[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]




  LIMITLESS SURVEILLANCE AT THE FDA: PROTECTING THE RIGHTS OF FEDERAL 
                             WHISTLEBLOWERS

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           FEBRUARY 26, 2014

                               __________

                           Serial No. 113-88

                               __________

Printed for the use of the Committee on Oversight and Government Reform






[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]




         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform

                                _____

                  U.S. GOVERNMENT PRINTING OFFICE

87-176 PDF                WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001

















              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of 
JIM JORDAN, Ohio                         Columbia
JASON CHAFFETZ, Utah                 JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan                WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia
PATRICK MEEHAN, Pennsylvania         JACKIE SPEIER, California
SCOTT DesJARLAIS, Tennessee          MATTHEW A. CARTWRIGHT, 
TREY GOWDY, South Carolina               Pennsylvania
BLAKE FARENTHOLD, Texas              TAMMY DUCKWORTH, Illinois
DOC HASTINGS, Washington             ROBIN L. KELLY, Illinois
CYNTHIA M. LUMMIS, Wyoming           DANNY K. DAVIS, Illinois
ROB WOODALL, Georgia                 PETER WELCH, Vermont
THOMAS MASSIE, Kentucky              TONY CARDENAS, California
DOUG COLLINS, Georgia                STEVEN A. HORSFORD, Nevada
MARK MEADOWS, North Carolina         MICHELLE LUJAN GRISHAM, New Mexico
KERRY L. BENTIVOLIO, Michigan        Vacancy
RON DeSANTIS, Florida

                   Lawrence J. Brady, Staff Director
                John D. Cuaderes, Deputy Staff Director
                    Stephen Castor, General Counsel
                       Linda A. Good, Chief Clerk
                 David Rapallo, Minority Staff Director

































                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on February 26, 2014................................     1

                               WITNESSES

The Hon. Charles E. Grassley, A U.S. Senator from the State of 
  Iowa
    Oral Statement...............................................     9
    Written Statement............................................    13
Mr. Walter Harris, Chief Operating Officer and Acting Chief 
  Information Officer, U.S. Food and Drug Administration, 
  Accompanied by Jeffrey Shuren, M.D., Director, Center for 
  Devices and Radiological Health, U.S. Food and Drug 
  Administration, and Ruth McKee, Associate Director for 
  Management, Center for Devices and Radiologic Health, U.S. Food 
  and Drug Administration
    Oral Statement...............................................    21
    Written Statement............................................    24
Ms. Angela Canterbury, Director of Public Safety, Project on 
  Government Oversight

                                APPENDIX

HHS Office of IG Report, Submitted by Rep.Issa...................    88
Joint Staff Report, Submitted by Rep. Issa.......................   119
Letter to Rep. Cummings from Rep. Issa, Submitted by Rep. Issa...   271

