[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]




 
   NATIONAL ARCHIVES AND RECORDS ADMINISTRATION ORGANIZATIONAL ISSUES

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON INFORMATION POLICY,
                     CENSUS, AND NATIONAL ARCHIVES

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 30, 2009

                               __________

                           Serial No. 111-70

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
                     http://www.oversight.house.gov



                  U.S. GOVERNMENT PRINTING OFFICE
58-132                    WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                   EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania      DARRELL E. ISSA, California
CAROLYN B. MALONEY, New York         DAN BURTON, Indiana
ELIJAH E. CUMMINGS, Maryland         JOHN M. McHUGH, New York
DENNIS J. KUCINICH, Ohio             JOHN L. MICA, Florida
JOHN F. TIERNEY, Massachusetts       MARK E. SOUDER, Indiana
WM. LACY CLAY, Missouri              JOHN J. DUNCAN, Jr., Tennessee
DIANE E. WATSON, California          MICHAEL R. TURNER, Ohio
STEPHEN F. LYNCH, Massachusetts      LYNN A. WESTMORELAND, Georgia
JIM COOPER, Tennessee                PATRICK T. McHENRY, North Carolina
GERALD E. CONNOLLY, Virginia         BRIAN P. BILBRAY, California
MIKE QUIGLEY, Illinois               JIM JORDAN, Ohio
MARCY KAPTUR, Ohio                   JEFF FLAKE, Arizona
ELEANOR HOLMES NORTON, District of   JEFF FORTENBERRY, Nebraska
    Columbia                         JASON CHAFFETZ, Utah
PATRICK J. KENNEDY, Rhode Island     AARON SCHOCK, Illinois
DANNY K. DAVIS, Illinois             ------ ------
CHRIS VAN HOLLEN, Maryland
HENRY CUELLAR, Texas
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
BILL FOSTER, Illinois
JACKIE SPEIER, California
STEVE DRIEHAUS, Ohio
------ ------

                      Ron Stroman, Staff Director
                Michael McCarthy, Deputy Staff Director
                      Carla Hultberg, Chief Clerk
                  Larry Brady, Minority Staff Director

   Subcommittee on Information Policy, Census, and National Archives

                   WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania      PATRICK T. McHENRY, North Carolina
CAROLYN B. MALONEY, New York         LYNN A. WESTMORELAND, Georgia
ELEANOR HOLMES NORTON, District of   JOHN L. MICA, Florida
    Columbia                         JASON CHAFFETZ, Utah
DANNY K. DAVIS, Illinois
STEVE DRIEHAUS, Ohio
DIANE E. WATSON, California
                     Darryl Piggee, Staff Director


                            C O N T E N T S

                              ----------                              
Hearing held on July 30, 2009
Statement of:
    Thomas, Adrienne C., Acting Archivist of the United States, 
      National Archives and Records Administration, accompanied 
      by Gary M. Stern, General Counsel, the National Archives 
      and Records Administration, and Sharon Thibodeau, Deputy 
      Assistant Archivist for Records Services; and Paul 
      Brachfeld, Inspector General, National Archives and Records 
      Administration
        Brachfeld, Paul
        Thomas, Adrienne C.
Letters, statements, etc., submitted for the record by:
    Brachfeld, Paul, Inspector General, National Archives and 
      Records Administration, prepared statement of
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of
    McHenry, Hon. Patrick T., a Representative in Congress from 
      the State of North Carolina, prepared statement of
    Thomas, Adrienne C., Acting Archivist of the United States, 
      National Archives and Records Administration, prepared 
      statement of


   NATIONAL ARCHIVES AND RECORDS ADMINISTRATION ORGANIZATIONAL ISSUES

                              ----------                              


                        THURSDAY, JULY 30, 2009

                  House of Representatives,
   Subcommittee on Information Policy, Census, and 
                                 National Archives,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:40 p.m. in 
room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay 
(chairman of the subcommittee) presiding.
    Present: Representatives Clay, McHenry, and Norton.
    Staff present: Darryl Piggee, staff director/counsel; Frank 
Davis, professional staff member; Jean Gosa, clerk; Charisma 
Williams, staff assistant; Charles Phillips, minority chief 
counsel for policy; Adam Fromm, minority chief clerk and Member 
liaison; Howard Denis, minority senior counsel; and Chapin Fay 
and Jonathan Skladany, minority counsels.
    Mr. Clay. The Information Policy, Census, and National 
Archives Subcommittee will now come to order.
    Good afternoon and welcome to today's hearing entitled, 
``National Archives and Records Administration Organizational 
Issues.''
    Without objection, the Chair and ranking member will have 5 
minutes to make opening statements, followed by opening 
statements not to exceed 3 minutes by any other Member who 
seeks recognition.
    Without objection, Members and witnesses may have 5 
legislative days to submit a written statement or extraneous 
materials for the record.
    The purpose of today's hearing is to examine the loss of an 
external hard drive containing data from the Executive Office 
of the Clinton administration. We will hear from the Acting 
Archivist, Adrienne Thomas, and the NARA Inspector General, 
Paul Brachfeld, and we hope to get real insight into how the 
security breach occurred and what steps have been taken, and 
what steps should be taken to tighten security at NARA 
facilities.
    The missing hard drive, which is a backup copy, contained 
the entire computer files of 113 White House employees. Their 
entire computer files were downloaded and stored on a hard 
drive and later transferred to the backup hard drive that is 
now missing.
    Classified documents and personally identifiable 
information of former Clinton administration staff and visitors 
to the White House are now exposed.
    Before we continue with this hearing, let us be very clear 
that the subcommittee has no intention of interfering or 
impeding the investigations currently being conducted by the 
NARA Inspector General, the Secret Service, or the Federal 
Bureau of Investigation. We urge everyone's cooperation with 
these investigations and I thank all of our witnesses for 
appearing today and look forward to their testimony.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    Mr. Clay. Now, we are on a tight schedule today, so what I 
am going to do is, normally we would yield to the ranking 
member, who is not here yet. When he gets here, he will be 
allowed an opening statement, but I will swear the witnesses 
in. I will introduce you and swear you in, and hopefully by the 
end a minority Member will be here.
    Let me first introduce the panel. We will hear first from 
Ms. Adrienne Thomas, Acting Archivist of the U.S. National 
Archives and Records Administration. Ms. Thomas is currently 
the Acting Archivist of the United States. Prior to her 
appointment as Acting Archivist in December 2008, Ms. Thomas 
served as the Deputy Archivist of the United States.
    Ms. Thomas has been with the National Archives for 38 
years, beginning as an Archivist Trainee in the Office of 
Presidential Libraries, and subsequently holding a number of 
policy and administrative roles.
    Ms. Thomas will be accompanied by Mr. Gary M. Stern, 
General Counsel for the National Archives and Records 
Administration.
    Welcome to both of you.
    Our next witness will be Mr. Paul Brachfeld, Inspector 
General, National Archives and Records Administration. Mr. 
Brachfeld serves as the IG of NARA and as the IG for NARA, he 
oversees the conduct and execution of all audits, 
investigations and inspection for the agency, in compliance 
with provisions of the Inspector General Act of 1978 as 
amended.
    Mr. Brachfeld's entire career has been devoted to 
investigative activities since graduating from the University 
of Maryland College Park in 1979. Go Terps. And today, he 
brings 10 years of experience as the NARA Inspector General and 
30 years of exceptional service to the U.S. Government. 
Currently at NARA, Mr. Brachfeld's tenure has included the 
recovery of hundreds of stolen archival holdings and related 
successful prosecutions of identified subjects. And we look 
forward to his testimony.
    I want to welcome all of you to our hearing today, and it 
is the policy of the Oversight and Government Reform Committee 
to swear in all witnesses before they testify.
    Would all of you please stand and raise your right hands?
    [Witnesses sworn.]
    Mr. Clay. You may be seated. Thank you.
    Let the record reflect that the witnesses answered in the 
affirmative, and each of you will have 5 minutes to make 
opening statements. Your complete written testimony will be 
included in the hearing record. The yellow light will indicate 
that it is time to sum up. The red light will indicate that 
your time has expired.
    Ms. Thomas, you may begin your opening statement.

