
MEMORANDUM

TO: Chairman and Members
Georgia Crime Information Center (GCIC) Council

FROM: Terri Fisher
Deputy Director for GCIC

DATE: July 27, 2017

SUBJ.: Request for Approval of Actions Taken to Resolve Security Policy Violations – FY2017

During fiscal year 2017, security policy violations were identified by the following 27 criminal
justice agencies. Each of these agencies operates a device on the Georgia Criminal Justice
Information System (CJIS) network or accesses the network via a designated CJIS network
terminal agency.

• Alpharetta Department of Public Safety
• Barnesville Police Department
• Burke County Sheriff’s Office
• Clayton County Sheriff’s Office
• Cobb County Department of Public Safety
• DeKalb County Police Department
• Dublin Police Department
• Fannin County Emergency Management Agency
• Fulton County Police Department
• Gwinnett County Police Department
• Habersham County Sheriff’s Office
• Hephzibah Police Department
• Jonesboro Police Department
• Marshallville Police Department
• Newington Police Department
• Polk County 911 Department
• Pooler Police Department
• Richmond County Marshal’s Office
• Richmond County School System
• Richmond County Sheriff’s Office
• Rockdale County Sheriff’s Office
• Smyrna Police Department
• Sylvania Public Safety Department
• Treutlen County Sheriff’s Office
• Union City Police Department
• Upson County Probate Court
• Upson County Sheriff’s Office

1. In May 2016, GCIC conducted an audit of the Fulton County Police Department and
discovered a security violation in which a terminal operator used an incorrect purpose
code when processing an applicant criminal history check. Personnel action taken by
Fulton County Police Department was to implement an action plan to review purpose
code usage and to schedule quarterly refresher training for staff.

2. In July 2016, Cobb County Department of Public Safety notified the GBI regarding a
security policy violation in which an officer queried the GCIC network in order to obtain
vehicle tag information for personal reasons. Personnel action taken by Cobb County
Department of Public Safety was to issue the officer a 40-hour suspension without pay.

3. In August 2016, Gwinnett County Police Department notified the GBI regarding a
security policy violation in which an officer accessed driver and vehicle registration
information for personal use. As a result of an internal investigation, the officer resigned.

4. In August 2016, Gwinnett County Police Department notified the GBI regarding a
security policy violation in which an internal investigation revealed that a second officer
accessed driver and vehicle registration information for personal use. This officer also resigned.

5. In September 2016, GCIC conducted an audit of the Marshallville Police Department and
discovered two security violations. In one instance, an officer ran a criminal history
report on another employee and used the wrong purpose code; the officer is no longer
employed with the agency. In another instance, an officer ran a background check for a
local church but failed to maintain the consent form; personnel action taken by
Marshallville Police Department was to issue a reprimand and establish a log to which
future inquiries would be maintained.

6. In September 2016, GCIC conducted an audit of the Burke County Sheriff’s Office and
discovered two security violations. One violation was a result of an employee
running a criminal history without obtaining a signed consent form and the second
violation was a result of the same employee running a background search using an
incorrect purpose code. Personnel action taken by Burke County Sheriff’s Office was to
remind the operator of the proper handling and storage of consent forms and to stress the
importance of being attentive when selecting purpose codes.

7. In September 2016, GCIC conducted an audit of the Richmond County School System
and discovered three security policy violations that occurred when incorrect purpose
codes were selected to process applicant criminal history checks. In two instances, a
terminal operator failed to log out of her terminal and the relief operator continued to use
the codes that were already populated. In another instance, a background check was run
using a purpose code which resulted in the dissemination of national information.
Personnel action taken by Richmond County School System was to issue a verbal
warning to the operators, require remedial training on the use of the GCIC terminal and
completion of Security Awareness training.

8. In October 2016, GCIC conducted an audit of the Jonesboro Police Department and
discovered a security policy violation in which an operator ran a criminal history query
for an applicant and used an incorrect purpose code. Personnel action taken by Jonesboro
Police Department was to verbally counsel the operator and conduct remedial training
with staff.

9. In October 2016, GCIC conducted an audit of the Hephzibah Police Department and
discovered a security policy violation in which an operator ran her own criminal history
and used both a purpose code and ARN number incorrectly. Personnel action taken by
Hephzibah Police Department was to issue a written Letter of Counseling and remind the
employee of proper purpose code usage.

10. In October 2016, GCIC conducted an audit of the Barnesville Police Department and
discovered a security policy violation in which an operator inappropriately accessed the
system in order to retrieve a criminal history record at the request of a family member.
Personnel action taken by the agency was to place the operator on administrative leave
until her retirement which was effective December 1, 2016.

11. In October 2016, GCIC conducted an audit of the Upson County Sheriff’s Office and
discovered numerous security policy violations in which terminal operators used
incorrect purpose codes when processing criminal histories for employment purposes.
Personnel action taken by Upson County Sheriff’s Office was to retrain operators on the
correct usage of purpose codes.

12. In October 2016, GCIC conducted an audit of the Upson County Probate Court and
discovered two security policy violations in which criminal histories were run but there
was no documentation to substantiate the request. The individual who committed these
infractions was no longer employed by Upson County Probate Court at the time of the
audit.

