MEMORANDUM

TO: Chairman and Members

Georgia Crime Information Center (GCIC) Council

FROM: Terri Fisher

Deputy Director for GCIC

DATE: August 24, 2018

SUBJ.: Request for Approval of Actions Taken to Resolve Security Policy Violations
– FY’2018

During fiscal year 2018, security policy violations were identified by 21 criminal justice
agencies. Each of these agencies operates a device on the Georgia Criminal Justice Information
System (CJIS) network or accesses the network via a designated CJIS network terminal agency.
In addition, one agency reported a training policy violation.

• Bibb County Sheriff’s Office

• Broxton Police Department
• Catoosa County E911 Emergency Communications
• College Park Police Department
• Cumming Police Department
• DeKalb County Police Department
• Fairburn Police Department
• Fayette County Sheriff’s Office
• Fort Valley Police Department
• Fulton County Emergency 911 (Training Violation)
• Georgia Department of Corrections
• Georgia Department of Public Safety
• Glynn County State Court
• Johnson County Sheriff’s Office
• LaGrange Police Department
• Laurens County Sheriff’s Office
• Rockdale County Sheriff’s Office
• Sandy Springs Municipal Court
• Savannah-Chatham Police Department
• Savannah Police Department
• Stephens County Sheriff’s Office
• Taliaferro County Sheriff’s Office
1. In June 2017, College Park Police Department notified the GBI regarding a security policy
violation in which an employee improperly disseminated GCIC information via a GroupMe
application; sensitive law enforcement information was shared and posted on this unsecured
application. Personnel action taken by College Park Police Department required the
employee to retake Security Awareness training and a training module was created to address
proper sharing of GCIC information for presentation during annual training.

2. In July 2017, Catoosa County 911 Emergency Communications notified the GBI regarding
two security policy violations discovered during an agency audit. One instance dealt with
incorrect purpose code usage and personnel action taken by the agency required operator
retraining. In another instance, a query was performed in which an incorrect purpose code
was used, the search Agency Reference Number (ARN) was associated with a different
police agency and the name searched was not associated with the ARN. The agency indicated
that due to the requestor being on extended medical leave, all investigative leads were
exhausted and no personnel action was taken.

3. In July 2017, Stephens County Sheriff’s Office notified the GBI regarding a security policy
violation in which an employee ran an unauthorized wanted persons query. Personnel action
taken by Stephens County Sheriff’s Office was to terminate the individual’s employment.

4. In July 2017, Fairburn Police Department notified the GBI regarding a security policy
violation in which an officer improperly disseminated GCIC information via a GroupMe
application; sensitive law enforcement information was shared and posted on this unsecured
application. Personnel action taken by Fairburn Police Department required the employee to
retake Security Awareness training, a letter of reprimand was issued and the individual was
demoted.

5. In July 2017, Broxton Police Department notified the GBI regarding a security policy
violation in which an officer responded to a request for law enforcement assistance and
disseminated tag information to an unauthorized recipient. Personnel action taken by Broxton
Police Department required the officer to retake Security Awareness training.

6. In July 2017, Bibb County Sheriff’s Office notified the GBI regarding a security policy
violation discovered during an agency audit for incorrect purpose code usage and
dissemination. Action taken by Bibb County Sheriff’s Office was to require completion of a
training class focused on proper processing of criminal history checks and selection of
purpose codes and appropriate dissemination.

7. In July 2017, Johnson County Sheriff’s Office notified the GBI regarding a security policy
violation discovered during an agency audit for incorrect purpose code and Agency
Reference Number (ARN) usage. Personnel action taken by Johnson County Sheriff’s Office
was to issue a verbal warning to operators regarding the proper entry of ARNs and to provide
individual instruction where warranted.

8. In July 2017, Taliaferro County Sheriff’s Office notified the GBI regarding a security policy
violation discovered during an agency audit for incorrect purpose code usage and
 dissemination as well as improper case number documentation. Personnel action taken by
Taliaferro County Sheriff’s Office was to review guidelines for proper purpose code usage
and dissemination, and procedures for logging and documenting case number information.
Agency advised that employees deemed non-compliant will be disciplined.

9. In July 2017, GCIC was notified by GBI Region 13 that an investigation was being
conducted on a Fort Valley Police Department officer alleged to have used his official
position to obtain motor vehicle registration on a person that was not under criminal
investigation. On July 6, 2018, the officer was arrested by the GBI and charged with
Unlawful Possession of Identification Documents.