   STATEMENTS OF ADRIENNE C. THOMAS, ACTING ARCHIVIST OF THE 
 UNITED STATES, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION, 
  ACCOMPANIED BY GARY M. STERN, GENERAL COUNSEL, THE NATIONAL 
  ARCHIVES AND RECORDS ADMINISTRATION, AND SHARON THIBODEAU, 
   DEPUTY ASSISTANT ARCHIVIST FOR RECORDS SERVICES; AND PAUL 
  BRACHFELD, INSPECTOR GENERAL, NATIONAL ARCHIVES AND RECORDS 
                         ADMINISTRATION

                STATEMENT OF ADRIENNE C. THOMAS

    Ms. Thomas. Thank you, Chairman Clay and members of the 
subcommittee. I appreciate this opportunity to discuss a recent 
security incident that is a serious breach of the trust placed 
in the National Archives to protect our Nation's records.
    NARA learned in late March that an external computer hard 
drive containing copies of Clinton administration Executive 
Office of the President records was missing from the electronic 
records processing room. As the Acting Archivist, and as 
someone who has devoted my entire 39-year career to the 
National Archives, I am deeply angered that a NARA employee or 
contractor may have intentionally removed this item.
    With me today are NARA's General Counsel and Senior Agency 
Official for Privacy, Gary Stern, and Sharon Thibodeau, Deputy 
Assistant Archivist for Records Services.
    The loss of the hard drive occurred while NARA was 
conducting preservation processing of electronic media received 
from the Executive Office of the President [EOP] at the end of 
the Clinton administration. Tapes containing snapshots of the 
contents of the working drives of EOP employees were copied by 
a contractor to new media to prevent deterioration.
    On September 18, 2008, two My Book hard drives created by 
the contractor were delivered to NARA. The hard drives were 
labeled master No. 2 and backup No. 2. The two hard drives were 
taken to suite 5300 at the National Archives in College Park 
and placed on a shelf in the unclassified electronic records 
processing room within the suite. At the time, approximately 85 
NARA employees and contractors had badges that opened the three 
doors to the office area of the suite. Individuals with badge 
access to suite 5300 also had access to the electronic records 
processing room for unclassified records.
    On October 30th, the work of verifying the records on the 
hard drive was assigned to an information technology 
specialist. Work was performed only on the master No. 2 hard 
drive, not the backup No. 2, which would later be missing.
    On February 5, 2009, the IT specialist placed the master 
No. 2 hard drive into its original manufacturer's box and noted 
that the backup No. 2 hard drive was in a similar adjacent box. 
The two boxes remained on a shelf in the processing room and no 
additional work was done on the hard drive until March 24, 
2009, when the IT specialist discovered that the box that had 
contained backup No. 2 hard drive was empty. The master No. 2 
hard drive was still in its box.
    An immediate division-wide search was initiated. On April 
2, 2009, the Inspector General, General Counsel and I were 
informed of the loss. While the Office of the Inspector General 
continues its investigation, there are currently no facts to 
determine whether the drive was stolen or misplaced and no 
suspect has been identified. NARA has offered a reward of up to 
$50,000 for information that leads to the recovery of the 
missing hard drive.
    NARA staff reviewed the master No. 2 hard drive and 
discovered that it contained numerous files containing personal 
names and Social Security numbers. In addition, NARA also found 
a small number of files that contained markings indicating they 
may contain classified information. While information from the 
EOP provided at the time of transfer indicated that the hard 
drives did not contain classified data, we believe EOP 
employees must have accidentally or improperly stored some 
classified information on their unclassified computers.
    We are compiling a list of those individuals who may have 
had their personal information compromised and a credit 
monitoring contractor is notifying these individuals as they 
are identified. To date, approximately 15,750 notification 
letters have been mailed. NARA is offering each individual 1 
year of free credit monitoring services and fraud protection. 
To date, 796 individuals have signed up for the credit 
monitoring services. Because of the extremely large volume of 
data on the drive, over 8.7 million individual files, we do not 
yet know the total number of individuals whose privacy has been 
affected.
    NARA has taken steps to improve internal security in our 
Electronic Records Division. First, we have added separate badge 
access controls to the doors opening the processing rooms in 
suite 5300. There are now only entrances to the processing room 
and only individuals with badges programmed to open these doors 
may enter the processing room. All others must sign the log and 
be accompanied by an authorized person while in the room.
    Second, we conducted an audit of all electronic media 
containing personally identifiable information and moved it to 
a separate locked block of shelving within a locked stack area 
accessible only to authorized employees.
    Finally, all NARA staff are required to complete training 
on how to handle sensitive information, including the new 
security procedures.
    The Office of Records Services is also conducting 
unannounced inspections of all records branches and divisions 
on a periodic basis, and supervisors are required to do 
periodic walk-through inspections during the day.
    When the investigation of this incident by NARA's Office of 
Inspector General and Secret Service is completed, I can assure 
you that we will act on the results with swift and appropriate 
disciplinary actions if it is determined that any NARA 
employees were responsible for removing the hard drive or 
failed to adhere to proper records handling procedures.
    The National Archives is a public trust and the 3,000 women 
and men who work at NARA's 44 facilities across the country 
take their job and that trust very seriously. Every day, our 
staff performs work that is vital to our democracy by 
preserving and safeguarding the more than 9 billion records 
that make up the National Archives of the United States.
    At the same time, we must balance safeguarding the records 
with providing the people of this country access to those 
records. As with any endeavor that relies on the work of human 
beings, our work, despite our best efforts and intentions, is 
subject to error. However, the loss of even one record or 
breach, even one individual's personal information is 
unacceptable. And I assure you that NARA will continue to 
improve our security procedures and ensure that all staff is 
inculcated with the importance of following these procedures.
    Given the seriousness with which we take this loss, I am 
thankful for the opportunity to testify and I will try to 
answer any questions that you may have.
    [The prepared statement of Ms. Thomas follows:]