 
  LIMITLESS SURVEILLANCE AT THE FDA: PROTECTING THE RIGHTS OF FEDERAL 
                             WHISTLEBLOWERS

                              ----------                              


                      Wednesday, February 26, 2014

                  House of Representatives,
      Committee on Oversight and Government Reform,
                                           Washington, D.C.
    The committee met, pursuant to call, at 10:00 a.m., in Room 
2154, Rayburn House Office Building, Hon. Darrell E. Issa 
[chairman of the committee] presiding.
    Present: Representatives Issa, Mica, Turner, Duncan, 
Jordan, Walberg, Lankford, Amash, Farenthold, Woodall, Massie, 
Collins, Meadows, Bentivolio, Cummings, Maloney, Lynch, 
Connolly, Speier, Kelly, and Lujan Grisham.
    Staff Present: Alexia Armstrong, Legislative Assistant; 
Molly Boyl, Deputy General Counsel and Parliamentarian; 
Lawrence J. Brady, Staff Director; Ashley H. Callen, Deputy 
Chief Counsel for Investigations; Sharon Casey, Senior 
Assistant Clerk; John Cuaderes, Deputy Staff Director; Lamar 
Echols, Counsel; Adam P. Fromm, Director of Member Services and 
Committee Operations; Linda Good, Chief Clerk; Caroline Ingram, 
Professional Staff Member; Mark D. Marin, Deputy Staff Director 
for Oversight; Ashok M. Pinto, Chief Counsel, Investigations; 
Krista Boyd, Minority Deputy Director of Legislation/Counsel; 
Aryele Bradford, Minority Press Secretary; Jennifer Hoffman, 
Minority Communications Director; Elisa LaNier, Minority 
Director of Operations; Una Lee, Minority Counsel; Juan 
McCullum, Minority Clerk; and Dave Rapallo, Minority Staff 
Director.
    Chairman Issa. The committee will come to order.
    The Oversight Committee's mission statement is that we 
exist to secure two fundamental principles: First, Americans 
have a right to know that the money Washington takes from them 
is well spent; and, second, Americans deserve an efficient, 
effective government that works for them.
    Our duty on the Oversight and Government Reform Committee 
is to protect these rights. Our solemn responsibility is to 
hold government accountable to taxpayers, because taxpayers 
have a right to know what they get from their government.
    It is our job to work tirelessly in partnership with 
citizen watchdogs and whistleblowers to deliver the facts to 
the American people and bring genuine reform to the Federal 
bureaucracy.
    Before I deliver my opening statement, because we have 
Senator Grassley here, I am going to ask unanimous consent that 
the IG report released last night entitled Department of Health 
and Human Services IG Report, ``Review of the Food and Drug 
Administration's Computer Monitoring of Certain Employees in 
Its Center for Devices and Radiological Health'' be placed in 
the record. Without objection, so ordered.
    Additionally, I ask that the joint staff report entitled 
``Limitless Surveillance at the FDA: Protecting the Rights of 
Federal Whistleblowers,'' be placed in the record.
    Mr. Cummings. Mr. Chairman?
    Chairman Issa. Yes.
    Mr. Cummings. I have no objections, but I just want to make 
sure it is clear that that is the staff report of the 
Republicans. Is that right?
    Chairman Issa. It is a joint report of the House and Senate 
Republicans.
    Mr. Cummings. House and Senate. So the Senate Democrats 
were not involved. In this report, the Senate Democrats----
    Chairman Issa. This report is a result of an investigation 
in which all your Democrats' staff were in there, but we did 
not ask for or provide a long comment period to your people. 
You are entitled to place a minority staff report at your 
convenience. You have the same information.
    Mr. Cummings. We will definitely do that. I just wanted to 
make it clear on the record.
    Chairman Issa. Absolutely.
    Without objection, so ordered. They are both in the record.
    And I will place my entire opening statement in the record 
and be brief.
    Today's hearing is about a questionable practice at the 
FDA, one that has been under investigation for over 2 years--or 
almost 2 years, July of 2012, by the Inspector General, one 
that we do not consider to be political in any way, shape, or 
form, or partisan in any way, shape, or form.
    We consider it to be questionable, if not despicable, that 
whistleblowers, a known whistleblower and others, appear to 
have been targeted for an investigation proactively monitoring, 
effectively a wiretap on their computers, in order to see if 
they could get the dirt on employees so that they could take 
action.
    The FDA justified this based on a leak to the New York 
Times. However, to the best of our investigation, rather than 
working retrospectively to see if they could discover who had 
in the past leaked, they began a practice of monitoring 
computers, one that captured all information, forwarded all 
information, including, at a minimum, correspondence as 
whistleblowers with three members of Congress's staff, Senator 
Grassley's, our staff, and Chris Van Hollen of Maryland.
    It does not matter whether it is one or all. It does not 
matter whether it is a Republican or a Democrat. This committee 
believes in whistleblowers, encourages whistleblowers, and 
particularly believes that communications with members of 
Congress, the other branch, Article 1, are, in fact, off limits 
to that kind of monitoring.
    It appears as though no protections were placed on that, 
but, rather, this was an attempt at ``gotcha.'' There may have 
been good reason to be concerned. An investigation into leaks 
may have been very justified. In this case, we are not 
questioning whether or not an investigation should have 
occurred, but, rather, the tactics and the lack of protection 
there.
    Today we are holding this hearing, and we are pleased to 
welcome Senator Grassley, whose investigation really kicked 
this off and whose staff has worked hand in hand, along with 
the Democratic members of this committee's staff, on hearing 
all of the witnesses.
    I might note, during the period of July 2012, when this 
began, until now, whistleblowers involved in this have been 
reticent to go on the record. They have wanted to deliver with 
as few people hearing what they have to say as possible and 
then let the facts speak for themselves.
    In the purest sense, that is what whistleblowers should do. 
In the purest sense, we should have an independent 
investigation that discovers the facts with limited testimonial 
by the whistleblowers. Their concern when they are reporting, 
essentially, whistleblower retaliation is certainly 
understandable.
    Neither the IG nor the minority on this committee has had 
an opportunity to speak to those whistleblowers. I will 
continue to encourage them to speak to both the IG and minority 
staff, but it is their decision.
    A whistleblower may come to one member of Congress, any one 
member of Congress, in my opinion, and that member of Congress 
should proceed on his constitutional or her constitutional 
responsibility and protect the whistleblower to the greatest 
extent possible. This committee will also always support that 
protection.
    The misconduct that we are looking at is not just 
overreach. It mirrors a famous book and movie ripped from the 
pages of George Orwell's ``1984.'' Constant monitoring of your 
screens. The only thing that was missing, of course, was a 
camera looking both ways.
    I am here to say that the Federal employees know that every 
communication they do on government property, on government 
time, or using government assets, or doing government business 
is subject to the Federal Government looking at it. There is no 
expectation of privacy.
    But that is not to say that targeting is appropriate. It is 
not to say that these five scientists' and doctors' concerns 
are not reasonable. They are.
    If there is a reason on behalf of the government to look at 
the use of government assets, government communication, of 
course, we expect the Executive Branch to do that.
    However, if there is going to be use of products such as 
Spector 360, a product that captured every 5 seconds the 
screens of the computers being used and the keystrokes, then, 
quite frankly, it has to be done for all at every moment and 
then there have to be rules on how it can be used.
    I am not suggesting that. Just the opposite. The Federal 
workforce is a highly trusted force, and trust is what we 
depend on. At times, it is clear that that trust is broken and, 
when it is, there are appropriate remedies.
    But until that trust is broken, we depend on a skilled and 
motivated workforce that believes, as they should, that they 
are not working for Big Brother, that, in fact, they are 
trusted in their roles and not being unreasonably spied on or 
targeted for disciplinary action.
    For that reason, we are holding this hearing today not as 
just an indictment of the FDA, which I think Senator Grassley 
will speak to, but as a recognition that all Federal employees 
need to be protected from an unreasonable activity, which, at 
least in this chairman's opinion, is part of what went on at 
the FDA in targeting these five whistleblowers.
    Again, I will put the rest of my opening statement in the 
record.
    And I yield to the ranking member.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Today we examine two distinct, but related, issues. First, 
we will review allegations that the FDA employees leaked trade 
secret and other confidential business information from 
companies seeking FDA approval of medical device applications.
    We will also review allegations by these employees that 
they were whistleblowers concerned about the safety of these 
medical devices and that the FDA retaliated against them by 
monitoring their computers.
    Whistleblowers play a critical role in rooting out waste, 
fraud, and abuse at Federal agencies and making our government 
more effective and efficient. They sometimes risk their 
careers. They sometimes risk their reputations to challenge the 
abuse of power.
    Our committee must take every allegation very seriously 
with regard to retaliation. I have said it before and I will 
say it again. We must at every point protect our 
whistleblowers. I am committed to that, and we are all 
committed to that.
    Unfortunately, the majority has taken a traditionally 
bipartisan issue, something that all committee members should 
be investigating together, and turned it into another partisan 
spectacle for which our committee has become well known.
    One of the most basic steps that our committee should have 
taken was to interview the FDA employees who had concerns. I 
remind all of us that everybody on this side of the aisle and 
everybody on that side of the aisle represents 700,000 people 
each, every one of us, the 435 members of our Congress.
    As the foundation for a responsible investigation, we 
should have met with them, asked them questions, learned about 
their concerns, and given them an opportunity to address 
evidence that may contradict their accounts.
    Instead, despite multiple requests from the Democratic side 
over the past year, the chairman declined to hold interviews 
with these employees, although he and Senator Grassley 
apparently have been communicating with them directly.
    These employees were never called in for standard committee 
interviews. And I heard what the chairman said. But at the same 
time, as I have said, we need to have an opportunity, just as 
Senator Grassley has, to talk to these folks, just as the 
chairman has.
    As a result, most committee members have no opportunity to 
talk to these employees and will not have the benefit of their 
input as we proceed. Again, we are talking about effectiveness 
and efficiency. We are talking about transparency with regard 
to the members of the committee.
    The chairman also chose to issue a highly partisan 
Republican staff report this morning. Just to be clear, this is 
not an official committee report. It did not follow committee 
rules for an official committee report. It was not vetted for 
accuracy by the committee.
    Also unfortunate was the timing of today's hearing. Over 
the past month, the Inspector General was finishing his own 
investigation and was poised to issue his report on this issue.
    Rather than wait a week or two so the committee could hear 
directly from the IG, the committee rushed to hold today's 
hearing, apparently trying to beat the IG to the press.
    As a matter of fact, the press got the report before we 
did, their report. It is interesting that we have a situation 
where the IG was able to complete his report, and he provided 
it to the committee last night.
    Now, let us look at what the IG found, first, ``The FDA''--
this is the IG--``had reasonable concern that confidential 
