Report Suspected Data Breach to City IT - Colorado Springs

Colorado Springs, Colorado residents, contractors, and city staff must report suspected data breaches to the City Information Technology team immediately to protect personal data and enable timely containment and notification. This guide explains who to contact at the City, what information to collect, the department roles that enforce incident handling, likely enforcement outcomes, and practical steps to report, escalate, and appeal. It is intended for anyone who discovers unauthorized access, loss, or disclosure of city-held information systems or records.

Who should report and when

Any employee, contractor, vendor, or member of the public who suspects unauthorized access, disclosure, destruction, or loss of data held by the City of Colorado Springs should report the incident without delay. Early reporting preserves logs and evidence and enables the City to begin containment and notification processes.

How to report a suspected breach

Collect basic facts before reporting: date/time of discovery, systems affected, types of data involved (e.g., personal identifying information), current containment steps taken, and contact details for the reporter. Then submit the information to the City Information Technology incident intake channel or the City privacy contact listed by the City. See official City contacts below for submission methods and expected acknowledgements.City Information Technology^[1] City privacy notice^[2]

Penalties & Enforcement

The City handles security incidents under the authority and policies of the Information Technology department and the City Attorney where legal review is required. Specific fine amounts or statutory penalties for failures to report or secure data are not specified on the cited City pages; refer to the enforcing department contacts below for case-specific consequences and legal referrals. Current policy references and procedural guidance are maintained by City IT and legal counsel and may be updated; where numeric penalties or escalation schedules are not published, the source pages are cited below and are current as of February 2026.

• Enforcer: City of Colorado Springs Information Technology and City Attorney for legal actions and referrals.
• Inspection and complaint intake: use the Information Technology incident reporting channel and the City privacy contact listed on the City site.^[1][2]
• Fines and monetary penalties: not specified on the cited page.
• Escalation: legal referral, civil or administrative action, or law enforcement referral depending on severity and applicable law; specific escalation timelines are not specified on the cited page.
• Non-monetary sanctions: corrective orders, system access restrictions, mandatory remediation, or civil litigation may be pursued by the City or its legal representatives.

Applications & Forms

The City does not publish a public, standalone ‘‘data breach form’’ on its IT or privacy pages; reporting is handled via the Information Technology incident intake process or the privacy contact listed on City pages. If a formal form is required for a specific incident, the IT department or City Attorney will provide it during intake.^[1][2]

Action steps - immediate checklist

• Stop further unauthorized access if safe to do so and document actions taken, including timestamps.
• Preserve logs and evidence; do not overwrite or delete system logs where possible.
• Prepare a short incident summary with affected systems, data types, and known impact.
• Report the incident to City Information Technology via the official contact channel.^[1]
• If personal data of residents is involved, follow any applicable state breach notification laws and City privacy guidance; the City privacy page describes the City contacts for notifications.^[2]

FAQ

Who in the City receives reports of suspected data breaches?

The City Information Technology department is the primary intake point; the City privacy contact and City Attorney collaborate for legal review and notification decisions.

What information should I include when I report?

Include discovery time, affected systems, types of data exposed, steps you took, and your contact information.

Will I get confirmation after I report?

The City IT intake process typically acknowledges reports and may provide next steps; specific acknowledgement timelines are not specified on the cited pages.

How-To

1. Document the incident facts: when and how it was discovered, systems affected, and immediate containment actions taken.
2. Contact City Information Technology using the official intake channel and provide your incident summary and contact details.^[1]
3. Preserve evidence and refrain from making changes that could destroy logs; follow IT instructions for secure handover.
4. If directed, complete any forms provided by IT or the City Attorney and submit supporting documentation as requested.
5. Follow up with the City contact for updates, remediation actions, and any notice or appeal instructions.

Key Takeaways

• Report suspected breaches immediately to City IT to protect evidence and enable rapid mitigation.
• Use the official City IT intake channel and the City privacy contact for notifications and legal review.^[1][2]

Help and Support / Resources

• City of Colorado Springs - Information Technology
• City of Colorado Springs - Privacy Notice
• City of Colorado Springs - City Attorney
• City of Colorado Springs - Police Department

1. [1] City of Colorado Springs - Information Technology
2. [2] City of Colorado Springs - Privacy Notice