Boulder County took a month or longer to notify inmates that the jail had exposed their Social Security numbers

Late in December, CPR News discovered that the Boulder County jail had inadvertently published hundreds of inmates’ personal information, including Social Security numbers, in a spreadsheet on its website.

Within hours, the jail fixed the problem and issued a press release. But it took a month or longer for affected inmates to receive direct notification of the breach, in some cases exceeding the 30-day notification period described in state law.

The Boulder County Sheriff’s Office sent letters to hundreds of current and former inmates informing them of the lapse and offering a year of access to the Experian IdentityWorks protection service.

“We understand how upsetting this incident has been for the individuals whose data was leaked, and we are committed to helping individuals who were impacted to avoid any negative outcomes from the incident,” the sheriff’s office said in a written statement to CPR News.

The sheriff’s office also provided Spanish-language notices and telephone numbers for inmates to call for help. The county will pay $15.99 for each individual who enrolls in the identity-protection service.

There is no sign that the information was misused by anyone, the sheriff’s office said.

Some inmates learned about the leak past the deadline for data breach notifications

Colorado companies and governments must notify individuals about data breaches within 30 days, according to the Attorney General’s office. For some inmates, the Boulder response took about a week beyond that deadline.

In its statement, the sheriff’s office noted that it issued a media release and published information about data security on its website within days, and the office defended the longer timeline for sending letters to some individuals.

The sheriff’s office said it was a long process to purchase the identity protection service for affected inmates. That delay was caused by several factors — including, ironically, a data breach at one of the protection services that was under consideration. The county also was delayed as it waited for a response from its cybersecurity insurance company, the statement said.

The cybersecurity service was finally set up on Jan. 17, a couple of days before the 30-day mark. But the delivery of the letters was again put off by severe weather and the difficulties of tracking down people at different facilities, as well as making technical changes so that inmates could make calls from jail facilities to the credit bureaus.

“Thus, while many of the letters were delivered by January 19, unfortunately others were not,” the sheriff’s office said in its statement.

Some went out as late as about Jan. 25, according to public records requested by CPR News.

The state Attorney General’s office can choose whether to pursue punishments — usually fines — for organizations that fail to report data breaches to individuals within 30 days.

What caused the breach?

The Social Security numbers were published in downloadable spreadsheets that were meant to show basic information about the jail’s current inmates. The sheets had recently been reconfigured, and a staffer accidentally set up the system so that it included Social Security numbers in the documents.

Public records show that the department moved quickly after CPR News notified it of the error. The information had only been online for a few days, according to the sheriff’s office, and it was taken down within hours of its discovery. County employees continued to work on their response to the breach over the next several weeks, records show.

“Our investigation did not find any indication that the information was misused, and we have not received any reports of identity theft that occurred as a result of the incident,” the sheriff’s office said.