information, including possibly trade secrets and/or CCI, had 
been disclosed by agency employees without authorization.''
    Companies that submitted applications had asked the FDA to 
investigate which employees leaked their trade secret and 
confidential commercial information in violation of the law.
    The IG found, ``The FDA had provided notice to its 
scientists and all other users of the network through a network 
log-on banner that there was no right to privacy on the FDA 
computer network and that all data on the network was subject 
to interception by the FDA.''
    The committee's investigation has identified no evidence 
that the FDA monitored employees to retaliate against them. The 
agency had a reasonable basis for initiating the monitoring, 
since the disclosure of proprietary information is prohibited 
by law and subject to criminal penalties.
    The IG also found that, regardless of whether the computer 
monitoring was allowable under the law, the FDA did not have 
sufficient safeguards to ensure that monitoring would avoid 
collecting communications with Congress, the Office of Special 
Counsel, or the IG.
    As I close, despite the reasonableness of the FDA's 
concerns and its explicit warnings that employee computers 
could be monitored, the IG found that, ``The FDA'' ``should 
have assessed beforehand and--with the assistance of legal 
counsel, whether potentially intrusive EnCase and Spector 
monitoring would be the most appropriate investigative tools 
and how to ensure that the use of these tools would be 
consistent with constitutional and statutory limitations on 
government searches.''
    The FDA has now implemented new policies that require 
written authorization from the chief operating officer to 
initiate monitoring and a legal review of the proposed 
monitoring by the chief counsel, including a determination that 
proposed monitoring is consistent with the Whistleblower 
Protection Act.
    Protecting the rights of whistleblowers is an issue we 
should all be working on together, and our committee has done 
so in the past. In 2012, this committee passed the 
Whistleblower Protection Enhancement Act, which was signed into 
law on November 27, 2012.
    This is strong evidence that, when the committee operates 
on a bipartisan basis, we can accomplish very important and 
even groundbreaking accomplishments. I hope we can return to 
that type of bipartisanship in the future. I look forward to 
hearing from the witnesses.
    Mr. Chairman, I thank you for your indulgence.
    Chairman Issa. Of course.
    I now ask unanimous consent the letter dated February 25th 
by me to the ranking member be placed in the record. Without 
objection, so ordered.
    Mr. Cummings, I might note that the IG report which came 
out at 4:30 last night was preceded by the staff report being 
given to your staff, which contained substantially all of the 
same information as the IG report, and we noticed on January 
14th the FDA of our plan to have today's hearing.
    At that time, we had no expectation that the IG was going 
to conclude. And, in fact, in a Herculean way, the 
administration managed to respond to the IG's comments in two 
days, and the IG managed to get it out last night. We are proud 
of the fact that that report would not have been in our hands 
today had we not been scheduling this hearing.
    Mr. Cummings. Well, Mr. Chairman, would the gentleman 
yield?
    Chairman Issa. Of course.
    Mr. Cummings. I think the IG and the administration 
wanted--the administration wanted to get that report out 
because it felt that it would be significant with regard to any 
hearing that we might hold.
    And so, therefore, those who might have commented from the 
administration reserved comment so that they could get the 
report out because we know that all of us have tremendous 
confidence in the IG.
    And I guess, going back to efficiency and effectiveness, 
that, if we have an IG report, an independent agency that has 
looked at these things very carefully, it would be nice to have 
that report before the hearing. To me, that is effectiveness 
and efficiency.
    Chairman Issa. And the good news is we do have it.
    I might note, by the way, that I never spoke to any 
whistleblower. We can certainly ask Senator Grassley. I never 
spoke to them directly.
    Mr. Cummings. Did your staff?
    Chairman Issa. As you have said so many times, Mr. 
Cummings, the book ``The Speed of Trust'' is about trust being 
earned.
    The whistleblowers were unwilling to meet with members of 
your staff because they did not trust that this would not turn 
into retaliation. That is through their attorneys. And they are 
represented by counsel, what we have been told.
    So my staff encouraged them and has in no way dissuaded 
them from talking to your staff, and I openly this morning 
encourage them once again to come and meet with them.
    But, quite frankly, since this hearing is about 
inappropriate--now determined by the IG to be inappropriate 
targeting of whistleblowers using questionable tactics, you can 
understand why the whistleblowers, who, to my knowledge--I do 
not know, but they may or may not be some of the people 
targeted here--are reluctant to be prosecuted, persecuted, and 
triggered again by an agency that they do not personally 
believe in.
    They do not trust their agency, and they do not trust those 
who would report back to their agency. That is not my fault. 
That is not your fault. But that is the reality that the 
whistleblowers have.
    Mr. Cummings. Could we not have brought them in for 
interviews?
    Chairman Issa. Yes. I could haul in whistleblowers and 
expose them to the----
    Mr. Cummings. We haul in people all the time.
    Chairman Issa. I could expose them to the administration 
knowing about them and then retaliating against them. I could 
do that.
    But I will protect whistleblowers' right to give us 
information. Without their testimony, we have independently--
and the IG has independently reached the conclusions which we 
will see today. So I think the record speaks for itself.
    Whistleblowers made Senator Grassley and his staff aware of 
a problem, but independent investigation by the IG and by this 
committee--bipartisan investigation--have led us to the 
conclusions we will hear today.
    And, by the way, the hearing is not about the leak of 
information. It is about the unreasonable retaliation. I might 
caution you that we did not investigate the specifics of the 
leak of this material. It is certainly a knowledgeable fact. 
But our investigation began in the retaliation, not in that----
    Mr. Cummings. Just one more inquiry.
    Chairman Issa. Of course.
    Mr. Cummings. I know Senator Grassley is----
    Chairman Issa. He has been patient, and his time is 
limited.
    Mr. Cummings. Thank you.
    This is a question. You know, life is short. And so you 
just said that you did not look at the allegations made by the 
whistleblowers. Is that what you are trying to say?
    Chairman Issa. No. The whistleblowers made allegations that 
led to an investigation. Senator Grassley, I am sure, will 
cover this. The investigation independently determined what 
they had said.
    We are not relying on their allegations. They are not fact 
witnesses for purposes of the IG, Senator Grassley's staff, or 
my staff.
    The result of both the pieces of paper, the package you 
have, are the results of independent--the IG and your staff and 
my staff and Senator Grassley's staff--interviews. We did not 
need the whistleblowers except to be aware of a problem.
    The investigation is complete and does not need further 
testimony. In other words, there was no reason to expose the 
whistleblowers to the possibility of retaliation because their 
allegations have been confirmed independently.
    You believe it, and I believe it, and the IG believes it, 
that this retaliation that was done against these five people 
was, in fact, done.
    Mr. Cummings. If the gentleman will yield.
    Chairman Issa. Of course.
    Mr. Cummings. The only thing I am getting to is that--and 
Senator Grassley, I am sure, will address this--if there is 
equipment being used in hospitals that is defective, that 
people are getting diseases from, I mean, that's--I mean, we 
got two issues here. I want to make sure that we deal with 
that.
    Because we can get so caught up in the political stuff that 
we forget the people who are the victims of some of this, one 
of which--and I don't know whether it was from equipment, but I 
just had a constituent to die after giving birth to twins from 
disease that was contracted in the hospital this week.
    So I am trying to figure out will we--are we going--I mean, 
we got two parts here. We got the whistleblowers. And I think 
the reason why the whistleblowers bring information to us is so 
that we can do some reform--remember, that's a part of our 
title--and try to make sure that the constituents that we serve 
are safe.
    So you are saying that we will not get to that piece of it?
    Chairman Issa. No. Not at all. I am saying that the 
investigation was as to the retaliation.
    Dr. Smith, who was a qualified whistleblower, had deep 
concerns about the FDA's process and validity of medical 
devices they certified, and he made allegations that the FDA 
was not doing their job properly. That's the initial 
whistleblower activity, which was not disputed.
    The leak, justified in the FDA general counsel's mind, 
which makes me question whether or not these reforms are any 
good when the general counsel was receiving the information, 
made them believe that they could monitor five employees 
prospectively on everything, including their communications 
with Congressman Van Hollen, Senator Grassley, and my staff. 
That is what we are researching today.
    I am not qualified, quite frankly, to look at the 
allegations of medical device effectiveness, and I don't 
believe his initial claim came to our committee on the 
invalidity of the medical devices.
    But Dr. Smith, who is not a witness here today and is not 
part of it, was a qualified whistleblower. He had complaints, 
and he was making them.
    The investigation was not--supposedly not about his 
whistleblowing, but he became the target when they said that 
there had been a leak, which apparently there had.
    And I am perfectly happy to have people drift off onto the 
question of the leak in the New York Times. But what we do know 
is, although leaks to the New York Times occur all the time, we 
have whistleblower retaliation in the unreasonable, if you 
will, activities, in the opinion of the IG and in the opinion 
of this committee staff report.
    And that's what the primary reason for the hearing is, is 
we do not want to have a chilling effect on potential 
whistleblowers.
    But, more importantly, you and I know that we have to and 
we had better trust our Federal employees and not be spying on 
them 24/7, even though we have a right to look at the material 
on which they work, if necessary.
    Mr. Cummings. As I close, let me just say this. You talk 
about ``The Speed of Trust.'' And I don't want anybody watching 
this or hearing this to be left with the impression that folks 
on this side of the aisle, including our staffs, in some kind 
of way are not protective of whistleblowers. I don't want that 
getting out into the universe because it's simply not true. I 
would never say that.
    Chairman Issa. And, Mr. Cummings, I am not asserting that 
you are not trustworthy. What I am asserting----
    Mr. Cummings. And my staff.
    Chairman Issa. --is that the whistleblowers were unwilling 
to.
    And I have been corrected on one thing. In 2009, under 
Chairman Towns, Dr. Smith provided thousands of pages to this 
committee in support of his whistleblower allegation. So that 
is really the beginning of Dr. Smith's activity, as far as this 
committee goes.
    And he was a qualified whistleblower, having come to 
Chairman Towns and this committee with his concerns--and I 
think other committees--with his concerns about the FDA's 
activity.
    And, again, even though I also serve on Energy and 
Commerce, I am not claiming that I can understand the details 
of his allegations.
    And I would like, to the greatest extent possible, to 
caution all Members to primarily look at the question of 
whether the activities at the FDA, pursuant to their trying to 
find a leak, crossed a line and interrupted and would have a 
chilling effect on whistleblowers, which I think is what our 
committee's primary jurisdiction is.
    Mr. Cummings. And, Mr. Chairman, which is my primary 
concern, also.
    Chairman Issa. Okay. Senator Grassley, you have been 
incredibly patient. You have heard more testimony than you 
planned to. And, with that, such time as you may consume.

