Washington, DC…There has been a recent allegation by a National Archives employee that the National Archives and Records Administration had improperly disclosed sensitive, personally identifiable information (PII) about veterans. The disclosure, the employee said, occurred when a defective disk drive from a veteran information database was sent for repair to a contractor in the fall of 2008.
After careful review by the National Archives privacy breach response team, the agency has concluded there was no breach of personal information.
The defective disk was one of several in a RAID array that supports an Oracle database, the Case Management and Reporting System (CMRS). The CMRS system is used by NARA’s Military Personnel Records Center in St. Louis to track requests for veterans’ personnel records.
In accordance with its established internal policy for handling potential information breaches, National Archives officials launched an investigation. The agency concluded that there was no breach of personally identifiable information (PII), since there is no evidence that the defective disk drive was ever in unauthorized hands or that any personal privacy information about veterans was ever accessed from the disk. A breach of PII occurs when unauthorized individuals have access to sensitive personal information.
Only authorized individuals and contractors had access to the defective disk, in accordance with the maintenance contract;
The contract included appropriate privacy protection requirements, which also applied to all subcontractors;
There is no evidence that the contractors that handled the disk engaged in any improper activity.
The National Archives has long conducted maintenance for unclassified computer hardware using standards consistent with the rest of the Federal government and the private sector, utilizing authorized computer maintenance contractors to monitor, fix, and replace this equipment, and placing appropriate management controls on the contractors to protect sensitive data that may have remained on defective magnetic computer storage components that were returned for repair or disposal. The defective CMRS disk drive was handled in accordance with these processes and controls.
In the summer of 2008, in response to guidance from the Office of Management and Budget advising Federal agencies on how to protect PII, the National Archives enhanced its PII policy to require that defective or otherwise decommissioned storage media that contained sensitive data, such as PII, be destroyed and disposed of at a NARA facility, rather than being returned to maintenance vendors as had been done previously.
The defective disk drive was sent to the maintenance contractor after this new policy was put in place, because the contract had not been changed as quickly as the policy. However, there is no evidence that doing so resulted in an unauthorized breach of any personal privacy information of veterans. Nor did this action violate the Privacy Act or OMB guidance.
The Federal government defines a PII breach as “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to PII, whether physical or electronic.” (See OMB Memo 07-16, on “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.”) OMB 07-16 also states the following:
“[A]gencies should assess the likelihood personally identifiable information will be or has been used by unauthorized individuals.”
Agencies should consider “the likelihood any unauthorized individual will know the value of the information and either use the information or sell it to others.”
“Agencies should bear in mind that notification when there is little or no risk of harm might create unnecessary concern and confusion.”
A “surfeit of notices, resulting from notification criteria which are too strict, could render all such notices less effective, because consumers could become numb to them and fail to act when risks are truly significant.”
The National Archives contracted with Sun Microsystems and its resellers and system integrators, including GMRI, to service or recycle its computer hardware. Under the terms of the contract, GMRI and its subcontractors were prohibited from releasing privacy data or information obtained during the performance of the contract.
The defective 2008 CMRS hard drive was provided only to authorized vendors – GMRI/Sun, Pinnacle Data Systems, Inc. (PDSI), and Sims Recycling – for authorized purposes, in accordance with a U.S. Government contract for the purpose of repair and maintenance of the CMRS system. All of these vendors were bound by the terms and conditions of the contract, which specifically prohibited them from releasing Privacy Act and any other sensitive data or information obtained in the performance of the contract.
The defective drive was part of a RAID-5 array. (RAID stands for Redundant Array of Independent Disks.) An inherent feature of a RAID array system is that the failure of an individual disk drive does not result in the loss of any original data.
Because NARA’s new, more stringent IT security requirements had not been fully implemented, the drive was sent back to the vendor, GMRI, for maintenance. GMRI sent the drive to Sun’s disk drive repair vendor, PDSI. PDSI, with 20 years of experience in IT repair and data recovery, tested the defective CMRS drive and determined that it was not economically feasible to repair. The drive was then sent to Sims Recycling Solutions to be scrapped for usable metals and parts. There is no evidence that any of these contractors improperly accessed sensitive information from the disk drive.
Because the disk drive was at all times with authorized contractors for authorized purposes, NARA does not believe that a breach of PII occurred. Accordingly, individual notification is not necessary.