    Mr. Clay. Thank you so much, Ms. Thomas.
    Mr. Brachfeld, you are up next.

                  STATEMENT OF PAUL BRACHFELD

    Mr. Brachfeld. Mr. Chairman and members of the 
subcommittee, I thank you for offering me the opportunity to 
testify today. I have been called before the subcommittee to 
provide testimony on the circumstances surrounding an external 
computer hard drive missing from the National Archives and 
Records Administration which contained a vast amount of 
material from the Clinton administration, including 
Presidential Record Act [PRA] material.
    The Presidential Record Act of 1978 governs the official 
records of the President and Vice President created or received 
after January 20, 1981. The PRA changed the legal ownership of 
the official records of the President from private to public 
and established a new statutory structure under which 
Presidents must manage their records.
    I trust that in reaction to the loss of a hard drive, new 
policies, procedures and processes will be defined and 
implemented at NARA, and certainly my office will evaluate 
these actions, provide guidance and appropriate independent and 
skilled oversight.
    However, our focus now is on the criminal investigation of 
the disappearance of the hard drive capable of holding two 
terabytes of our government's information, and which my 
forensic investigator informs me was essentially filled with 
data.
    At the outset, I must say I am not able to talk about all 
aspects of the investigation at this time. This is an ongoing 
criminal investigation which may have elements affecting 
national security. Therefore, I know that the Chair and members 
of this distinguished committee would not wish me to provide 
any information that could potentially damage the 
investigation's integrity or potential success.
    Currently, we are working with the assistance of the U.S. 
Secret Service and the Federal Bureau of Investigation to more 
precisely identify the content of the hard drive. However, an 
initial cursory review identified that thousands of examples of 
personally identifiable information [P.I.] data reside on the 
hard drive. We reported this to NARA management officials and 
they have hired a contractor to further analyze this P.I. 
aspect and provide breach notification per OMB requirements.
    I should also note that at my request, the Special Agent in 
charge of the Secret Service Washington Field Office generously 
made their 24/7 hotline operation available to us in order to 
support the investigation and potential recovery of the missing 
drive.
    In response to our suggestion, NARA has established a 
reward of up to $50,000 for information leading to the 
successful recovery of the missing hard drive. No productive 
leads have resulted to date from this action.
    The subcommittee has asked about the security in place at 
NARA at the time the hard drive went missing and after the hard 
drive went missing. The direct answer is that the controls in 
place were inadequate and what controls were in there were 
readily bypassed and obviously compromised on an ongoing and 
dynamic basis. Quite simply, this was an accident waiting to 
happen and now it has.
    As a direct result of these failures in controls, my 
office's capacity to investigate this incident has been 
severely compromised. The loss went unnoticed potentially for 
months. Conservatively speaking, at least 150 people had access 
to the area, and even rudimentary access controls such as badge 
or sign-in logs were not maintained or could be readily 
bypassed.
    While the drive was kept in an area ostensibly secured by a 
proximity card-reading lock, in practice this system failed. 
People could simply piggyback by going through the door when 
other persons opened it, and even worse, doors which should 
have been secured were propped open for ventilation purposes.
    It was also reported to my investigators that the 
processing area in which the hard drive went missing was used 
as a conduit or shortcut to the rest rooms. Therefore, it can 
be argued that the security for this area was no greater than 
the general security for the building as a whole.
    The loss of this hard drive holding PRA materials is not 
the only concern I have in this investigation. Many in the pool 
of potential subjects of this criminal investigation have 
access to the processing area where this drive disappeared, as 
well as more traditional storage or stack areas. Therefore, I 
cannot say with any confidence that data stored in these areas 
was not compromised. This includes the records of the 9/11 
Commission, the Warren Commission, as well as large quantities 
of other national security holdings.
    In a benign case where proper controls were in place and a 
subject hard drive was lost or ruinously disposed of, one might 
take comfort that other data was not compromised. The facts 
dictate that I am afforded no such comfort. If the drive was 
deliberately removed, the person or persons could have just as 
readily removed other holdings or copied information onto other 
mediums.
    I am also deeply concerned about how NARA generally treated 
the category of Presidential data like that which was on the 
missing hard drive. Specifically, when the data was copied from 
original Executive Office of the President [EOP] computer tapes 
to modern hard drives, the copying was done by contractors 
offsite without any security requirements. NARA had a fixed 
price delivery order for the duplication of 1,428 such EOP 
computer tapes to external hard drives to include the missing 
hard drive.
    A small business was provided complete custody and control 
over the housing content of the EOP material. Amazingly, this 
contractor was one in a series of like contracts in which NARA 
was silent in addressing any security requirements for the 
tapes or the information which they held. In fact, the 
contractor made absolutely no mention of the sensitivity of 
these records, nor included a nondisclosure agreement.
    When handling and processing groups of PRA material, I 
would think it essential to institute appropriate measures for 
security over transport and processing of these records offsite 
by contractors. However, no such measures were identified. In 
this specific case, the tapes were sent offsite to a small 
storefront operation in New Jersey. The existing security at 
this location was rudimentary and clearly inadequate to protect 
and limit inappropriate access to PRA material.
    In a June 18, 2009 letter, Senator Charles E. Grassley 
asked the Acting Archivist of the United States: ``Do you 
recognize NARA is a national security agency?'' She stated, 
``No. NARA is not a national security agency by any shared 
means of that term within the executive branch for which we are 
aware. NARA does not make nor does it implement national 
security policy. NARA's only relationship to national security 
is our responsibility for ensuring that those security 
classified records that come into our custody from other 
agencies are stored, protected and handled following the rules 
for which all agencies that handle classified records must 
adhere.''
    I would submit that NARA has in this and other recent cases 
breached that relationship. While by some technical standards, 
NARA may not meet the traditional definition of a formal 
national security agency, the information and records we hold 
are vital to our Nation's security.
    What I will say specific to the loss of this hard drive is 
that the American people deserve better security and 
accountability than NARA has provided them. I can assure you 
that through our audits and investigations, management 
consultations and briefings, we will work to help NARA 
strengthen its internal control and security mechanism.
    While some corrective measures have, and I trust more will 
be taken, it is analogous to closing the barn door after the 
horse has left. The event has passed and damage done, the 
extent to which I cannot quantify for you today.
    I thank you for the opportunity to testify and am available 
to take questions.
    [The prepared statement of Mr. Brachfeld follows:]