                       WITNESS STATEMENTS

  STATEMENT OF THE HON. CHARLES E. GRASSLEY, A UNITED STATES 
                 SENATOR FROM THE STATE OF IOWA

    Senator Grassley. Before I read, I would like to say a 
couple things.
    Chairman Issa. Our mics on this side don't amplify as well. 
They need to be much closer. They are House mics.
    Senator Grassley. Two things I would like to say before I 
read, one, generally about whistleblowing. In 33 years, under 
both Republicans and Democrats, I found the problem the same, 
whatever bureaucracy you are talking about. Whistleblowers are 
about as welcome in a bureaucracy as skunks at a picnic. There 
is a great deal of peer pressure to go along to get along.
    And then, specifically in regard to the FDA, just so 
everybody knows, we have a Democrat President, but going back 
to 2003, when I first got involved with whether or not the 
scientific process was being respected within the FDA and 
respected scientists coming forward--first was Vioxx and then 
several things since then--we have found problems with the 
respect of scientists and the respect of the scientific process 
within that agency, regardless of who was President.
    Thank you, Chairman Issa, for calling this important 
hearing and for the great work that you and your staff have 
done. Together, we have conducted a detailed investigation into 
the FDA aggressive surveillance of whistleblowers.
    A group of FDA scientists expressed concern about the 
safety of certain devices under review by the agency. They 
expressed their concern to the President's transition team and 
to Congress. They also contacted the Office of Special Counsel, 
which is an agency, as you know, created by Congress to receive 
whistleblower complaints and protect whistleblowers from 
retaliation.
    The FDA knew that contacts between whistleblowers and the 
Office of Special Counsel are confidential and protected by 
law. However, the FDA was intently spying on whistleblowers. 
There was no effort to avoid snooping on legally protected 
communications.
    This surveillance was much more intense than routinely 
monitoring of government employees on government computers. It 
was far more invasive than what would be necessary to detect 
inappropriate use of computer systems.
    The agency captured a picture of whatever was on the screen 
every 5 seconds, as you have said, and recorded every keystroke 
typed. Again, the FDA did not monitor every FDA employee this 
aggressively, just the whistleblowers.
    When we were--first spoke to the FDA in January 2012, they 
tried to dodge the issue. When I started asking questions, FDA 
officials seemed to suffer from a sudden case of collective 
amnesia.
    It took the FDA more than 6 months to answer my letter 
asking about its surveillance of its own employees. When I 
finally received a response, it didn't even answer the simplest 
of questions, such as who authorized the targeted operation. 
Worse than that, it was misleading in its denials about 
intentionally intercepting communications with Congress.
    When I asked them why they couldn't just answer some simple 
questions, they told my staff that the response was under 
review by, ``the appropriate authorities in the 
administration.'' The FDA's non-answers and doublespeak would 
have fit right into some George Orwell novel.
    The work our staffs have done together uncovered answers to 
many of those initial questions. Today we will hear from some 
of the FDA employees involved in the surveillance.
    There can be legitimate reasons to monitor the use of 
government computers by government employees; however, as our 
joint report shows, FDA officials gave little, if any, thought 
to the legal limits that might restrict their power to monitor 
their employees.
    No one at the FDA made any attempt to limit the collection 
of legally protected communications with attorneys, with the 
Office of Special Counsel, or with Congress. The FDA trampled 
on the privacy of its employees and their right to make legally 
protected disclosures of waste, fraud, and abuse.
    These whistleblowers thought the FDA was caving to pressure 
from the companies that were applying for FDA approval. I don't 
know whether they were right. But they have a legal right to 
express those concerns.
    After expressing their safety concerns, two whistleblowers 
were fired, two more were forced to leave FDA, and five of them 
were subjected to an intense spying campaign.
    At the beginning of FDA Commissioner Hamburg's term, she 
said that whistleblowers exposed critical issues within the 
FDA. She vowed to create a culture that values whistleblowers.
    By the way, that is a promise I have had from several 
people predecessor to her coming to my office, wanting 
confirmation, making those same promises.
    In fact, in 2009, Commissioner Hamburg said ``I think 
whistleblowers serve an important role.''
    I wanted to believe Commissioner Hamburg when she testified 
before the Senate during her confirmation. I wanted to believe 
her when she said she would protect whistleblowers at the FDA. 
However, in this case, the FDA was certainly not a 
whistleblower-friendly place to work, and I have spoken about 
how that's been the case since at least my involvement since 
2003.
    The FDA managers believed that the whistleblowers were 
leaking confidential information improperly, but the managers 
who--claimed that there were many other problems with the job 
performance of the targeted employees.
    Performance issues, of course, should be handled by 
directly supervising and managing employees. Instead, the FDA 
asked the HHS Office of Inspector General to investigate 
whether the employers had violated the law.
    The Inspector General declined on multiple occasions, but 
FDA managers kept asking for a criminal inquiry. Rather than 
simply managing its employees, the FDA then started spying on 
them.
    The managers kept looking for information that would 
convince the Inspector General to seek criminal prosecution. It 
was sort of management by investigation. And, of course, that's 
no way to run an agency.
    According to the OIG, and later the Department of Justice, 
the FDA had no evidence of any criminal wrongdoing by the 
whistleblowers. None whatsoever was ever found.
    The FDA spent months using intrusive realtime surveillance 
of their employees' computers looking for evidence of a crime. 
That time and effort would have been better spent supervising 
and managing the employees directly and making sure the 
employees were doing their job and not bothered from doing 
their job.
    The FDA claimed that their employees had no expectation of 
privacy on their FDA computers. However, when interviewed by 
congressional investigators, none of the FDA officials were 
willing to accept full responsibility for authorizing the 
surveillance. Apparently, no one was properly supervising this 
invasive surveillance program.
    The monitoring software used was so comprehensive it took 
countless hours just to review all the material. It was a 
detailed record of everything each of the scientists did all 
day, every day, for months. Hundreds of thousands of screen 
images had to be reviewed by FDA contractors, all at taxpayers' 
expense.
    So what kind of legal guidance was provided to these 
contractors about what they could capture? None. We would not 
have known the full extent of the spying today if the FDA had 
not accidentally released 80,000 pages of fruits of its spying 
on the Internet.
    Talk about adding insult to injury. After collecting all of 
this information, in an effort to supposedly prevent leaks, the 
same agency ends up posting all of those documents online for 
the world to see.
    In these internal documents that FDA never wanted the 
public to see, it referred to the whistleblowers as 
``collaborators.'' So you understand what I mean when I say 
whistleblowers are about as welcome in an agency as a skunk at 
a picnic.
    FDA referred to our staffers as ``ancillary actors.'' And 
they happened to refer to newspaper reporters as ``media outlet 
actors.''
    Let me tell you, you wouldn't be doing any congressional 
investigation--well, you might do a little bit, because we 
could obviously ferret out some--but we wouldn't be doing 90 
percent of what we do on protecting whistleblowers and 
congressional oversight if it wasn't enterprising newspaper or 
media people or whistleblowers coming forth with some things 
that they find wrong that we don't even know where the 
skeletons are buried in the bureaucracy of this big government 
of ours. But, anyway, so they are collaborators, they are 
ancillary actors, or they are media outlet actors.
    The FDA claimed it was a mistake made by the company it 
hired to convert surveillance records for legal review. And, of 
course, that wasn't true. The FDA incorrectly filled out a 
purchase order for the work. The FDA did not mark the documents 
as confidential or sensitive. It didn't even fill out the form 
until after the work had been done.
    Our inquiry uncovered no record that the private 
contractors were told that the documents were sensitive. So, 
the FDA failed to classify these documents as sensitive and 
then tried to blame the small business company that it hired to 
convert the documents. This is the scene that comes up time and 
time again in this entire story that you are looking into 
today.
    The FDA has failed to accept responsibility for its actions 
or impose accountability. This is from an agency that 
purportedly wants to foster a culture where whistleblowers are 
valued, based upon Director Hamburg's testimony to our 
committee.
    The FDA's actions are, of course, disappointing, not just 