10. In August 2017, DeKalb County Police Department notified the GBI regarding a security
policy violation involving improper access of a private citizen’s vehicle information for non-
law enforcement purposes. Personnel action taken by DeKalb County Police Department was
to present the officer with a 40-hour suspension and written counseling.

11. In August 2017, LaGrange Police Department notified the GBI regarding a security policy
violation in which an officer accessed and disseminated tag and driver information for
personal reasons. The officer resigned in lieu of termination.

12. In September 2017, Fayette County Sheriff’s Office notified the GBI regarding a security
policy violation in which an employee posted a screen shot of a wanted person hit to an
application that was not secure and was used for non-law enforcement purposes. Personnel
action taken by Fayette County Sheriff’s Office was to issue the employee a verbal
reprimand and require completion of Security Awareness training.

13. In September 2017, Laurens County Sheriff’s Office notified the GBI regarding a security
policy violation in which a terminal operator used another operator’s ID and password to
access the system. Personnel action taken by Laurens County Sheriff’s Office was to issue a
written reprimand, conduct additional training and a new Awareness Statement was signed
by the employee.

14. In October 2017, Savannah-Chatham Police Department notified the GBI regarding a
security policy violation in which a Savannah Chatham 911 dispatch employee improperly
ran and disseminated vehicle tag number at the request of another individual. The employee
resigned in lieu of termination.

15. In October 2017, Georgia Department of Corrections notified the GBI regarding a security
policy violation in which a superintendent improperly ran criminal history backgrounds.
Personnel action taken by Georgia Department of Corrections was to terminate the
individual’s employment.

16. In November 2017, Georgia Department of Public Safety notified the GBI regarding a
security policy violation in which an officer improperly disseminated GCIC information via a
GroupMe application; sensitive law enforcement information was shared and posted on this
 unsecured application. Personnel action taken by Georgia Department of Public Safety was
to provide the officer with a Letter of Concern regarding the incident.

17. In November 2017, College Park Police Department notified the GBI regarding a security
policy violation in which an officer asked other officers to run tag information on a vehicle
for personal reasons. Personnel action taken by College Park Police Department was to
counsel the officers on the importance of determining the purpose for requests before running
queries. The officer that made the requests resigned in lieu of termination.

18. In December 2017, Georgia Department of Public Safety notified the GBI regarding a
security policy violation in which an individual’s personal information was improperly
accessed through GCIC. The trooper resigned in lieu of disciplinary action.

19. In January 2018, Cumming Police Department notified the GBI regarding a security policy
violation in which a city employee ran criminal history inquiries without obtaining or
retaining the proper consent forms. Personnel action taken by the Cumming Police
Department was to terminate employment.

20. In March 2018, Rockdale County Sheriff’s Office notified the GBI regarding a security
policy violation in which a deputy ran a vehicle tag through GCIC and used the information
for personal use. Personnel action taken by Rockdale County Sheriff’s Office was to
terminate employment.

21. In April 2018, Sandy Springs Municipal Court notified the GBI regarding a security policy
violation in which a contract employee forwarded GCIC links, usernames and passwords to a
personal email for tracking purposes. Personnel action taken by Sandy Springs Municipal
Court was to issue the individual a verbal reprimand and the individual was transferred to
another job location.

22. In May 2018, Fulton County Emergency 911 notified the GBI regarding a training policy
violation in which a supervisor solicited the assistance of two subordinates in answering
questions on a recertification exam with one employee finishing the exam on the supervisor’s
behalf. Personnel action taken by Fulton County Emergency 911 was to issue a written
warning to one employee and three-day suspension to the other employee and requiring both
employees to recertify in Security Awareness training. The supervisor resigned in lieu of
termination.

23. In June 2018, Savannah Police Department notified the GBI regarding a security policy
violation in which a police officer ran information for personal use. Personnel action taken
by Savannah Police Department was to issue the individual a written reprimand, a 10-day
suspension was given and Security Awareness training had to be completed.

24. In June 2018, Glynn County State Court notified the GBI regarding a security policy
violation in which there was improper dissemination of driver’s history information.
Personnel action taken by Glynn County State Court was to permanently remove the terminal
operator’s access to GCIC information, require completion of Security Awareness training
and signing a new Awareness Statement.