    Mr. Clay. Thank you very much, Mr. Brachfeld.
    We have been joined by two additional Members. I will yield 
to Mr. McHenry for his opening statement.
    Mr. McHenry. I thank the chairman.
    Ms. Thomas, thank you for agreeing to join us today, this 
time, for the hearing.
    The topic today is, of course, the National Archives and 
Records Administration organizational issues, but I think that 
is sort of diminishing the import of this. And organizational 
issues I think is putting it lightly, the scope or the 
magnitude of the problem that we are facing.
    The National Archives is an agency with an extremely 
important function. It serves as the keeper of our Nation's 
valuable records, preserves government and historical records 
that include copies of acts of Congress, Presidential 
proclamations and Federal regulations. While the Archives 
maintains public access to some documents, other records 
contain highly sensitive data.
    Mr. Brachfeld, thank you for touching on the national 
security component in your testimony.
    And these must be secured to ensure our national security 
and shield personally identifiable information as well. The 
effectiveness of the Archives as protector of the records under 
its control is key to preserving our history and maintaining 
accountability in our government.
    The Archives conducts truly invaluable work, very important 
work, obviously, yet they are an agency that the public doesn't 
often hear much about. Unfortunately, they have been getting 
quite a lot of press lately, all of which or most of which 
seems to be negative. In May, the National Archives Inspector 
General, Mr. Brachfeld, notified Congress that an external hard 
drive containing national security information had gone missing 
from the agency's College Park facility sometime between 
October 2008 and March 2009, when its absence was first 
noticed.
    That drive contained one terabyte of information, and what 
we have come to know is that Clinton presidency records, the 
equivalent of which are millions of books full of information, 
as Mr. Brachfeld has previously put it. The missing data, 
including more than 100,000 Social Security numbers, the 
personal contact information of Presidential administration 
officials, the entire computer files of 113 former White House 
employees, Secret Service and White House operating procedures, 
and other highly sensitive information.
    Disturbingly, the missing hard drive was stored in an 
easily identifiable package, as Ms. Thomas testified to today, 
in a workspace that the Archives has already admitted was 
unsecured, unattended, and accessible to personnel without 
clearance. Even now, it is still not known whether the hard 
drive was misplaced, lost or stolen, or even when it actually 
went missing.
    It is my hope that the National Archives management would 
immediately react to what has been called a catastrophic loss 
by tightening security and accessibility at their College Park 
facility, particularly in the area which the hard drive was 
removed.
    However, when a bipartisan group of Oversight Committee 
staff visited the campus on July 17th, they observed many of 
the same deficiencies in security measures and left with the 
impression that a motivated criminal would be able to remove 
sensitive material with little to no resistance.
    Now, this is a bipartisan assessment. There wasn't much of 
an effort on the part of National Archives staff to even make 
it appear that substantive changes had been made to secure the 
location. To be fair, the pattern of material mismanagement of 
the National Archives precedes Ms. Thomas by quite a few years. 
We are still remembering Clinton administration official 
National Security Adviser Sandy Berger caught walking out of 
the Archives with his pants stuffed, or actually rather socks, 
stuffed full with classified uninventoried documents.
    There are many more alarming cases of negligence at the 
Archives, yet none as egregious as the disappearance of the 
hard drive. These include the disappearance of $6 million worth 
of taxpayer-funded equipment over the periods of 2002 to 2006, 
the disposal of countless original records from the Bureau of 
Indian Affairs with the Archives trash, and the disappearance 
of 55,000 pages of CIA and other Federal agency records right 
off the shelf in 2006.
    There is a prevalent culture of carelessness at the 
National Archives and it must be replaced with meticulous 
accounting for all materials, paper and electronic, and 
stringent security measures that restrict access of 
unauthorized employees to areas where confidential data is 
kept.
    On Tuesday, President Obama announced he had selected his 
nominee as Archivist to replace Ms. Thomas, David Ferriero. 
Quite frankly, I believe this announcement couldn't come soon 
enough. Mr. Ferriero has certainly had a lot of experience 
managing mass quantities of paper and electronic documents and 
other information in his tenure as director of Research 
Libraries at the New York Public Library, and I look forward to 
hearing about his qualifications and his plans for the National 
Archives at his Senate confirmation hearing, whenever the 
Senate really gets around to doing their job.
    And I thank the witnesses for appearing here today, and 
look forward to the testimony and explanation of how the hard 
drive full of sensitive information was lost or stolen.
    [The prepared statement of Hon. Patrick T. McHenry 
follows:]

