody told Rosiak “he provided evidence about VA wrongdoing that, if leaked, could put him at risk of retaliation.”
“That could be me [among those whose data was stolen]. But I don’t know since I’ve never heard anything,” he said. “Maggie got copies of all my evidence. I don’t want that coming out. There was medical stuff in there, personal stuff. She’s going to have to answer some really hard questions.”
Hassan has certainly not been averse to demanding corporations answer “hard questions” when their systems have been hacked.
In a 2017 Senate Commerce Committee hearing on Equifax’s data breach, she said, “There are state-by-state laws requiring private and public entities to notify individuals when there are security breaches of their personal identifying information. These laws represent the lowest amount of communication required. I’m interested in what companies are proactively doing.” She took Equifax to task again in March 2019, five months after her own data breach was uncovered.
Even more brazenly, just eight days after Cosko was nabbed, she chastised Google for failing to notify people of a bug in its Google+ API that could have leaked users’ data. “It is really concerning to me that an incident affecting this many people didn’t have to be disclosed publicly,” she said.
In December, Hassan, along with 14 other senators, introduced a bill to require companies to “promptly inform users of data breaches that involve sensitive information,” according to a press release from cosponsor Amy Klobuchar (D-Minn.).
But the senator who expects private entities to go above and beyond their legal duties when data breaches occur may not even have lived up to her responsibilities under the law, the evidence suggests. New Hampshire has a statute that requires “any person doing business in this state” who experiences a data breach to “notify the affected individuals as soon as possible.” (New Hampshire Associate Attorney General James Boffetti told Rosiak that law doesn’t apply to the federal government, though “he declined to point to the legal reference establishing that.”) Virginia, Maryland, and the District of Columbia, home to many of Hassan’s employees, also have laws mandating disclosure of data breaches, some of which carry hefty fines for violations; Virginia’s specifically states that it applies to government.
“This was an extensive theft of personal data. She should inform the victims of just what information was breached,” Tom Anderson, a government ethics expert with the National Legal and Policy Center, told Rosiak.
After all, as Hassan herself put it, it’s what she should have been “proactively doing” months ago.