disappointing because of the history that we are now--of this 
history, but over a long period of time. And it was supposed to 
change when this commissioner was appointed.
    But it would be even worse if that agency fails to learn 
from its mistakes. And since 2003, I--and maybe people before 
me would say the same thing--would say that they have been 
looking for learning from the mistakes of the past. It doesn't 
seem to happen.
    And most of these are just simple respect for the 
scientific process because, if you leave the politics out of it 
and let scientists do it, the scientific process of one 
scientist checking on another scientist's work will prove 
itself, or that scientist isn't going to be worth anything.
    These policies need to ensure that any monitoring is 
limited to achieving only the legitimate purpose. Watching on 
employees every minute leads to a culture of intimidation and 
fear, which not just the FDA, but bureaucracies generally, want 
whistleblowers to know about so that they don't tell what they 
know is wrong. And, of course, that's no way to encourage 
whistleblowers or it's no way to show that you value their 
concerns.
    I thank you very much.
    Chairman Issa. Thank you.
    [Prepared Statement of Senator Grassley follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    
    Chairman Issa. And if you would take a few questions from 
the ranking member, I would appreciate it.
    Senator Grassley. Yes.
    Chairman Issa. Mr. Cummings.
    Mr. Cummings. Thank you very much, Senator Grassley. And I 
really do thank you for being here today. Thank you for your 
patience.
    I have the utmost respect for you and your legacy as a 
champion of whistleblowers and whistleblower protections, and I 
really--on behalf of the American people, I thank you.
    Senator Grassley. Thank you.
    Mr. Cummings. As I said earlier, this has not traditionally 
been a partisan topic, I don't think. You and Senator Akaka 
both sponsored the Whistleblower Protection Enhancement Act, 
and Chairman Issa and I sponsored the House version of that 
bill. I assume you agree that we accomplish much more when we 
are working together.
    Would you agree with that?
    Senator Grassley. I have found----
    Mr. Cummings. I heard what you said about the skunk and all 
that.
    Senator Grassley. Well, listen. I think your question is 
trying to put me between you two people, and I don't relish 
being there.
    But I have found in the United States Senate--I don't want 
to talk about the House of Representatives--I have found in the 
United States Senate that not a whole lot gets done if it's not 
done in a bipartisan way.
    But that's because our two institutions are different. We 
function under a 60-vote rule that requires, when you have 55 
of one party, 45 of the other, you have got to do something in 
a bipartisan way.
    And I have also found, as a member of the minority, that it 
makes a real difference who is chairman of the committee. When 
I was working with Senator Baucus on the Finance Committee and 
he was in the majority, I didn't get much response from any 
administration without the help of the chairman.
    Mr. Cummings. Have you had an opportunity to talk to the 
whistleblowers?
    Senator Grassley. We have only talked to their attorneys.
    Mr. Cummings. I see.
    Chairman Issa and I had a good discussion this morning 
prior to the hearing. And one of the things that he raised--and 
I agreed--it seems like this--and I want the witnesses to hear 
this--it seems to me that the issue comes down to this: When--
first of all, there was a situation which screamed out for 
somebody to look into it. In other words, New York Times 
writing articles with trade secrets, it seems like the agency 
had a duty to at least look into it.
    Would you agree with that?
    Senator Grassley. Would you please ask your question again.
    Mr. Cummings. In other words, the way this whole thing 
started, apparently, are some stories in the New York Times 
with trade secrets in the New York Times that weren't supposed 
to be there.
    Senator Grassley. Okay.
    Mr. Cummings. And so I think it started off legitimately 
saying, ``Okay. We have got a problem here because this 
information is not supposed to be in the New York Times.''
    So would you agree that, at least starting, they had 
something that they needed to look into? Now, I am not saying 
they did it right. I am just asking you----
    Senator Grassley. Okay. I am not sure that I can answer 
your question.
    Mr. Cummings. Okay.
    Senator Grassley. But let me see if I can speak to it and 
give you some satisfaction.
    I think it gets down to a point of whether or not the 
information was accurate or not that these whistleblowers were 
talking about. We have not looked into the accuracy of that 
information. We have only looked into it from the standpoint 
that some people say there is some problems.
    And that's where you get back to the point that I have made 
a couple times, not about the skunk, but about the scientific 
process, that we want an environment within the FDA where the 
scientific process works its way out and is not interfered by 
people that aren't scientists or involved in that process.
    And I will only go back to one other instance a long time 
ago. But we have found that--in one instance years ago, we 
found email from industry that said, ``Well, if you have got a 
problem with our product, talk to us.''
    Well, the point is that the FDA should not consider a 
manufacturer or a company across the table from them. The only 
people that should be across the table from the FDA scientists 
or regulators are the John Q. Public.
    Mr. Cummings. Okay. And so, in this case, a group of FDA 
employees alleged that certain medical devices may have safety 
problems.
    Now, if their allegations are correct, that is obviously a 
huge problem for everyone who relies on these types of medical 
devices when they become ill or get in an accident.
    On the other hand, if these allegations are not correct, 
these FDA employees could be doing damage. They could be 
keeping safe medical devices off the market and out of the 
hands of doctors who use them to help people.
    And I think that you would agree that we--if devices should 
be on the market to save people's lives and make them better, 
they ought to be there. Would you agree with that?
    Senator Grassley. Well, the answer to that is ``yes.'' But 
how do you--how is that decision made? It's not going to be 
made by us in Congress.
    Mr. Cummings. I got that.
    Senator Grassley. It's going to be made by the scientific 
approach in the FDA.
    Mr. Cummings. Just one more question, Mr. Chairman.
    Let me just get to this--the key question that the chairman 
and I were discussing this morning.
    It seems to me that, if they had done this--the 
investigative folk had done this in a retrospective way as 
opposed to a prospective way, we probably would not have the 
issues--as many issues as we have today. Do you think?
    Senator Grassley. Well, yes. But I have to surmise--because 
I can't answer your question. But I have to surmise the reason 
it worked out the way it worked out is people weren't getting 
the proper respect within the agency for their opinion.
    Mr. Cummings. I see.
    Senator Grassley. And their opinion could be wrong. But the 
scientific process is going to prove whether or not they were 
right or wrong.
    Mr. Cummings. Well, again, I want to thank you for being 
here. I really appreciate it.
    Senator Grassley. Thank you.
    Mr. Cummings. And I look forward to working with you.
    Senator Grassley. Please do.
    Mr. Cummings. We need to get together and meet sometime.
    Senator Grassley. I will take you to eat in the Members' 
dining room, and I will pay for it, if you want to take me up 
on that.
    Mr. Cummings. All righty. Thank you.
    Chairman Issa. Senator Grassley, we know how hard it was 
for you to say that.
    Senator Grassley. And it hurt. But since I said it, I will 
have to do it.
    Mr. Cummings. I will hold you to it, too.
    Chairman Issa. Thank you. We are going to take just a quick 
recess to set up the table. Thank you, Senator.
    [Recess.]
    Chairman Issa. We now welcome our second panel.
    Dr. Jeffrey Shuren is the Director of the Center for 
Devices and Radiological Health at the FDA. Ms. Ruth McKee is 
the Associate Director for Management and the Executive Officer 
of the Center for Devices and Radiological Health. Mr. Walter 
Harris is Chief Operating Officer and Acting Chief Information 
Officer for the FDA and, presumably, the person that would 
approve such an activity in the future under the rules. And Ms. 
Angela Canterbury is the Director of Public Policy for the 
Project on Government Oversight, or POGO.
    And we welcome all of you.
    Pursuant to the committee's rules for any non-Senators or 
House Members, would you please rise and take the oath. And 
please raise your right hands.
    Do you solemnly swear or affirm the testimony you are about 
to give will be the truth, the whole truth, and nothing but the 
truth?
    Please be seated.
    Let the record reflect that all witnesses answered in the 
affirmative.
    In order to allow time for questions, I would ask that you 
be as close to 5 minutes as possible in your opening 
statements. Your entire written opening statement will be 
placed in the record.
    And, Dr. Shuren, I understand you do not have an opening 
statement. Is that correct?
    Dr. Shuren. That is correct.
    Chairman Issa. Okay. In that case, we go to Ms. McKee.
    Ms. McKee. I don't have one either. Mr. Harris is speaking.
    Chairman Issa. Okay.
    Mr. Harris?