[GRAPHIC] [TIFF OMITTED] T8132.018 through T8132.021

    Mr. Clay. Thank you, Mr. McHenry.
    We will now go into the questioning stage of this hearing, 
and I will start it off with Ms. Norton for 5 minutes.
    Ms. Norton. Thank you very much, Mr. Chairman.
    I see why you called this hearing. It is a virtually 
mandatory hearing in light of the circumstances and the buildup 
of the security issues.
    Let me make sure what we are talking about, because as I 
looked at the testimony, I think it is Mr. Brachfeld's 
testimony, I tore it out, which says the hard drive contained 
examples of personally identifiable information.
    You know, the word secure information has been thrown 
around in the last several years so loosely. I am trying to 
understand what was on the hard drive. What does it mean by 
personally identifiable information?
    Mr. Brachfeld. Is that question directed at me, ma'am?
    Ms. Norton. Yes, Mr. Brachfeld, that is fine.
    Mr. Brachfeld. There is a technical definition for PII. For 
purposes of this hearing, what I will define is that OMB 
defines PII material to include Social Security numbers and 
like material that could be used to damage a person's security, 
banking, for identity theft, along those lines. It could be 
names, addresses, associates, that kind of information.
    As this information was a compilation from the Clinton 
administration, it was a compilation, it has information that 
was resided on individual computers, and thus there is 
information that meets that definition that resided on the hard 
drive that is missing.
    So again, it was a compilation of material.
    Ms. Norton. Have all of the parties whose information was 
compromised been so informed?
    Mr. Brachfeld. I will yield to the Acting Archivist.
    Ms. Thomas. We are in the process of identifying the 
individuals that need to be notified of the breach.
    Ms. Norton. When did the breach occur?
    Ms. Thomas. I am sorry?
    Ms. Norton. When did the breach occur? When was it noted?
    Ms. Thomas. At the end of March, actually on April 2nd it 
was reported to me, to Mr. Brachfeld, and to Mr. Stern that the 
hard drive had been lost.
    Ms. Norton. Considering the nature of information and that 
this is the month of almost August, are you saying that most of 
these parties have not been so notified?
    Ms. Thomas. We don't at this point know how many people's 
names and Social Security numbers are on the hard drive.
    Ms. Norton. Why do you not know that information?
    Ms. Thomas. There are 8.7 million individual files on this 
hard drive, and we have a contractor at this time trying to 
extract all of the data that they can to come up with the lists 
to go through----
    Ms. Norton. Is that contractor, like this one, off the 
premises? This is another contracting out matter where people 
who apparently should not have been handling secure information 
were doing so. Now, where is this contractor located and why 
couldn't this be done on the premises so the hard drive would 
not have had, why did the hard drive have to leave the 
premises, I suppose is my question.
    Mr. Brachfeld.
    Mr. Brachfeld. Let me answer your last question. The 
process of copying the information from White House tapes or 
what were White House EOP employees' tapes to the hard drive 
was done offsite and that is what I testified regarding. That 
was done offsite up in New Jersey, and that is where I have 
raised significant security issues.
    The second part of your interest, which is on now 
attempting to mine and identify those individuals whose PII may 
have been compromised, that is under a separate contract which 
is being administered by the Archives.
    The reason it is taking so exceptionally long is this is 
probably, as far as I know through my 30-year career, this is 
probably the greatest challenge in trying to identify----
    Ms. Norton. You are having to reconstruct essentially what 
was on the hard drive with nothing to go on?
    Mr. Brachfeld. What my investigators are trying to do and 
are now yielding the PII element to the contractor, what we are 
attempting to do is to use the latest forensic investigative 
software available. This is not normal data that sits in one 
standard language or one standard format.
    If you think about every record that you have ever captured 
over your career in different languages and different spread 
sheets and different formats, all being compressed into one 
entity. That is what has happened. It is not readily mineable 
and definable as one would think.
    Ms. Norton. So nobody's been notified as of now?
    Mr. Brachfeld. I yield.
    Ms. Thomas. We have sent I believe it is 15,000, somewhere 
between 15,000 and 16,000 letters have gone out to notify 
people of the breach of their information.
    Ms. Norton. Do you have any idea how long it will take 
before all of the parties have been notified? What kind of harm 
could be done in the meantime?
    Ms. Thomas. I think it is going to take several months. I 
think one of the things that this has made perfectly clear to 
us, it is very difficult to get the information off the hard 
drive. There are many different----
    Ms. Norton. So you think that in terms of a nefarious act, 
someone trying to use the data, that would not be very easy to 
do?
    Ms. Thomas. Given that we have a contractor that was 
suggested to us by the National Security Agency as somebody 
that they had worked with, who they thought was the best in the 
field to try and do this, I do indeed believe that it is going 
to be difficult for anybody to extract this information from 
the hard drive.
    Ms. Norton. Well, Mr. Brachfeld, you said a criminal 
investigation is going on. Is there any possibility other than 
this being stolen that you would regard as a credible 
possibility? I mean, could it have been mislaid? If it had been 
mislaid, where would that have been, since there were only two 
places it should be, either the Archives or with the 
contractor?
    Mr. Brachfeld. I cannot dismiss any aspect as to whether or 
not it is missing, somebody took it for purposes of benign 
intent, just to use it for their own medium, or the worst case 
scenario, that it was taken for more nefarious purposes. That 
is a potential.
    I also want to state that people with the correct 
technologies and tools can mine this data. We have a contractor 
now that is trying to, my investigation is focusing on how it 
happened and what the impact of the loss is, and if we can find 
the subject.
    I am also looking at what classified material resided on 
that hard drive and other sensitive information. I am no longer 
involved in looking at the PII content. That has now been 
yielded to the contractor working for the National Archives.
    What I can say is, again, people with the capacity to read 
this data, the tools, can do it. My investigators, my forensic 
auditor could in fact pull up PII information fairly readily. 
Now, to find the tremendous quantity to issue PII letters, as 
the agency is doing, that is another subject. But certainly, 
somebody with, if they had that intent, and if in fact it 
really is out there and somebody is using it for that purpose, 
certainly they could pull PII information off of that drive.
    Ms. Norton. Mr. Chairman, could I just ask to the extent 
that there is a discovery of criminal use of this information 
that the chairman of this subcommittee be informed immediately? 
I don't know what people could do to protect themselves, but I 
think the worst thing to happen in a circumstance like this is 
not to even know that out there in the stratosphere and perhaps 
in the hands of thieves is all your personal information.
    And if it is discovered, it seems to me at such point it is 
discovered, if you are at 20,000 of 8 million or whatever, it 
seems to me that this committee should be informed at that 
point.
