NARA admits violating internal policy on personal info

NARA's policy required it to destroy hard drives, but in some cases agency personnel returned them to vendors instead, official says.

The National Archives and Records Administration violated its information security policies by returning failed hard drives from systems containing personally identifiable information of current government employees and military veterans to vendors. By agency policy, NARA is supposed to destroy the hard drives rather than return them, according to a top NARA official.

However, the agency believes there was no disclosure of personally identifiable information despite the violations of its own policy, said NARA’s then-acting archivist Adrienne Thomas.

Thomas told the House Oversight and Government Reform Committee's Information Policy, Census and the National Archives Subcommittee Nov. 5 that on two separate occasions the agency sent defective disk drives back to vendors under a maintenance contract, rather than destroying and disposing of them in-house.

Today the Senate confirmed David Ferriero as the head of the agency.

Meanwhile, during the hearing Thomas said senior NARA officials recently discovered the agency had returned a hard drive from a system designed to digitize the official personnel files of current government employees. The system is believed to have contained files on employees from NARA, the General Services Administration and the Office of Personnel Management when the drive was returned to the vendor in April, she said. Thomas said the agencies had been notified.

Earlier, a similar violation of NARA policy happened when officials sent away a defective drive from a system the agency uses to track the more than one million requests for veterans records it gets annually. To ask for a record, veterans must provide information such as date and place of birth, branch and duration of service, social security number and/or service number, and the date and place of medical treatment.

Thomas said in both instances the drives were returned under existing contracts that contained privacy protections. However, she said that since those contracts had been signed, NARA’s policy had changed to prohibit the return of failed drives. That non-return policy, put in place in summer 2008, was broken in both cases, she said.

“It simply should never have happened,” Paul Brachfeld, NARA’s inspector general, told the committee.

“It’s game, set [and] match if you go to [National Institute of Standards and Technology] standards, if you go to [Office of Management and Budget] requirements, if you go NARA’s own internal policies and procedures: Once you have PII data stored on a mobile device it must be encrypted,” he said. “Furthermore should you ship that or lose custody, or give up custody and control, it must be scrubbed, wiped, [or] degaussed. In neither case that we’re talking about today was that done. This data went out.”

Meanwhile, Thomas said the return of the drive from the veterans record request system didn’t violate the Privacy Act or OMB guidance. In addition, she said, the agency handled the drive in accordance with government and industry standards for maintenance of unclassified computer hardware.

“NARA and the inspector general continue to review these incidents; however, at this time, there is no evidence that the defective disk drives were ever in unauthorized hands or that any PII was accessed from these disks and my staff and I have concluded that there was no PII breach,” she added.

However, Brachfeld wasn’t sure about the security of the hard drive from the veterans system or who had access to the data after it left NARA’s control and then passed between several companies.

The concern over how NARA handled defective hard drives comes after the revelation in May that a 2T external hard drive containing copies of records from the Executive Office of the President during the Clinton administration disappeared from a processing area at a NARA facility near Washington. NARA has offered a $50,000 reward for information leading to its recovery and issued thousands of breach notifications.

“We have policies and procedures that are defined, because they’ve been derived from NIST and OMB, so we have that piece of the equation,” Brachfeld said. “The question ... is ensuring with training and with oversight that there’s compliance ... and, as appropriate, punishment.”

Rep. Patrick McHenry (R-N.C.), the ranking member of the subcommittee, said there was “a culture of blatant disregard” at NARA that needed to be fixed. “It’s become very clear that the ongoing security breaches are not the result of a lack of awareness of security procedures by the staff, but a failure at the managerial level to enforce the procedure.” McHenry said lawmakers didn’t blame Thomas, who took over as acting archivist in December, for the current situation.

Meanwhile, Thomas said the agency was working to improve its IT security, which the agency has declared a material weakness, and was committed to learning from past mistakes. Thomas said NARA was conducting a comprehensive review of internal security controls related to the protection of PII in information technology systems at all of NARA’s locations.

She said the agency has started a review of:

  • Database encryption in systems.
  • Backup procedures.
  • All computer acquisition and maintenance contracts.
  • Internal PII awareness and training processes and procedures.

NARA plans to ensure it uses procedures for destroying and sanitizing media that are approved by the National Security Agency, Thomas said.