                   STATEMENT OF WALTER HARRIS

    Mr. Harris. Good morning, Chairman.
    Chairman Issa, Ranking Member Cummings, and members of the 
committee, I am Walter Harris, the Deputy Commissioner of 
Operations, Chief Operating Officer, and Acting Chief 
Information Officer at FDA.
    With me is Dr. Jeff Shuren, the Director of FDA's Center 
for Devices and Radiological Health, and Ruth McKee, CDRH 
Associate Director for Management.
    I am pleased to be here today to discuss issues related to 
the monitoring of FDA's personnel's use of the agency's IT 
systems. Safeguarding the confidential information that 
regulated entities share with FDA is critical to our ability to 
carry out FDA's public health mission.
    FDA routinely receives and reviews trade secrets and 
confidential commercial information from medical product 
sponsors. This information is central to FDA's determination of 
a medical product's safety and efficacy. Without the ability to 
fully access and secure this proprietary information, FDA 
cannot accomplish its public health mission.
    FDA employees secure the controls throughout our IT 
enterprise, including the monitoring of FDA personnel's use of 
government-owned equipment. This and other IT controls supports 
protections of intellectual property entrusted to FDA from 
theft or sabotage.
    Unauthorized disclosures of information not only violates 
Federal law and regulations and undermines the integrity of FDA 
programs, they also can result in civil suits against FDA.
    So it's critically important that FDA protects against 
unauthorized disclosure of such information by agency personnel 
and for the FDA to appropriately investigate any suspected 
incidents of unauthorized disclosure.
    FDA personnel are regularly advised that they have no 
reasonable expectation of privacy when using FDA computer 
networks and that any use of agency IT resources, including 
email, may be monitored. This notice is provided by a variety 
of means, including a warning banner that an employee must 
acknowledge every time he or she logs on to the FDA network, 
which clearly states that, by logging onto the system, the user 
consents to having no reasonable expectation of privacy 
regarding any communications or data in transit or stored on 
that system.
    All FDA users are also made aware of HHS policy that any 
use of HHS email may not be secure, it is not private, it is 
not anonymous, it may be subject to disclosure, and that 
employees do not have the right to, nor expectation, of privacy 
at any time while using HHS IT resources.
    Although FDA has clear legal responsibility and authority 
to monitor personnel use of agency IT resources, we must carry 
out such monitoring in a way that recognizes employees' 
interests and legal protections.
    In 2010, FDA suspected that five CDRH employees were using 
FDA IT systems to send trade secrets or confidential commercial 
information outside of FDA, in possible violation of FDA 
regulations and criminal laws.
    To investigate the suspected leaks, FDA employed computer-
monitoring software on those employees' government-issued FDA 
computers, the computer surveillance that is currently the 
subject of ongoing litigation.
    In 2012, the HHS Office of Inspector General, or OIG, was 
asked to assess whether that monitoring was appropriate and to 
provide recommendations on how FDA should investigate 
allegations of improper dissemination of confidential 
information.
    Yesterday the OIG issued its report. Significantly, the OIG 
found that the CDRH had reasonable concerns that confidential 
information had been disclosed by the monitored employees 
without authorization.
    The OIG also found that FDA had provided notice through the 
network log-in banner to those employees that the use of their 
FDA computers would be monitored.
    The OIG found no evidence that FDA obtained or used 
passwords of any employees' private email accounts, and the OIG 
found that there were no evidence suggesting that FDA 
monitoring was designed to capture communications with any 
particular person, group, including Congress.
    Yet, we understand that we must have adequate procedures in 
place when conducting such monitoring. Indeed, since 2012, we 
have been reviewing and evaluating our policies for monitoring 
the use of government-owned computers to ensure they are 
consistent with the law and with Congress's intent to provide a 
secure channel for protected disclosures.
    In September 2012, Commissioner Hamburg directed FDA 
leadership to adopt policies for requests to monitor FDA 
computers to make sure that any monitoring is justified, 
narrowly tailored and duly authorized, that data derived from 
monitoring is appropriately stored and controlled, and that 
monitoring is used for appropriate purposes and takes place for 
no longer than necessary.
    Last September, we issued our interim computer-monitoring 
policy. This policy provides standards when employee computer 
monitoring takes place.
    It established a special committee to review monitoring 
requests. It requires that monitoring requests be narrowly 
tailored in time, scope, and degree. It requires that all 
requests identify the least invasive approach.
    It also requires considerations of alternative methods to 
address the potential risk, provide documentation standards, 
and states that no computer monitoring may target 
communications with law enforcement, the Office of Special 
Counsel, members of Congress, union officials, or private 
attorneys.
    Notably, yesterday's OIG report acknowledges that our 
September 2013 interim computer-monitoring policy addresses all 
of the OIG's recommendations.
    In order for FDA to effectively carry out its public health 
mission, we must be vigilant to protect against the misuse or 
unauthorized disclosure of confidential information that is 
regularly entrusted to the agency.
    We believe that the policies and procedures we have in 
place appropriately and effectively balance the individual 
interests of employees with FDA's critical needs to safeguard 
the security and integrity of data and IT systems that the 
agency is entrusted to manage.
    Thank you for your commitment to FDA's mission and for the 
opportunity to testify today about the monitoring of FDA 
employees' use of agency IT resources and FDA's 
responsibilities to secure medical product sponsors' 
confidential information.
    I am pleased to answer any questions.
    Chairman Issa. Thank you.
    [Prepared statement of Mr. Harris follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    
    Chairman Issa. Ms. Canterbury?