    Mr. Clay. Oh, for certain that will be made part of this 
official hearing record.
    Ms. Norton. Thank you very much, Mr. Chairman.
    Mr. Clay. Thank you for the question.
    Mr. McHenry, are you ready?
    Mr. McHenry. Yes.
    Ms. Thomas, how long have you been Acting Archivist?
    Ms. Thomas. Since mid-December 2008.
    Mr. McHenry. Since mid-December.
    Mr. Chairman, I am not familiar with most administration 
officials testifying with counsel at the desk. It seems to me a 
bit telling about the situation we are in, about how sensitive 
this is. But you know, Ms. Thomas, I know this predates you. I 
mean, this doesn't necessarily simply fall at your feet. So I 
mean, how long have you been with the Archives?
    Ms. Thomas. Thirty-nine years.
    Mr. McHenry. Thirty-nine years, full career. So you know, 
there have been studies on job satisfaction within the Federal 
Government. And I think it was American University's Best 
Places to Work in the Federal Government 2009, American 
University's Institute for the Study of Public Policy. Are you 
familiar with the study?
    Ms. Thomas. Yes.
    Mr. McHenry. Yes. It was telling to me, based on our 
Oversight Committee, to see where National Archives and Records 
Administration ranks. It is extraordinarily low in terms of job 
satisfaction within the Federal Government. It is actually, I 
think the second to last of all the institutions they studied.
    Do you think there is a linkage between job satisfaction--
well actually, let's start here. What do you attribute the low 
job satisfaction assessment to?
    Ms. Thomas. Well, we did some further analysis of what the 
different rankings were in the different parts of the National 
Archives. And the truth of the matter is that most of the very 
low rankings came from our regional facilities. And we have, 
for example, in our Federal Records Centers, which are fairly 
low paid occupations, they are not exactly intellectually 
stimulating.
    It is people moving boxes in and out and so forth. There is 
not a whole lot of promotion potential within the Records 
Center system, and a great deal of the very low scores in terms 
of job satisfaction came from those regional activities.
    If you look at the National Archives in the Washington 
area, we rank at at least the same average as most other 
agencies or a little higher. So the regional scores basically 
bring the agency score down to the level that is reported in 
that study.
    Mr. McHenry. OK. OK. Do you think that there is any 
linkages between dissatisfaction and disappearance of records 
or theft of records?
    Ms. Thomas. I think there could be, but the averages for 
the people who are working with archival records are much 
higher and they are not low. The Records Center records, of 
course, are agency records, temporary records, not archival 
records. So the incidents that have occurred over the past 
several decades have occurred in archival records.
    Mr. McHenry. OK.
    Ms. Thomas. So I am not sure that the linkage is there.
    Mr. McHenry. In terms of your testimony, you said that this 
drive with one terabyte of information was kept in its original 
package. Is that true?
    Ms. Thomas. Yes, that is correct.
    Mr. McHenry. OK. Is that standard procedure within your 
division of government to put these objects back in their 
original box?
    Ms. Thomas. In most cases, information----
    Mr. McHenry. If you don't have a policy, then that is fine, 
then if you will just state that.
    Ms. Thomas. I don't know. I can provide that for the 
record. I don't know the answer.
    Mr. McHenry. Yes, if you could, that would be good.
    Ms. Thomas. Sure.
    Mr. McHenry. It seems somewhat bizarre to me to have such 
important information, and this is not really judging the 
information. You know, but having it lost to history is a major 
concern and being able to piece this back together on what 
the----
    Ms. Thomas. Well, the information is not lost because this 
was a backup tape. It is a copy.
    Mr. McHenry. OK. Where was the original kept? Wasn't it all 
in the same desk?
    Ms. Thomas. The originals are the tapes that were delivered 
from the EOP at the end of the Clinton administration. Those 
tapes were backed up onto these hard drives, one of which was a 
master hard drive and one which is a copy hard drive.
    Mr. McHenry. And they were next to each other?
    Ms. Thomas. Yes, but the tapes were stored in the locked 
staff area, the original records.
    Mr. McHenry. OK. Is there a procedure for having a master, 
the original and the backup, the two drives, is there a process 
to keep them separate? If you have the backup and the main 
drive, right? Same information, is there any policy you have 
within the Archives to keep them in separate locations?
    Ms. Thomas. Not while they are being processed, and that is 
what was happening at the time that the hard drives were there.
    Mr. McHenry. Is it not true that the reason why we don't 
know if it is October or March is because they have been 
sitting on someone's desk the whole time and they were not 
being processed? They were left out untouched.
    Ms. Thomas. I think it is unclear how long they were left 
untouched.
    Mr. McHenry. OK, which tells me you don't have any policies 
or procedures on how this works.
    Mr. Brachfeld, are there policies and procedures on paper 
within the Archives about how to handle two copies of the same 
data?
    Mr. Brachfeld. I will answer your question by getting 
specific in this matter. In this case, I should note that 
drives that were not used new were maintained in a locked area. 
Whereas the drives that were in process and therefore holding 
the kind of data and quality of data we talked about today were 
left in an unlocked, exposed area, put back in the original 
box.
    So to me, it seemed curious and bothersome, troublesome 
that clean tapes are locked up for security, but tapes that 
have documentation were left in an open area.
    As far as policy and procedures, I guess more specifically, 
that is what we are investigating. Right now, my focus is 
investigating a potentially criminal act. We have time and we 
will look at audit issues. We will look at new internal 
controls. I can simply say, as I said in my testimony, it would 
seem that internal controls were not the focus in this area.
    Mr. McHenry. Well, thank you for your testimony. My time is 
up, but it seems to me that the basic Archives procedure was 
the equivalent of putting your car keys and your backup car key 
on the same key chain. It seemed that it was very basic 
procedure that was not instituted, nor was there a culture of 
following those procedures to ensure that you have two pieces 
of data--right?--kept separately, both secure so that therefore 
you have in this new technology age that we have, with 
diminishing documents from the early 1990's as that technology 
is getting older, that you would actually have those policies 
and procedures.
    So, you know, to the larger issue here is making sure this 
doesn't happen again for any administration or any document.
    And with that, I yield back.
    Mr. Clay. Thank you, Mr. McHenry.
    It begs the question of the backup system, that there be a 
fool-proof backup system. Let me ask both witnesses, do you 
know anything about hundreds of thousands of veterans' PII that 
has been compromised when the National Archives sent 
unencrypted hard drives to a vendor in return for replacement 
of hard drives? And if you do, what has been done to inform 
veterans that their information has been compromised? Either 
one.
    Mr. Brachfeld. I will answer that by saying we are in the 
process, as I stated in my last semiannual report, of 
conducting an investigation specific to that matter. At this 
time, I do not have information to the extent that I could 
respond fully to that question.
