Gov. Mike Parson, seen here in May 29, 2019, in Jefferson City, Mo., raised legal and ethical questions about responsible disclosure in October. (Photo by Jacob Moscovitch/Getty Images)

Mike Parson, the Republican governor of Missouri, said Wednesday he believed prosecutors will press criminal charges on a St. Louis Post-Dispatch reporter for what many security experts believe was a responsible disclosure of a data leak on a state website.

In October, reporter Josh Renaud alerted the state that the Department of Elementary and Secondary Education website embedded the social security numbers of 10,000 educators in the HTML source code distributed when users visited a publicly-accessible portion of the site. Parson swiftly accused Renaud of breaking state hacking laws, a move experts in computer security strategy said endangered all websites and left legal experts puzzled over what appeared to be a dangerous overreach.

Parson was asked during a press conference what he would do if the Cole County prosecutor dropped the case against Renaud.

"I don’t think that’ll be the case,” Parson said, as quoted and video-archived by the Post-Dispatch “That’s up to the prosecutor; that’s his job to do.”

Earlier this month, the Post-Dispatch used a public records request to document that the state Education Commissioner Margie Vandeven had initially proposed a statement thanking Renaud ("We are grateful to the member of the media who brought this to the state’s attention," it would have said), and that the FBI had informed a cybersecurity specialist with the state "that after reading the emails from the reporter that this incident is not an actual network intrusion."

Beyond the legal fate of an individual following industry-standard practices to alert an entity to a security issue, several cybersecurity experts worry that Gov. Parson would create a chilling effect for other disclosures in Missouri and beyond.

“We must never shoot the messenger,” Marten Mickos, CEO of HackerOne, said in October. “Prosecuting those that are doing their best to report vulnerabilities responsibly will only discourage proper disclosure in the long-term and render everyone less secure.”

But at the press conference Wednesday, Parson said he felt the disclosure was more akin to a burglary than a boon to security: “If somebody picks your lock on your house — for whatever reason, it’s not a good lock, it’s a cheap lock or whatever problem you might have — they do not have the right to go into your house and take anything that belongs to you.”