                 STATEMENT OF ANGELA CANTERBURY

    Ms. Canterbury. Thank you.
    And good day, Chairman Issa, Ranking Member Cummings, 
members of the committee.
    The FDA spied on whistleblowers, which set off a firestorm 
that led us to this hearing today. But the public story of 
whistleblowers began in 2008, when FDA physicians and 
scientists warned Congress, and shortly thereafter the 
President, that the process for approving medical devices was 
broken, allowing potentially ineffective and unsafe products to 
be marketed. And as Senator Grassley noted, there has long been 
problems with bureaucrats at the FDA respecting the scientific 
process.
    The report released today by Chairman Issa and Senator 
Grassley and the HHS IG report document how FDA surveillance of 
whistleblowers was reckless and heedless of legal limits and 
whistleblower protections. Certainly security concerns and 
available technology will outstrip constitutional rights and 
whistleblower protections unless Congress works to balance 
those goals.
    To be frank, we question why FDA should be in the 
surveillance business in the first place. The FDA's mission is 
to ensure our food and drugs and devices are safe.
    Any suspicion of unlawful disclosures of information or 
criminal misconduct should be investigated by law enforcement. 
Federal agencies cannot be allowed to police themselves. That 
is why we have IGs, the OSC, the FBI, and Congress.
    Ms. Canterbury. Even with just cause and proper controls, 
it will be difficult, if not impossible, to protect 
whistleblowers if agencies are allowed to gather electronic 
evidence without limits or oversight. And to what end? The 
Issa-Grassley report shows the leaks of confidential 
information to the press were not confirmed by this pervasive, 
invasive electronic surveillance. And so, as with the NSA 
domestic surveillance, the risks to our rights may be greater 
than the ability of surveillance to protect against risks to 
security, much less claims of harm to trade secrets or harm to 
profits.
    No doubt the FDA is in a tough spot: attempting to put into 
place a process that is more proscribed for surveillance 
critics, but also placating the lawyers for drug and device 
companies that demand that information be kept confidential. 
Needless to say, the FDA does not have it right yet. Rather 
than protect whistleblowers from unwarranted FDA surveillance, 
its interim policy protects the FDA from whistleblowers. It 
shields it from accountability. Nothing in the FDA's interim 
policy would prevent FDA managers from using information 
collected by the surveillance as retaliation for 
whistleblowing. Thus, this policy does little to lift the 
chilling effect that fosters wrongdoing. How can the FDA ensure 
the public's health and safety if the scientists and physicians 
are too afraid to come over when deadly mistakes are made?
    And far too many mistakes are made. Inadequately tested 
metal-on-metal hip replacements cause crippling disability. 
Defective cardiac defibrillators, unclean syringes containing 
deadly bacteria, old-fashioned pediatric feeding tubes cause 
fatalities because they lack the well-known, inexpensive 
safeguard. And these are just the medical devices that the FDA 
allowed on the market, not to mention the food and drug 
approval disasters.
    And if the FDA isn't doing its job and lives are at risk, 
we have to ask why. The FDA whistleblowers warned us that 
corners were being cut and scientists were being overruled by 
the bureaucrats.
    We need whistleblowers. However, it is worth noting that 
throughout Mr. Harris' testimony there was no acknowledgment of 
the public interest in protecting whistleblowers, only of 
employee protections, yet it is well known that whistleblowers 
save lives and taxpayer dollars and are among the best partners 
in crime fighting. Congress protected public whistleblowing so 
that waste, fraud, and abuse, and threats to public health and 
safety would be known.
    As Senator Grassley said, you couldn't do the majority of 
the oversight this body does without whistleblowers and without 
the media, but the FDA policies do nothing to encourage or 
safeguard public whistleblowing, which is protected so long as 
the disclosure of information is not prohibited under law. They 
claim to exclude from surveillance in their interim policy the 
targeting of disclosures to Congress, the OSC, and others, but 
this is not enough. A legal review at the front end will not 
prevent legal public whistleblowing collected through spying 
from falling into the hands of those in a position to 
retaliate.
    Clearly, the FDA and other agencies will not get this right 
on their own. Congress and the President must mandate a 
government-wide policy to prevent future surveillance abuses. 
Of course, interfering with communications to Congress and 
retaliating for whistleblowing is already against the law, and 
there are some protections for the identities of whistleblowers 
in other laws, but Congress should consider specifically 
protecting the identity of a whistleblower in any surveillance 
that is done by an agency.
    Today, we don't nearly know enough about the scope of 
surveillance across the government. I encourage you to order a 
report, a study looking at this issue. I encourage you to 
conduct oversight over other concerns with national security 
and insider threat programs that might threaten whistleblowers. 
But importantly, we must not forget what brought us here today, 
which is the FDA whistleblowers. They were concerned about the 
device approval process they believed might put lives at risk.
    FDA officials should not be held accountable for 
approving--they should be held accountable for approving 
ineffective and unsafe products, and flawed devices must be 
taken off the market. There must be more transparency and less 
deference to the demands for confidentiality by drug and device 
companies. Seriously, I wonder how much time and taxpayer 
dollars is spent protecting so-called confidential commercial 
information.
    Finally, please do all you can to ensure that FDA managers 
are held accountable for any violations of the rights of the 
scientists and physicians who sought to make medical devices 
more safe and more effective. Thank you.
    Chairman Issa. Thank you.
    [Prepared statement of Ms. Canterbury follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairman Issa. Mr. Harris, a couple of questions. First of 
all, I mentioned you'd be the person that would review a 
request to spy on an employee in the future, you would be the 
first point of contact. Is that correct?
    Mr. Harris. Yes, sir.
    Chairman Issa. Okay. And your degree is in business 
administration?
    Mr. Harris. Can you repeat the question?
    Chairman Issa. You have an MBA?
    Mr. Harris. Yes, sir, I do.
    Chairman Issa. You're not a lawyer?
    Mr. Harris. I'm not.
    Chairman Issa. And the person that you, once you decided to 
do it, that you'd go to, would be the same person, the general 
counsel, who approved the spying in the past. Is that correct?
    Mr. Harris. Well, I want to give the committee accurate 
information, so most of what we speak about today predates my 
tenure at FDA.
    Chairman Issa. No, no, I understand. I'm just looking at 
the process.
    Mr. Harris. Right.
    Chairman Issa. The process in place, the so-called 
protection that the agency has put forward is you'd still go to 
the same general counsel. The first lawyer, if you will, would 
be the lawyer who thought this was just fine before, which is 
the general counsel, and second of all, before that, you'd go 
to the chief operating officer, who is, by definition, probably 
not an attorney.
    Mr. Harris. That's right.
    Chairman Issa. Okay. I just want to understand the system 
because I don't approve of it.
    Mr. Harris. I'll give you the process. So we have a process 
that requires a request to be formally written.
    Chairman Issa. No, no. I apologize. But I only have 3 
minutes and 55 seconds, and to be honest, the process sucks. So 
now let's move on.
    Ms. Canterbury, you said it very well. They had suspected a 
criminal activity. Is that correct?
    Ms. Canterbury. They suspected that confidential 
information----
    Chairman Issa. Right. So alleging----
    Ms. Canterbury. --was disclosed.
    Chairman Issa. Right. So alleging the criminal activity, 
they did not go to the IG, they did not go to the criminal 
investigation units of which there are a multitude within--HHS 
has their own, obviously the FBI.
    Let me ask a question, Mr. Harris. Your opening statement, 
you used some very carefully toned words, and I picked up on 
just a couple of them as another nonlawyer with a business 
degree. You said that you didn't target or use a term like that 
of Members of Congress, but you didn't protect, in other 
words--not you--but the general counsel received all of the 
information without any attempt to screen out, you know, Mr. 
Van Hollen or my committees or Senator Grassley's committees or 
for that matter, lawyers, doctors, there was no protection in 
place.
    Mr. Harris. Again, Mr. Chairman, that predates my time at 
FDA.
    Chairman Issa. Right. But I just want to make sure that's 
correct, that there was no protection put in place. So the idea 
that you didn't target doesn't really matter. You didn't 
protect the likelihood of five known whistleblowers, and 
especially Dr. Smith, a known whistleblower, the likelihood is 
he's still talking to Members of Congress, he's still--he 
didn't change his opinion that the FDA had problems. So by 
definition, the FDA knowingly intercepted correspondence with 
Members of Congress because there was a reasonable expectation 
that he was having correspondence with Members of Congress.
    Let me just ask a couple of quick questions. To your 
knowledge, you weren't there at the time, there were five 
people targeted. Was there anybody else at the FDA that had 
access to the information that was linked to The New York 
Times? Anyone else?
    Mr. Harris. Again, that predates my time at FDA.
    Chairman Issa. Well, why don't we make the assumption that 
there were just a load of them, that these five people were by 
all reasonable account not the only ones that had the ability 
to have gotten this information.
    Since you received none, the real question is, did the FDA 
and does the FDA have not the ability to be narrow, but the 
ability to be broad? If you have a leak and 4,000 people could 
have leaked it, the only way to do it properly would be to make 
the assumption that you had to equally monitor 4,000, unless 
you had a specific, credible reason to believe that one person 
had done it. Isn't that right? You're the approving officer. I 
need to understand how you would do it.
    Mr. Harris. In the current process, we would ask for a 
written request. That request would then be reviewed by a 
committee before we make any actions happen. From the 
committee, it goes to a legal review, and we get----
    Chairman Issa. You're the final approval. Would you have 
targeted just these five known whistleblowers or would you have 
had to target more people who had accessed that information?
    Mr. Harris. It depends on the scenario.
    Chairman Issa. Okay. So you're not binding yourself to any 
kind of protection for the Federal workforce from being 
targeted.
    Mr. Harris. Just the opposite, Chairman. We clearly state 
in all documents these days, since our new policy has been 
implemented, that we consider interactions with the Hill, legal 
counsel, OMB, et cetera, as protected activities. When our 
staff has any interaction with that type of information, they 
know to----
    Chairman Issa. Oh, your staff.
    Mr. Harris. Any staff.
    Chairman Issa. Oh, no, no. But the whole point is, who gets 
to see this information under your current policy first?
    Mr. Harris. Under the current policy, the information comes 
immediately back to me. I then bring the appropriate folks to 
the table. We talk through our next steps. It goes no further.
    Chairman Issa. Okay. So you're looking at correspondence 
that they had with me and you're going to protect me.
    Mr. Harris. No. No. What I'm doing is actually when they 
walk up on that type of information, they cease----
    Chairman Issa. Who is they?
    Mr. Harris. Those who are actually----
    Chairman Issa. Who are they?
    Mr. Harris. Those staff members who are part of the 
process.
    Chairman Issa. Okay. I just want to understand. You've got 
staff members looking at correspondence with Members of 
Congress.
    Mr. Harris. No, sir.
    Chairman Issa. Well, you just said that.
    Mr. Harris. That was not my statement. My statement was, 
when we are going through the monitoring process, should my 
staff who is actually administering the monitoring process find 
information of that type is considered protective activity.
    Chairman Issa. But they see it in order to consider it.
    Mr. Harris. They do stop--well, you know, during the 
monitoring process they may walk up on that, but they stop all 
processes today. I can't tell you what happened 2 or 3 years 
ago, but I can tell you what happens today.
    Chairman Issa. Okay. Well, let me just close by saying do 
you know the name ``Paul Hardy''?
    Mr. Harris. I do.
    Chairman Issa. Do you know what happens if you Google his 
name?
    Mr. Harris. No, sir. What happens?
    Chairman Issa. Well, he Googled his name because he was 
concerned and apparently looking for a job, feeling that his 
was insecure.
    Mr. Harris. Oh, I'm sorry. I thought you said Paul Harvey.
    Chairman Issa. No, Hardy.
    Mr. Harris. No, I don't know Paul Hardy.
    Chairman Issa. Well, he was one of the targets, and the 
Internet was filled and Google-able with all those screen shots 
basically, because your agency took no precautions on that 
confidential information, his correspondence with Congress, if 
it was there, his correspondence with his doctor, his lawyer, 
his priest, anybody. And it simply became an Internet 
phenomenon that you could Google and get it because it was put 
out on an open site because the FDA did not take the 
precautions, did not fill out the forms properly, and did not 
protect that information which it had captured clandestinely. 
Isn't that true?
    Mr. Harris. Well, that may have been the case a few years 
ago.
    Chairman Issa. No, no, no, wait a second. You're a witness, 
you're under oath.
    Mr. Harris. I am, sir.
    Chairman Issa. You say may have been the case. Are you here 