    We do believe an event occurred. The question is, what is 
the nature of the event and what are the implications? We are 
currently investigating that matter.
    There have also been other issues related to and have been 
reported in a management letter, related to St. Louis and the 
military veterans records in terms of other PII policy and 
procedures that have been violated that also potentially 
compromises veterans' information. And again, that is an issue 
which I cannot discuss in a public forum because should that 
information be made available publicly, it could be damaging.
    So I respectfully cannot--I don't think you would want me 
to discuss this in this public forum.
    Mr. Clay. OK. Well, I will go to my next witness, and ask 
Ms. Thomas, can you shed any light on it? Are you aware of it?
    Ms. Thomas. I am unfamiliar with an incident relating to 
veterans' records and a hard drive and missing records. I just 
don't have any information on that.
    Mr. Clay. OK. All right. Ms. Thomas, in June 2006, the 
Information Security Oversight Office inspected the information 
security controls of NARA's Washington National Records Center. 
ISOO found that due to inadequate records management, hundreds 
of boxes of classified materials could not be readily located.
    It is my understanding that since the ISOO inspection, NARA 
has taken steps to improve security at the Washington National 
Records Center. What is the status of those missing boxes and 
what has NARA done to improve the management of classified and 
other materials at the Washington National Records Center?
    Ms. Thomas. There are two vaults at the Washington National 
Records Center. One contains top secret SCI and R.D. material, 
and the second vault contains secret and confidential 
information.
    The Washington National Records Center has almost four 
million cubic feet of records. Of those, 333,000 are 
classified, either at the top secret SCI or secret or 
confidential.
    The controls, the ISOO made recommendations, 22 different 
recommendations for how to improve security at the Washington 
National Records Center. At this stage, I believe all of them 
have been implemented. An Information Security Program Manager 
has been hired. A Vault Manager has been hired. Resources have 
been thrown into the Records Center to do a complete inventory 
of both vaults.
    They started on the top secret and the SCI one. And they 
completed that inventory. Initially, they found 1,400 boxes 
that were not where they were supposed to be. They then did a 
complete check and got that number down to, I believe, 125 
boxes of material that is not apparently on the shelves at the 
Washington National Records Center.
    These records are owned by the agencies. They are not NARA 
records. They are not archival records. They are often called 
back by the agencies. And often what has happened in the past 
is that an agency calls back records and they either keep them, 
because they are their records and they have that right, and/or 
they will send them back some months or years later in another 
accession so that the number changes in terms of how you 
identify the records, and they get shelved as a new accession, 
and they contain boxes from the old accession.
    So there certainly was a record keeping issue that needed 
to be straightened out so we could keep better control over 
what went back to the agency, whether they were permanently 
withdrawn and kept in the agency, or whether or not they were 
returned to the Washington National Records Center.
    We are now, for the 125 boxes that are still not accounted 
for, we have contacted six different agencies whose records 
these are and asked them if they could check and find out if 
perhaps they have a record of whether or not they borrowed back 
these records. I believe there was something from the Energy 
Department just in the past few weeks that said, oh yes, they 
have 15 of the boxes that they have been able to account for.
    So we are still working the process to find out where the 
records are, and a similar inventory of the secret and 
confidential vault is underway. And we will go through the same 
process of completing the inventory, determining to the best we 
can where the records are, and whether or not they have been 
loaned back to the agencies or permanently withdrawn by the 
agencies.
    Mr. Clay. OK. And thank you for your response.
    Mr. McHenry's second round of questioning.
    Mr. McHenry. Certainly. Thank you, Mr. Chairman.
    Now, you found out about this security breach, or the 
disappearance of the drive April 2nd, you said. Is that 
correct?
    Ms. Thomas. Yes. That is when I was informed.
    Mr. McHenry. OK.
    Ms. Thomas. All three of us were informed. Gary is here 
because he is the Privacy Officer for the agency and has 
responsibility for PII.
    Mr. McHenry. So what have you done to address this so it 
doesn't happen again?
    Ms. Thomas. The Office of Record Services for Washington 
did a complete review of procedures, and has implemented much 
more stringent procedures to make sure that it doesn't happen 
again. Some of them I went through in my testimony, and they 
are in more detail in my longer testimony that is submitted for 
the record.
    Mr. McHenry. Yes.
    Ms. Thomas. They have put card readers on doors where 
before you could go into the office area and then go into the 
processing area. The card reader on the office door would, in 
essence, get you into the office area and into the processing 
office. Now, the processing space has another layer of 
security, and so you have different card reader access for 
those doors.
    They are doing spot inspections. The supervisors and 
managers are going through the space to make sure that the 
procedures that we put in place are being adhered to.
    We intend to do more training for people so that they truly 
get the message that this is a basic part of their job is 
protecting the records that they are working with. And that is 
a balancing act between providing access for research purposes 
and securing the items, but securing the items is a critical, 
critical part of their job.
    Mr. McHenry. Certainly. Now, are you familiar with the 
Inspector General's audits from between October 2007 and March 
2008? Are you familiar with the audits that the Inspector 
General's office issued?
    Ms. Thomas. Well, I see the audits, yes.
    Mr. McHenry. OK. Because at that point, it was pointed out 
in that audit that the Archives was, ``not accounting for 
artifacts in a timely manner.'' That was one. And two, among 
other things, artifacts were ``not maintained in appropriate 
space.''
    So the audit there expressed some of the same failings that 
resulted in the disappearance of this data. Did you have any 
actions you took off that audit from----
    Ms. Thomas. Well, I think that audit referred to the museum 
items, the artifacts in Presidential libraries.
    Mr. McHenry. Yes.
    Ms. Thomas. And Presidential libraries had started an 
inventory process. It was at various stages in the different 
libraries. We indeed poured more resources into completing the 
inventories, and they are underway. Some of them have been 
completed. Some of the problems that existed in the older 
libraries will not exist for the Bush Library or any library 
going forward because there will be a computer system that 
tracks every artifact as it arrives in the White House, and 
then that system is provided to us so that we will have a 
complete list to start out with.
    The record keeping in the White House Gift Office wasn't as 
complete in the past, and it was not consistent, if I can give 
you an example. A tea set, is that one item or is that a teapot 
and four cups? And is there a tray? Is that seven items? You 
know, there was no consistency in how they dealt with it.
    Mr. McHenry. But within one division of the Archives, when 
