San Diego Comic-Con is breaking California law because it exposed people's personally-identifying information on the Eisner voting site and has not notified the relevant parties about the data breach in accordance with California Civil Code s. 1798.29(a).
All credit to Gary Tyrrell for first breaking down the particulars of the website "anomaly" actually being a data breach under California law. Tyrrell's analysis comes on the heels of several rounds of lackluster reporting that failed to specify that addresses had been leaked, and failed to question whether the data leaks needed to be met with any further action by SDCC.
Chris Arrant's report for GamesRadar opens with the line "Voting on the 2020 Will Eisner Comic Industry Awards has been closed abruptly due to what is being called 'an anomaly with the site hosting the Eisner's voting.'" Notice the "what is being called" language. Called by whom? The report, both in content and in tone, never moves beyond this "anomaly" language to question exactly what the nature of the website issues was, despite the fact that it acknowledges that "several returning voters from previous years logged into the site and found portions of their personal information changed to unknown, third parties." In other words, people could see other people's personally-identifying information, something that many jurisdictions, from the entire EU to the state of California, now have laws governing.
Joe Grunenwald's report over at The Beat suffers the same issue, if only because it is an arbitrarily jumbled re-report of Arrant's work at GamesRadar.
Multiple accounts have appeared on Twitter of people saying that they were either worried that their addresses were exposed or that they were able to see the address of another user. The word "address" never appears in any of the reporting. The only mention of anything in the realm of the breach of personally-identifying information is the acknowledgement that returning voters had their personal information changed, a fact which receives no further specification.
I reached out to Melchior Thompson & Associates (MT&A) – makers of some legacy comic shop software called Comtrac, their website currently serving broken PHP – who are mentioned in the footer of the voting site as having "developed" the site, but I received no response. I also reached out to Rick Gerlach, who is listed as the contact for issues with using the voting website. Gerlach is the president of R&M Professional Services, the website of which – travelinghelpdesk.com – is also broken. Previous reporting has only mentioned MT&A, but Thompson's company and Gerlach's company by all appearances are different entities, and since the former is listed in the footer but the latter is the point of contact for using the voting website, it's unclear which party had what role in the development process.
In the e-mail sent by SDCC for the purposes of a vote redo, SDCC continues not to acknowledge the scope of the data breach; in fact, if you read the e-mail, you'll notice that they do not specify the quality of the breach in any discernible manner: what was formerly an "anomaly" is now a "recently reported issue." The vague reporting up to this point has created a situation that allows SDCC to smoothly de-escalate an issue that actually requires further action, minimally, on behalf of California residents. As Tyrrell points out in their reporting, the EU's GDPR doubtlessly comes to bear on this as well, but my expertise in GDPR is limited to handling requests regarding secure personal data, not breaches thereof.
Section 1 of California Civil Code 1798.29(a) plainly states that the notices regarding data breaches that must be sent to California residents must be sent in a specific format in plain language. If the breach affected more than 500 California residents, a copy of the notice must also be submitted to the California State Attorney General.
The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
Further, Section 2B states that, among the minimum information that should be in the notice, is "A list of the types of personal information that were or are reasonably believed to have been the subject of a breach." The fact that the word "address" never appears in any reporting or in any SDCC interactions with press or voters is thus a significant omission.
I reached out to Jackie Estrada with questions about how SDCC was planning on handling this; she directed me to their PR e-mail, from which I have not received a response. As far as I know at the time of writing this, SDCC has not contacted California residents with a "Notice of Data Breach" pursuant to 1798.29(a).
I will update this story if any of the involved parties respond.
If you are a California resident and you have received a "Notice of Data Breach" from SDCC, contact me and let me know. If you have not received such a notice, here is the relevant complaint form.