NEWS

Information breach: Nashville published private residents' Social Security numbers in court records

Joey Garrison
The Tennessean
Metro Nashville recently publicized confidential personal information — including Social Security numbers on arrest records — of an undisclosed number of private citizens.

Metro Nashville recently publicized confidential personal information — including Social Security numbers on arrest records — of an undisclosed number of private citizens in a public information breach by the city's government.

Davidson County Criminal Court Clerk Howard Gentry's office said Monday that it is "taking action to review and remedy" the breach.

Metro officials say some criminal affidavits attached to publicly available arrest warrants inappropriately included the Social Security numbers and other information of private residents.

The city is offering one year of credit monitoring and identity theft protection service in response to the situation, Mayor David Briley's administration announced.

The website Scoop: Nashville first exposed the breach on Aug. 1, reporting that it affected victims, as well as people who had never been arrested in addition to the accused.

"It is regrettable this information was made publicly available, and it absolutely should not have happened," Gentry, re-elected to his office this month, said in a statement. "We are looking into the scope of the breach, including the Metro agencies and individuals involved, and will be relying on the services of a third-party vendor to help with the investigation.

"Our preliminary review indicates that only a small portion of the total affidavits contained confidential identifying information."

Howard Gentry

Judith Byrd, a spokeswoman Briley, said the city does not have an exact number of people affected.

But Criminal Court Chief Deputy Clerk Julius Sloss said around 5,400 affidavits have been identified that potentially have a social security number or a driver's license number. He said he doesn't believe the number will be this high because there are likely duplicates and outlier data such as false social security and driver's license numbers.

In a news release issued by the mayor's office, the city says it plans to notify those affected within 45 days that their confidential information was disclosed. A third party will review breached information to identify people who have been impacted.

According to Byrd, the Metro Police Department on July 31 issued a reminder to officers that Social Security numbers, bank account numbers and other sensitive personal information that could place someone at enhanced risk of identity theft should not be placed in an arrest warrant affidavit.

Davidson County General Sessions Judge Melissa Blackburn issued an order on Aug. 7 that any arrest warrants including sensitive personal identifying information to be signed by a judicial commissioner. 

The city says it intends to scrub confidential personal identifying information from all affidavits before being posted on the Criminal Court Clerk's Office website, where those records are viewable. 

Briley's administration has also promised "proactive steps" to ensure confidential information does not appear on future affidavits.

The data breach involving criminal justice records is Metro's second episode this year that has raised questions about the handling of sensitive personal information.  

In June, the Tennessean reported that the identities of thousands of Tennesseans with HIV or AIDS, both living and dead, were listed in a computer database kept on a server accessible to the entire staff of the Nashville Metro Public Health. 

Metro Health officials said they don’t believe the database was improperly opened during the nine months it was on a shared server.

Reach Joey Garrison at 615-259-8236, jgarrison@tennessean.com and on Twitter @joygarrison.