Archives officials grilled on the Hill over missing data drives

So, why can't the National Archives hang on to its computer hard drives?

That's the question that the House Information Policy, Census and National Archives wants answered.

Rep. William Lacy Clay (D-Missouri), is chairman of the panel, a part of the House Oversight and Government Reform Committee.

The theft or loss of the Clinton hard drive was very disturbing, and we look forward to hearing a status report on the agency's efforts to notify and identify individuals whose personal information may have been compromised.

It is more troubling, however, to hear of new instances of data breaches or losses.

The circumstances, and the agency's handling of them cast doubt on the National Archives ability to understand existing and emerging risk in order to properly safeguard the nation's electronic record.

Several months ago, Archives officials were in this same hearing room reporting to the panel on a hard drive containing archived electronic data representing thousands of e-mail messages containing data from the Clinton Administration.

In some cases, those messages contained personal information about White House staff of that era. That hard drive, one of several acting as a transition tool for the conversion of the data into a new database format, went missing from Archives offices in College Park, Maryland earlier this year.

Acting Archivist of the United States, Adrienne Thomas, says the device is still missing, and an investigation into the missing hard drive is continuing. She also told Chairman Clay that disciplinary action against NARA staff involving the missing hard drive is on hold at the request of NARA Inspector General Paul Brachfeld, while his office continues what he described as a "sensitive" investigation.

Just last month, Archives IG Brachfeld announced that his office was also investigating the loss of another hard drive approximately one year ago.

In this case, the device contained tens of millions of records for a system used by veterans to get copies of their records and discharge papers. The drive had malfunctioned, but contrary to an August 2008 NARA policy stating faulty storage drives were to be destroyed at a NARA facility, the drive instead was being returned to the manufacturer for data erasure, and eventual recycling.

In this case, NARA officials say the missing drive does not pose a significant data breach, because only authorized individuals had access to the disk until the time that it went missing, and that the drive was inoperable.

Archivist Thomas noted that in all cases, the contractor handled the disk according to privacy procedures specified in a government-wide contract for such services.

In questioning by Rep. Patrick McHenry (R-NC.), Archivist Thomas was asked what, if anything has changed at the Archives following the loss of the two devices.

We've decided to go beyond what is "acceptable", and the NARA CIO has adopted a policy that we will not send disks back to the vendor.

Thomas, who has been acting Archivist since December of last year, maintains that her agency followed all procedures specified in the contract, and believes that the missing drive poses no active security threat to those whose data was on the hard drive.

NARA IG Brachfeld testified that his investigation into the missing "veterans" hard drive is continuing. In written testimony, NARA officials told committee staff they are also "evaluating whether they should procure an external risk analysis" of the circumstances behind policies concerning these computer hard drives.

Archivist Thomas blamed the incidents on her agency's inability to more readily adapt policies and procedures with the rapidly changing technology of data storage.

Tags: seguridad archivos