CYBER SECURITY CONCERNS AT IDOC

For all the lip service Governor Butch Otter paid to tightening cyber security within state government during the 2018 State of the State address, the IDOC maintains SOPs governing staff access to computer [data] systems which not only threaten the privacy rights of prisoners and their families, but may endanger the very lives of crime victims.

Prior to a convicted felon being sentenced, the IDOC conducts a comprehensive investigation into the past and present of the defendant and generates a report called a Presentence Investigation report or PSI (Idaho Criminal Rule 32). The stated purpose of this report is to allow the sentencing judge to consider various factors about the defendant, including (but not limited to) criminal and civil records, social history (family and friendships), employment, financial and medical history (physical and mental), even the defendant's "sense of values and outlook on life in general" [ICR 32 (b)(9)]. The report may also contain the opinions of the IDOC presentence investigator, as well as any hearsay if the investigator believes the information may be reliable [ICR 32 (e)(1)].

The PSI, in addition to containing data concerning the defendant, will also contain data and information on family and friends of the defendant, including addresses, social and medical histories, contact information, even financial records and social security numbers. The same data may also be present regarding the victim[s] of the defendant. Most PSIs contain photo or data files regarding the defendant, the crime and the victim - even copies of child pornography (in such cases) and graphic crime scene photos.

Due to the extremely sensitive nature of the PSI, disclosure and dissemination of the data within the PSI are limited by law to a handful of persons/entities including the presiding judge, the prosecutor and the defendant. The Rule even prohibits all but "authorized" court personnel from reviewing the data within the PSI, including attachments, addenda and the like. After sentencing, the PSI must be "sealed" by the court, after which it cannot be opened without a court order authorizing the release of the report to a specific agency or individual [ICR 32 (h)(1)]. However, the law also provides that a copy of the report must "be available to the Idaho Department of Corrections [sic] so long as the defendant is committed to or supervised by the Department, and may be retained by the Department for three years after the defendant is discharged." Therein lies the problem.

In interpreting this Rule [ICR 32], the IDOC has determined that ANY IDOC staff member, from maintenance and food service personnel, to probationary security staff, to the Director of IDOC, even education staff, may access - and even print out - a prisoner's [unredacted] PSI data as maintained by the IDOC, without specific authorization or oversight. This, in effect, circumvents the Idaho Criminal Rules regarding access to the PSI, and gives any staff member, regardless of intention or need, access to the personal data of hundreds of thousands of people in Idaho and beyond - prisoners, victims and family/friends alike.

In addition to the photos and other such data, these staff, most of whom have no professional or work-related need whatsoever to view a PSI (other than to be nosy or for nefarious reasons), have direct access to social security numbers, birthdates and other data necessary to steal or create identities [FN 1]. In some cases, information regarding victims or their families (including photos, addresses, dates of birth, etc.) has been disclosed to prisoners by staff after having been looked up in a PSI. In other instances, staff have reviewed PSIs and divulged information to prisoners regarding otherwise unpublished aspects of another prisoner's crime [author DS complained of this issue to case management staff on August 3, 2016, yet there was no resolution other than verification that this was indeed allowed by SOP].

Restricting staff access to prisoner PSIs to a need-to-know basis should be a priority for the IDOC, with accountability, and with records kept of who accesses these sensitive files and which specific data they access. As the unofficial IDOC mantra goes, Security [whether cyber or physical] is never Convenient.
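The two controls recommended above, need-to-know access and a record of who accessed which data, can be illustrated in code. The following is an added example and not IDOC's software or any real PSI system; the roles, the field names, the sample record and the "caseload" rule that a case manager may see only the PSIs of prisoners assigned to them are all constructed assumptions. The point it shows is that a request is denied outright (not silently trimmed) when any requested field lies outside the role's need, that every attempt, granted or denied, is logged together with the specific fields requested, and that the log can then be reviewed for accounts that keep asking for data they have no business seeing.

```python
"""Need-to-know access control with an audit trail for PSI records.

Added example, not IDOC code. Roles, field sets, the caseload rule and the
sample record below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed field set for a PSI record (not the real ICR 32 structure).
ALL_FIELDS = {"name", "offense", "criminal_history", "social_history",
              "employment", "medical_history", "ssn", "dob",
              "victim_contact", "family_contact", "attachments"}

# Which fields each role has a work-related need for (constructed policy).
# A role absent from this table (education, food service, maintenance...)
# has no PSI access at all: access is denied by default, not granted.
ROLE_FIELDS = {
    "case_manager": set(ALL_FIELDS),          # full record, own caseload only
    "medical": {"name", "medical_history"},
    "probation_officer": {"name", "offense", "criminal_history", "employment"},
}

# Constructed sample store: one prisoner id with placeholder field values.
PSI_STORE = {
    "P-0001": {f: f"<{f} of P-0001>" for f in ALL_FIELDS},
}


@dataclass
class User:
    user_id: str
    role: str
    caseload: set = field(default_factory=set)  # prisoner ids assigned to user


@dataclass
class AuditEntry:
    when: str          # UTC timestamp of the attempt
    user_id: str
    prisoner_id: str
    fields: tuple      # the specific data the user asked for
    outcome: str       # "granted" or "denied"
    reason: str


AUDIT_LOG: list = []   # append-only record of every access attempt


class AccessDenied(Exception):
    """Raised when a request fails the need-to-know check."""


def _record(user, prisoner_id, requested, outcome, reason):
    AUDIT_LOG.append(AuditEntry(
        datetime.now(timezone.utc).isoformat(), user.user_id, prisoner_id,
        tuple(sorted(requested)), outcome, reason))


def read_psi(user, prisoner_id, requested_fields, store):
    """Return only the requested fields, and only if the whole request is
    within the user's need to know; log the attempt either way."""
    requested = set(requested_fields)
    allowed = ROLE_FIELDS.get(user.role)
    if allowed is None:
        _record(user, prisoner_id, requested, "denied", "role has no PSI access")
        raise AccessDenied(f"{user.role} has no PSI access")
    if user.role == "case_manager" and prisoner_id not in user.caseload:
        _record(user, prisoner_id, requested, "denied", "prisoner not on caseload")
        raise AccessDenied(f"{prisoner_id} is not on {user.user_id}'s caseload")
    outside = requested - allowed
    if outside:
        # Fail closed: deny the whole request rather than quietly filtering,
        # so the attempt to reach e.g. an SSN is itself visible in the log.
        _record(user, prisoner_id, requested, "denied",
                f"fields outside role: {sorted(outside)}")
        raise AccessDenied(f"{user.role} may not read {sorted(outside)}")
    record = store[prisoner_id]
    _record(user, prisoner_id, requested, "granted", "need-to-know satisfied")
    return {f: record[f] for f in requested}


def denied_attempts_by_user(log):
    """Count denied attempts per account: a simple review query over the
    audit log that surfaces accounts repeatedly reaching for data they
    have no need for."""
    counts = {}
    for entry in log:
        if entry.outcome == "denied":
            counts[entry.user_id] = counts.get(entry.user_id, 0) + 1
    return counts


if __name__ == "__main__":
    cm = User("cm-01", "case_manager", {"P-0001"})
    print(read_psi(cm, "P-0001", ["name", "offense"], PSI_STORE))
    try:
        read_psi(User("edu-01", "education"), "P-0001", ["ssn"], PSI_STORE)
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in AUDIT_LOG:
        print(entry)
    print(denied_attempts_by_user(AUDIT_LOG))
```

The audit entry records the fields requested, not just the record opened, which is what makes after-the-fact accountability possible: a later review can distinguish a medical officer who read a medical history from one who tried to pull a social security number.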

-------------------------
[FN 1] Whether or not any current or former staff has used the data available in the PSI for purposes of identity theft is currently unavailable (to me) and indeed may not even be able to be directly traced to the PSI access that IDOC allows all staff. 

DS