BUFFALO, N.Y. - Fifty case files with sensitive information about Erie County constituents were potentially exposed to the public during two separate instances in 2017, according to a letter sent this week from the Department of Social Services to the county legislature.
Commissioner Marie Cannon sent the correspondence to Minority Leader Joseph Lorigo after he requested information about the county's purchase of LifeLock, which protects people against data breaches.
There is no evidence that any Erie County residents had their identities stolen or had their information used against them in any way. However, according to Cannon, the two instances of possible data breaches involved Adult Protective Services and Child Protective Services case files, which include important information about some of the county's most vulnerable citizens.
A total of 37 Adult Protective Services case files were found in a folder on Clinton Street and returned to the Rath Building security desk, Cannon reported. An internal investigation showed the "vast majority" of cases found in the folder "had workers supervised by a recently retired civil service employee."
In a separate incident, a total of 13 Child Protective Services case files were potentially exposed after an employee had a bag stolen during a car break-in. That bag with those case files was recovered in a neighbor's driveway the next day, and the files did not appear compromised, Cannon said. The employee was disciplined for not properly securing the files.
All individuals and families involved in the possible data exposure were offered LifeLock, and the Department of Social Services contacted the County Executive's office and the state's Office of Children and Family Services, as required by protocol. A spokesperson for OCFS confirmed the agency provided technical assistance to the county after learning of the data breach concerns.
Legislator Lorigo, a Conservative who is frequently critical of Democrat Mark Poloncarz's administration, said he was disappointed in the lack of communication from the Department of Social Services. The possible data exposure was not reported to the public until the purchasing department told Lorigo in a committee meeting last week that it had approved the LifeLock transaction through the county's imprest fund.
"We weren't told about it. We happened upon it just by accident, really," Lorigo said. "You could have everything from social security numbers, addresses, credit card information, basically any information that a criminal would need to steal someone's identity."
In her letter to Lorigo, Cannon said the department followed all laws, regulations and policies regarding data breaches and reporting requirements.
"The information was not hidden," she said. "The Department contacted the appropriate state oversight agency and the individuals potentially affected."
County Executive Mark Poloncarz's spokesperson, Peter Anderson, said in an email that only three people took the LifeLock protection after it was offered by the Department of Social Services. The county spent only $879.10 on LifeLock, he said.
"It's really an overabundance of caution for the department to even offer the LifeLock protection," Anderson said, "but the security of personal information is important."
Lorigo said the county should have notified the public as a whole.
"The issue here isn't that there was a security breach. That happens every day," Lorigo said. "The issue here is that the Department of Social Services actively tried to hide it from the public and the legislature."
Cannon, who disputed that claim, said she would "happily" attend a committee meeting to discuss the issue further. Lorigo said he would welcome that opportunity.
A spokesperson for the Majority Caucus of Democrats in the county legislature said the group will be reviewing the information from DSS.