13. In October 2016, GCIC conducted an audit of the Richmond County Sheriff’s Office and
discovered a security policy violation in which a purpose code was used incorrectly while
processing a criminal history background for a job applicant. Also, no consent form was
located for this request. Personnel action taken by Richmond County Sheriff’s Office was
to issue an oral reprimand to the employee, require review of the Criminal History
section of the GCIC Operating manual, re-signing of a Security Awareness statement,
and re-training regarding dissemination of criminal history requests.

14. In November 2016, GCIC conducted an audit of the Dublin Police Department and
discovered three instances of background checks that were processed incorrectly. In two
of the instances, the operator chose the incorrect purpose code. In another instance, a
background check run for investigative purposes did not reflect the required ARN number
which would associate it to a case. Personnel action taken by Dublin Police Department
was to provide remedial training related to running criminal history records, purpose code
usage and dissemination of information to the public.

15. In December 2016, Habersham County Sheriff’s Office notified the GBI regarding a
security policy violation in which an operator performed a background check, retrieved
information on the wrong individual and disseminated this information to the requestor.
Personnel action taken by Habersham County Sheriff’s Office was to suspend the
operator for two days and require the operator to review the criminal history section of
the GCIC Operations Manual.

16. In December 2016, Union City Police Department notified the GBI regarding a security
policy violation in which an officer without authorization accessed an individual’s driver
license data on numerous occasions. Personnel action taken by the agency was to present
formal counseling with an emphasis on possible discharge if further inappropriate usage
occurred and ordering the officer to undergo Security Awareness training.

17. In December 2016, Clayton County Sheriff’s Office notified the GBI regarding a security
policy violation that occurred when an employee accessed driver license and criminal
history information for personal reasons. Personnel action taken by Clayton County
Sheriff’s Office was to terminate the employee and arrest and charge the individual with
four counts of violating Computer Invasion of Privacy.

18. In January 2017, GCIC conducted an audit of the Rockdale County Sheriff’s Office and
discovered instances in which criminal histories were run without proper corresponding
case numbers. GCIC also discovered that a criminal history report was run using the incorrect
purpose code. Personnel action taken by the agency was to verbally counsel the employee
and to implement procedures whereby employment histories provided to the public are
reviewed prior to dissemination.

19. In February 2017, Dublin Police Department notified the GBI regarding a security policy
violation that occurred when an employee accessed the system in order to obtain
information regarding a family member. The employee resigned in lieu of termination.

20. In March 2017, Polk County 911 requested an offline search which confirmed that a
terminated employee had run an unauthorized driver history search on a relative, which
was discovered following the employee’s termination.

21. In March 2017, GCIC conducted an audit of the Treutlen County Sheriff’s Office and
discovered numerous instances of non-compliance related to consent forms. In three of
the instances, the employees responsible for accessing criminal history information
without obtaining consent forms were no longer employed by the agency; while in the
remaining four instances it was acknowledged that staff did not obtain signed
authorization forms prior to running criminal history backgrounds. Corrective action
taken by the agency consisted of providing training and the issuance of a directive related
to signed consent forms and criminal history queries.

22. In April 2017, GCIC conducted an audit of the Fannin County Emergency Management
Agency and discovered three instances of non-compliance related to purpose codes when
running background checks. Personnel actions taken by the agency were to verbally
reprimand the dispatchers, require retraining on correct purpose code usage and
implement policy changes.

23. In May 2017, Alpharetta Department of Public Safety notified the GBI regarding a
security violation that occurred when a police officer accessed vehicle registration data
for law enforcement purposes but later misused the information. Personnel action taken
by the agency was to terminate the officer’s employment.

24. In May 2017, the Pooler Police Department notified GBI regarding a security violation
that occurred when a police officer accessed an individual’s vehicle registration and
driver license information for personal reasons. Personnel action taken by the agency was
to terminate the officer’s employment.

25. In May 2017, the DeKalb County Police Department notified the GBI regarding a
security violation that occurred when an employee accessed the GCIC database to obtain
information for personal use. Personnel action taken by the agency was to suspend the
employee for eight (8) hours and issue a written counseling.

26. In May 2017, GCIC conducted an audit of the Sylvania Public Safety Department and
discovered a security violation that occurred when a terminal operator ran criminal
history inquiries without obtaining required consent forms. The operator was retrained
on correct purpose code usage.

27. In May 2017, GCIC conducted an audit of the Newington Police Department and
discovered security violations related to unauthorized use of the CJIS network in which
an officer ran criminal histories for personal use. Personnel action taken by the agency
was to reprimand the officer, place the officer on a 6-month probationary status, suspend access to
the ALEN system and require retaking of the GCIC certification exam.

28. In June 2017, the Richmond County Marshal’s Office notified the GBI regarding a
security violation that occurred when an officer used his mobile data terminal to run car
tag numbers for personal use. Personnel action taken by the agency was to terminate the
officer’s employment.

29. In June 2017, Smyrna Police Department notified the GBI regarding a security violation
that occurred when an employee improperly disseminated GCIC information via a
GroupMe application. Personnel action taken by the agency was to terminate the
employee and secure a state warrant for computer theft.
