Ask Arvada

Data Exposure Event

Ask Arvada logo

These Frequently Asked Questions should provide the information you may need.  If after reviewing these you still have questions, please contact our call center at 855-770-0004 between 8 a.m. and 5 p.m. MST.  When calling, if you received a notification letter, please have it with you and use the reference number provided in the letter.  If you did not receive a notification letter, please use the following reference number: 2490041112

Q.  When did the exposure occur?

We discovered the exposure of personal information on July 8, 2011.  The documents had been accessible at various times since January 1, 2006.  These documents were removed between July 8, 2011 and July 14, 2011.

There was no theft.  The document containing the information was accessible on our Web site but access was stopped.  We found no proof that anyone actually viewed or accessed the information.  There has been no report of fraud related to exposure of information on the City’s Web site.

Q. Why was personal information in the database in the first place? 

The information was inadvertently placed on documents that were stored  in the Building Inspection and Community Development files to help provide a history of the building activity and business types in the City. 

Q.  Will I receive the data exposure notification letter?

Notification letters were sent by the City of Arvada only to the individuals and businesses identified by the City, whose personal or sensitive information was contained in documents that were previously accessible through our Web site.  The letter lists the information that was involved.  That information was removed from the Web site and the information is no longer publicly viewable. For further information, please call our privacy line at 855-770-0004 between 8 a.m. and 5 p.m. MST.  When calling, if you received a notification letter, please have it with you and use the reference number provided in the letter.  If you did not receive a notification letter, please use the following reference number: 2490041112

Q.  What personal information was included in the data base?

The letter lists the information that was previously accessible on our Web site.  This information was identified by data security experts the City hired to conduct a comprehensive investigation.  The types of personal information involved included individuals’ names, dates of birth, Social Security numbers, and driver’s license numbers, and businesses’ federal or other ID numbers, and financial information.

Q: Was the information password protected or encrypted?

No.  The City made public databases available over the Web in an effort to provide transparent and convenient access to public records and therefore, none of the document files were encrypted or password protected.  The City has taken aggressive actions, including employee training and new data security practices and protocols, to ensure that private documents will not be included in our publicly available databases in the future.

Q.  How do you know there wasn’t more information in the database?

In order to identify the personal information involved, we retained forensic experts who had a team of attorneys review over 77,857 files comprising 1,196,808 pages of information.  We are confident that this comprehensive and expert review identified the personal information involved in the exposure.

Q.  Why weren’t the affected individuals and businesses notified sooner?

Due to the technical complexity of the investigation, the extremely high volume of document pages on our databases, and our efforts to be as thorough and accurate as possible in our investigation and response, it required a very time-intensive, multi-stage process.  Because the document pages contained in these files were not electronically searchable, the investigation required individual, by-hand review, of 1,196,808  pages of information.

When the City discovered on July 8, 2011 that one document containing personal information was accessible online, we had to determine whether this was an isolated case. As soon as we determined the potential exposure was broader, we immediately began the process of denying access to the applicable sections of the web site.  By July 14, 2011 all applicable sections of the Web site were identified and access to the documents containing personal information was denied.  The scope of this document exposure involved 77,857 files comprising 1,196,808 pages of information.  These pages were non-searchable picture-type (scanned) pages, so a quick computer search of the information was not an option.  For instance, by turning to experts we confirmed that technology did not exist to determine if a specific file was opened or viewed.  We confirmed that a statistical sampling of the documents to assess what percentage of them might contain personal information would not be sufficiently reliable.  Therefore, all of the 1,196,808 pages had to be physically examined in order to determine what personal information was previously accessible on the Web site. 

In order to accomplish this large task, we retained forensic experts who used a team of attorneys to review each page of the documents for legally defined personal information.  There was significant technical and legal work that had to be conducted to coordinate these services, encrypt the 77,857 files, and provide the documents to the review team. 

The expert portion of the document review project was completed on March 2, 2012.  Much of the information identified as potentially sensitive was not legible or not the type of information that can lead to fraud, so those identifications had to be removed.  Much of the information in the documents was at times 30 or more years old, and current address or contact information of affected individuals had to be identified.  City staff, in conjunction with various experts, then developed the notification letters, provision of credit monitoring services, and all information to assist the public and answer questions.

Transparency in City operations is very important.  Transparency in the service of the public was the motivation behind providing online access to our records in the first place.  However, the security of our citizen’s personal information is critical, and as you can appreciate, so was the imperative to ensure accuracy in the recovery and notification process.

Q.  Was any personal information actually stolen, or compromised in any way?  How do you know it wasn’t?

This is a situation where information was inadvertently made accessible online for a period of time.  There was no data theft, and there is no proof anyone even viewed the documents.  There has been no report that anyone’s information has been misused.   

Q.  Has anyone’s personal information been misused as a part of this?

There have been no reports of misuse related to the exposure of the information.

Q.  I haven’t gotten a letter.  How do I know I’m not involved?  

All individuals and businesses affected by this were sent a notification letter.  l

Q.  Are you publishing a list of potentially affected individuals?

No, we have an obligation to keep that information private.  We can say that all 921 individuals and businesses we identified as being involved were sent notifications.

Q.  I received a letter. Am I the only one this happened to?

No, other people were also affected and we have notified them as well.  All 921 individuals and businesses we identified as being involved, were sent notifications.