you have issues like, you know, not having information secured 
in appropriate space, does that raise questions for the overall 
system? Do you look at overall systems within the Archives? Or 
is that just one division and therefore isn't applicable to 
anywhere else?
    Ms. Thomas. For the issue with the hard drive, we are going 
to undertake a complete review. The Office of Records Services 
in Washington has already started.
    Mr. McHenry. I thought you said they have already done 
that.
    Ms. Thomas. I am sorry?
    Mr. McHenry. I thought you said, in my last question, that 
they had already done a complete review.
    Ms. Thomas. They did it for the Electronic Records 
Division. They are branching out to all of their records 
holding units and, as you said, looking at it more holistically 
across the agency, as opposed to just in one division. So we 
are looking at all security procedures and whether or not they 
are sufficient, whether they need to be improved.
    We certainly have decided that we need to improve our 
training and that we need training at a lot of different 
levels. For example, I am proposing that we will train every 
employee that comes to the National Archives as part of their 
orientation, whether they are a budget analyst or whatever, to 
make them understand what the mission of the agency is and that 
everybody has a responsibility to make sure that records are 
protected.
    Mr. McHenry. Thank you. Thank you. Very good answer. Thank 
you.
    Mr. Clay. Ms. Thomas, regarding the notices that were sent 
out to the 16,000, roughly, people, were there any problems 
with the notices? I have received reports that recipients of 
those notices thought that they were scams.
    Ms. Thomas. We did have some questions come in. We had a 
hotline set up for any questions that anybody did have. And we 
also had an email box where they could contact us. And yes, the 
most frequently asked question that came to us was: Is this a 
scam? Is this somebody who is, you know, Prince so and so from 
somewhere who is, you know, trying to get hold of my personal 
information and drain my bank account or something?
    So we have answered those questions.
    Gary, if you have anything to add to that?
    Mr. Clay. Mr. Stern.
    Mr. Stern. I can try. Yes.
    The letters were sent out by our contractor providing the 
credit monitoring services as well. And so while it is on NARA 
letterhead, it was put in an envelope that looks more like the 
kind of envelope you get from, you know, a bank or something 
else.
    Mr. Clay. A solicitation?
    Mr. Stern. Exactly. So I think some people thought, weren't 
sure, is this really from the National Archives or is this just 
some company just trying to, you know, solicit my business. And 
so we assured those people that it really was from us. We 
referred them to our Web site and we put up an updated notice 
to say we have sent these letters out and they are legitimate, 
and we are informing you of this potential breach and offering 
this service.
    So there was some confusion that we just hadn't occurred to 
us that would result by sending out the letters in that format.
    Mr. Clay. I see.
    Any recommendations, Mr. Brachfeld?
    Mr. Brachfeld. Specific to that question?
    Mr. Clay. Yes.
    Mr. Brachfeld. I am pretty much apart from that process. 
Again, my duty is to do the investigations. We reviewed the 
language in the breach notification letter just as a courtesy 
and the language in the breach notification seemed to be 
appropriate.
    As far as the contractor, the mailing, that is completely 
outside of my domain.
    Mr. Clay. So there was really two mailings. Did you re-mail 
the notices or no?
    Ms. Thomas. No, no, no. But there was an email box set up 
and in the letter that notified people of the breach, they were 
provided with the email address. They were provided with a 
hotline number that they could call. And they were notified 
that they could look at our Web site for further information, 
so that if they had any questions about the breach 
notification, they could contact us in several different ways.
    Mr. Clay. Ms. Thomas, regarding the copying of Executive 
Office computer tapes onto this hard drive, why were security 
requirements not built into the contract documents with your 
vendor?
    Ms. Thomas. Well, the contractor that did the work on the 
latest batch of copying, because there were five different 
contracts, I believe, for various stages of copying of this 
material, was a GSA schedule contract with the routine, I will 
say routine, because they were, clauses about protection of 
government information, government products that were provided 
to the contractor.
    In hindsight, our people should have included some 
additional security requirement clauses in the contract and 
that will certainly be a part of any contract going forward.
    Mr. Clay. OK.
    Mr. Brachfeld, any comment on that?
    Mr. Brachfeld. I have pretty much all the documentation 
related to this contract and what is clearly missing is any, 
any mention of security as even a consideration within the body 
of any of the solicitation.
    The company that received the tapes did not even respond in 
terms of their having any security arrangements in place. 
Again, there was no clause for nondisclosure of information, as 
should be customary in such a contractual relationship, 
contractual document.
    Basically, it just shouldn't have happened, and I think the 
Archives will learn from that.
    Mr. Clay. This sounds pretty sloppy as far as how we handle 
sensitive information.
    Mr. Brachfeld. We visited the site and it is not the 
contractor's fault, per se, because the contractor was doing a 
duplication service. They were honoring the terms of the 
contract. But if you went to the contractor site, as my agents 
did, along with other law enforcement you would have seen a 
basic storefront operation with security clearly not the focus. 
You would see that the tapes were kept in a room where doors 
were propped open also.
    I have actually images of this and it will be in my 
investigative report when it is finalized, or I could present 
them to you subsequent to this hearing. It was not the 
environment that one would expect you would keep something of 
even minimal importance, much less the quality and quantity of 
data that we have discussed today.
    Mr. Clay. You can certainly share whatever information you 
can with this subcommittee, so that we can get a clear picture 
of it.
    Mr. Brachfeld. I will do that.
    Mr. Clay. I will stop there and let Mr. McHenry have the 
last question.
    Mr. McHenry. Mr. Chairman, I thank you for having this 
hearing. I think it is important that we get the right policies 
and procedures in place. And this is not necessarily an 
adversarial thing, I am just perplexed at how something so 
basic could disappear. You know, these hard drives in my 
experience aren't cheap to get anyway. They are not cheap 
objects to have lying around, much less with no information, 
much less with sensitive information on it.
    And so it seems to me that even so much as actually taking 
that hard drive, instead of leaving it out, putting it in a 
locked desk drawer would have been a world apart from what 
happened, or as near as we can tell, happened with the minimal 
amount of information that is actually known right now.
    And as the IG still has the investigation going on, and I 
would love to have any information as you produce it that you 
are able to share with us, we would certainly appreciate it.
    Mr. Chairman, thank you for having this hearing and thank 
you for your leadership.
    Mr. Clay. Thank you, too, Mr. McHenry.
    Since there are no further questions, that concludes this 
hearing.
    The committee is adjourned.
    [Whereupon, at 3:44 p.m., the subcommittee was adjourned.]

                                 
