
Missouri gov believes reporter will still be prosecuted for disclosing data leak

Gov. Mike Parson, seen here on May 29, 2019, in Jefferson City, Mo., raised legal and ethical questions about responsible disclosure in October. (Photo by Jacob Moscovitch/Getty Images)

Mike Parson, the Republican governor of Missouri, said Wednesday he believed prosecutors will press criminal charges against a St. Louis Post-Dispatch reporter for what many security experts believe was a responsible disclosure of a data leak on a state website.

In October, reporter Josh Renaud alerted the state that the Department of Elementary and Secondary Education website embedded the Social Security numbers of 10,000 educators in the HTML source code distributed when users visited a publicly accessible portion of the site. Parson swiftly accused Renaud of breaking state hacking laws, a move experts in computer security strategy said endangered all websites and left legal experts puzzled over what appeared to be a dangerous overreach.

Parson was asked during a press conference what he would do if the Cole County prosecutor dropped the case against Renaud.

“I don’t think that’ll be the case,” Parson said, as quoted and video-archived by the Post-Dispatch. “That’s up to the prosecutor; that’s his job to do.”

Earlier this month, the Post-Dispatch used a public records request to document that the state Education Commissioner Margie Vandeven had initially proposed a statement thanking Renaud ("We are grateful to the member of the media who brought this to the state’s attention," it would have said), and that the FBI had informed a cybersecurity specialist with the state "that after reading the emails from the reporter that this incident is not an actual network intrusion."

Beyond the legal fate of an individual following industry-standard practices to alert an entity to a security issue, several cybersecurity experts worry that Gov. Parson would create a chilling effect for other disclosures in Missouri and beyond.

“We must never shoot the messenger,” Marten Mickos, CEO of HackerOne, said in October. “Prosecuting those that are doing their best to report vulnerabilities responsibly will only discourage proper disclosure in the long-term and render everyone less secure.”

But at the press conference Wednesday, Parson said he felt the disclosure was more akin to a burglary than a boon to security: “If somebody picks your lock on your house — for whatever reason, it’s not a good lock, it’s a cheap lock or whatever problem you might have — they do not have the right to go into your house and take anything that belongs to you.”

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