Q.  Is the notification letter I received legitimate and from the City?

Yes, it is.  The City has provided notification letters to individuals and businesses affected by this data exposure event.  To confirm the legitimacy of a notification letter, the recipient of a letter can contact the Call Center at 855-770-0004 between 8 a.m. and 5 p.m. MST and provide the Reference Number which is underlined in the fifth paragraph of the letter.  The letter explains that the credit monitoring and other services are being provided for one year at no cost to them by the City of Arvada.  The Call Center can provide further information regarding how to enroll in this service.

Q. Is anyone a victim of identity theft?

We have no information that indicates anyone has been a victim of identity theft.  The Federal Trade Commission states on their Web site: “Identity theft occurs when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes.”  The fact that someone may have had access to personal information does not mean that  anyone is a victim of identity theft, or that the personal information was used to commit fraud. We wanted to let everyone know about the incident so that  steps can be taken to to protect  one’s personal identity should you feel it is appropriate to do so.

The FTC provides a lot of helpful information.  You can visit their Web site at www.ftc.gov/bcp/edu/microsites/idtheft/ or you can call their hotline at 1-877-IDTHEFT (438-4338). 

Q.  What you can do to protect yourself?

To protect against possible identity theft or other financial loss, data security experts recommend that you to remain vigilant and to monitor your credit reports.   Under U.S. law, you are entitled to one free credit report annually from each of the three major credit bureaus, Equifax, Experian and TransUnion.  To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.

In addition, the Federal Trade Commission provides a lot of helpful information.  You can visit their Web site at www.ftc.gov/bcp/edu/microsites/idtheft/ or you can call their hotline at 1-877-IDTHEFT (438-4338). 

According to the FTC, to determine whether someone is using or trying to use your personal information you should consider questions such as the following:

- Have you noticed any charges on your credit accounts that you do not recognize?
- Have you received phone calls from creditors, bill collectors, or service providers that you do not recognize?
- Have you noticed a significant change in your credit score, but have not opened/closed any accounts?
- Have you received any medical claims from procedures you did not have done?
- Have you been notified by the IRS about money owed that you are unaware of?
- Have you been denied medical coverage for a procedure due to your coverage max being met, but you feel you should have ample available coverage?
- Has a background check on you come back with discrepancies that you are unaware of?
- Have you received checks, debit cards, or credit cards from accounts that you have no knowledge of?
- Are you receiving or have you received calls from a college or university or student financial aid service stating that you are delinquent on tuition payments, even though you are not attending school or have no outstanding loans?

For individuals who received a notification letter
To protect against possible identity theft or other financial loss, we encourage you to take advantage of the resources the City has made available to you and the other advice and resources.  These are outlined in the letter you received, which includes enrollment information for a free one-year membership to Experian’s ProtectMyIDTM Alert.  You may call our privacy line at 855-770-0004 to learn more.  When calling the privacy line, you will need the ten-digit reference number provided on your letter.

Q. What happens if you suspect that you are the victim of Identity Theft?

The Federal Trade Commission provides a lot of helpful information.  You can visit their Web site at www.ftc.gov/bcp/edu/microsites/idtheft/ or you can call their hotline at 1-877-IDTHEFT (438-4338).

For individuals who received a letter: We encourage you to enroll in a free one-year membership to Experian’s ProtectMyIDTM Alert.  This product helps detect possible misuse of your personal information and provides you with identity protection services focused on immediate identification of and resolution of identity theft.  You may call our privacy line at 855-770-0004 to learn more.  When calling the privacy line, you will need the ten-digit reference number provided on your letter.

Q.  How did the City let this happen? 

We have an important obligation to share information with the public and transparency in City operations is very important to us.  That’s why we provide online access to our records in the first place.  However, the security of our citizen’s personal information is also critically important to us and we are going to be more secure going forward.  A number of measures are already in place and we will continue to improve.  We are truly sorry for any impact this may have caused, and we want to assure you that we take this matter very seriously.

We have taken comprehensive action to address this specific incident and to safeguard City records in the future.  In order to avoid having this occur again in the future, the City has updated its Public Information Repository/Document Imaging Policy.  The City also conducted in depth training sessions on the Public Records Security Protocol with staff members responsible for scanning City documents and their supervisors.  In addition, the City is expanding the technological safeguards and use of system audits to prevent future incidents.

Q.  Has the City fixed the problem? How can I be assured if I continue doing business with the City that this won’t happen again?

We have taken action to address this specific incident and to safeguard City records in the future.  In order to avoid the exposure of personal information, the City updated its Public Information Repository/Document Imaging Policy.  The City also conducted in depth training sessions on the Public Records Security Protocol with staff members responsible for scanning City documents and their supervisors.  In addition, the City is expanding the existing technological safeguards and use of system audits to prevent future incidents.

Q: When will the web site be fully functional again?

The documents containing Personally Identifiable Information have been removed.  We are doing some final testing to make sure the web site is functioning the way we want it to before restoring all sections.

Q. Where can I go for more information?

We encourage you to call our privacy line at 855-770-0004 between 8 a.m. and 5 p.m. MST.  When calling, if you received a notification letter, please have it with you and use the reference number provided in the letter.  If you did not receive a notification letter, please use the following reference number: 2490041112


 


Look for other Answers