today and you don't know if it was the case?
    Mr. Harris. I was not there 2 years ago, so I would not 
have----
    Chairman Issa. Do any of you know if it was the case or if 
I'm just coming up with something that's Internet lore?
    Ms. Canterbury. Respectfully, sir, I believe that Dr. 
Shuren was in charge of CDRH at the time.
    Chairman Issa. Are you familiar with the--and I'm just on 
the same thing, I've got to give time to the ranking member--
but are you familiar with the release of that information, the 
fact that it wasn't protected, and it became essentially 
Internet public?
    Dr. Shuren. Yes, I know information was made public. I 
don't know the full extent of it. I wasn't involved in dealing 
with the contractor or any handling of that material. But I am 
aware that information was posted on the Internet.
    Chairman Issa. Okay. And I'll give you equal time, but if I 
had your indulgence for one more quick question.
    There has been an alluding to the confidential information 
The New York Times got. Just for the record, it wasn't patent 
information. It wasn't a deep, dark secret on how you make a 
product. It was the fact the product was in question as to 
whether it was safe and effective. Isn't that correct, Doctor?
    Dr. Shuren. It was whether or not the product was under 
review, and that has been considered confidential. Companies 
many times do not want competitors to know that they're working 
on a product and that it's under review by the agency.
    Chairman Issa. Okay. I just want to understand. The level 
of trade secret is a product, The New York Times reported, was 
under review and may not have been safe.
    Dr. Shuren. It was just simply that the product was under 
review would be confidential commercial information.
    Chairman Issa. Okay. But it's something that--I want 
everyone to understand that the term ``confidential'' is not 
the term the public thinks is all that confidential. Most 
people look at these products, clinical trials, the process of 
approval, and then the question of whether they're being re-
reviewed, most people probably listening and watching today 
believe the public has a right to know that information and may 
not agree with the FDA's view that that is private or 
confidential or somehow a secret from the American people as to 
whether a product that may or may not yet be on the market is 
safe and effective.
    Ms. Canterbury, if you wanted to respond quickly.
    Ms. Canterbury. I couldn't agree more. I think that at the 
base of all of these questions is, why is this information 
considered confidential in the first place, and is that serving 
the public health and safety? I think that there needs to be a 
question answered about why the FDA did not choose to first 
verify whether or not it was legitimately considered to be 
confidential in the first place and investigate that matter 
instead of investigating a so-called leak of confidential 
information.
    Chairman Issa. Thank you.
    Mr. Cummings.
    Dr. Shuren. If I may. I was going to respond to your 
question.
    Chairman Issa. Of course.
    Dr. Shuren. But our employees know that that information is 
confidential, and that has been for longstanding time. Keeping 
that information confidential is critically important. It can 
undermine ongoing review of medical device applications. In 
fact, I believe in that particular case it, in fact, did that. 
It undermines our medical device program, keeping that 
confidential information confidential. Companies, that 
information we need for making decisions about products, and 
companies rely on the fact that we protect that information. We 
don't protect it, the companies don't bring innovative 
technologies to the U.S., our patients lose. Public health gets 
hurt when that happens. That's why those protections are in 
place in the first place. That's why Congress put the 
protections in place. And it hurts American businesses----
    Chairman Issa. Doctor, I appreciate what you're saying. 
They bring innovative products here because of profit. But 
let's understand one thing. Do these companies sign a gag 
order, are they prohibited from disclosing that you're looking 
at it?
    Dr. Shuren. No, they may disclose it. That is their 
decision to make. It's their information.
    Chairman Issa. Okay. Thank you. It's a one-way gag order.
    Please, Mr. Cummings.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    I want to pick up where the chairman left off. Dr. Shuren, 
prior to the initiation of the monitoring, the agency believed 
that the FDA employees were involved in unauthorized 
disclosures of confidential information and trade secrets as a 
result of the monitoring. What did the agency find?
    Dr. Shuren. So the agency did find, as I understand that, 
there was unauthorized disclosures to members of the public, 
and that is, from our perspective, in violation of HHS 
personnel policy and probably a violation of the law.
    Mr. Cummings. So the agency found clear evidence that Dr. 
Smith and the other FDA employees whose computers were 
monitored were involved in unauthorized disclosures of 
confidential agency information. And as I understand it, that's 
a violation of the law and can be subject to criminal 
penalties. Is that correct?
    Dr. Shuren. Depending upon the kind of information that's 
released. But, yes, this can be violative of the law.
    Mr. Cummings. Now, when I listen to Ms. Canterbury--and I'm 
going to come back to you in a moment, Ms. Canterbury--you 
know, one of things that she said was perhaps the FBI and other 
agencies should be handling these kinds of issues. And I'm 
trying to figure out how would even--and you can address this 
in a minute--I mean, you all have laws that we passed that 
you're trying to adhere to. And so, I guess there's almost a--
there is a duty to at least look into it. Is that right?
    Dr. Shuren. There is an obligation to look into it.
    Mr. Cummings. And if you don't look into it, then you're in 
trouble. Is that right?
    Dr. Shuren. That's correct.
    Mr. Cummings. And as I understand it, with regard to The 
New York Times, there were people who were--companies that were 
complaining that, look, you know, we gave you information, we 
expected it not to be--not to read about it in The Times. 
That's the last place we expected it to be. We thought it was 
confidential. And now this is where we see it. Is that fair to 
say?
    Dr. Shuren. That is correct. Actually, the company involved 
sent a complaint and actually pointed out that we were in 
violation of Federal law. They asked for an internal 
investigation. Five days after receipt of that letter is when 
monitoring was started. It was also in the setting of a pattern 
of unauthorized disclosures that had occurred starting over a 
year before.
    Mr. Cummings. Now, I don't know whether you--you need to 
hear this question, too, Mr. Harris--I don't know whether you 
heard me a little bit earlier, but it seems that there is a 
major issue here with regard to whether this investigation 
should have been just retrospective or retrospective and 
prospective. And I'm just wondering what's your view on that.
    Dr. Shuren. So the honest answer is, I don't know. I'm not 
an IT expert. And when the issue was raised what we asked for, 
what I asked my executive officer for was options to try to 
identify the source of the leak and to address further 
unauthorized disclosures. Our information technology people 
decided on what the appropriate solution would be. So I do not 
have the expertise.
    Mr. Cummings. So you just passed it on, look, you said we 
got a--obviously The New York Times has got information that 
they're not supposed to have, I just want you to help me figure 
out how this information is getting out there. Is that one of 
the things you wanted to know?
    Dr. Shuren. Yes, what the source of the leak was, what the 
options were for doing it. And they proceeded to authorize----
    Mr. Cummings. And what was your plan after you got this 
information? I mean, what happened?
    Dr. Shuren. So what happened with the information, we put a 
process in place; also tried to protect privacy. First the IT 
people collected information they thought met very narrow 
search terms. That information was then put on secure iron 
keys, one of two. It was passed to my executive officer. It was 
then conveyed to a subject matter expert to look at, was there 
confidential information in here? And then if there are issues 
of concern, there was something I called the management team. 
There was a group set up, which was the assistant commissioner 
for management, it was lawyers from HHS and employment law, and 
it was people from our labor employee relations, a group 
already established actually as in part as a protection for 
these complainants. And that information then went up to these 
individuals and others to try to decide what, if there is an 
issue here, what are the appropriate steps to take, which could 
be administrative or could be referred on for other action.
    Mr. Cummings. And do you know which specific medical 
devices these individuals were concerned about?
    Dr. Shuren. I know of some that were reported out in the 
press and some that went on a referral up to the OIG. And I say 
that because I wasn't a subject matter expert, and I'm not the 
person who makes the personnel decision, so I was not reviewing 
the emails. We were trying to limit the people who would look 
at any information coming out in order to respect privacy of 
the individuals.
    Mr. Cummings. Now, have these employee safety concerns been 
borne out? So you don't know that either? In your assessment, 
were their concerns valid?
    Dr. Shuren. Well, for the products--and I am aware of the 
concerns that they were raising on a variety of products, and I 
don't think that their concerns were valid. I'll raise the case 
in question here of The New York Times article of CT 
colonography, which was to be used to screen asymptomatic 
patients for cancer. And there was a lot of good evidence on 
the table, several clinical studies, a big one that was funded 
by the Federal Government. And just last year, we held a joint 
meeting of two advisory committees at the FDA, experts in 
radiology and gastroenterology, 20 people in all, and they 
unanimously felt that CT colonography should remain an option 
for the screening of asymptomatic patients.
    Mr. Cummings. Well, it's interesting that the employees 
raised concerns regarding integrity of the device review 
process, and they called it corrupted and distorted. Did you 
know that?
    Dr. Shuren. Yes.
    Mr. Cummings. And when you first took over the center, did 
you evaluate these concerns regarding the review process?
    Dr. Shuren. I did look into the concerns from my own 
standpoint of the complainants. The Office of the Inspector 
General was also investigating whether or not managers were 
retaliating against these complainants. And I will tell you the 
OIG found that there was no retaliation, there was no 
prohibitive personnel practices. The complainants raised 
concerns about that investigation, they reopened it, and then 
they subsequently concluded again there had been no 
retaliation.
    I will tell you I also took steps along the way for trying 
to assure that these complainants were actually protected and 
to make sure that if there really were problems and if I 
thought there were problems, I would have done something about 
it.
    Mr. Cummings. And so you're telling us today under sworn 
testimony that you are concerned about whistleblowers and would 
do everything in your power to protect them?
    Dr. Shuren. Yes, I would. One example of something that I 
did do soon after I got there, I was hearing concerns from 
them, I was looking into the managers, I did not see problems. 
But I said to them, look, you're complaining about the managers 
all the way up your chain of command to the office director. 
Here is what I will do. I have two offices involved in 
premarket review. I will offer to move the entire Radiological 
Devices Branch out of the one office and move it to a new 
office with new managers.
    I didn't have evidence that I had bad managers. The OIG was 
continuing its investigation. But I said, in light of that, if 
the OIG finds problems, we will pursue that. But I am willing 
to do this. I am willing to disrupt my organization because of 
your concerns. And I did that. They wanted the move. I made the 
move. And within a few weeks of the move, the exact same 
complaints were now being levied against a brand new group of 
managers.
    Mr. Cummings. Ms. Canterbury, you heard Mr. Harris, and he 
talked about the IG report. I guess that was what he was 
saying, the recommendations have now----
    Mr. Harris. Yes, sir.
    Mr. Cummings. You are telling us, Mr. Harris, that all of 
those recommendations are now in place?
    Mr. Harris. Yes, they are.
    Mr. Cummings. And when did they go in place?
    Mr. Harris. September of last year.
    Mr. Cummings. September of last year. So with regard to the 
recommendations, you all didn't know about them in September, 
did you?
    Mr. Harris. No.
    Mr. Cummings. We just got the report last night.
    Mr. Harris. Correct.
    Mr. Cummings. So, how did, I mean, how did that come about, 
just out of curiosity?
    Mr. Harris. Again, it goes back to I documented a couple of 
notes in Ms. Canterbury's statements about making sure we 
protect all employees and their rights. She's right on the 
money. So our process does that.
    I got a little bit concerned with the chairman's comment 
that the process may suck. So the reason we're here is because 
they were not commonly understood across the agency. So what we 
put in place today are commonly understood processes where a 
request comes in, it's formally documented, it then goes before 
a committee, and then goes for a legal review and approval. 
Even beyond that, if we approve a process for monitoring to 
begin, there are regular checkpoints along the way to make sure 
we know what's going on there.
    So we weren't aware of the IG's report, but, you know, we 
could have taken this in a Keystone Kop approach and then find 
ourselves here on a regular basis. We decided to look at a more 
methodical approach to this, and knowing that there are many 
scenarios out there that we have consider when putting any 
policy like this in play. What I want to have us do is have the 
folks who operate within the administrative process, when it 
comes to monitoring, understand the processes first, then we 
permeate the organization so they can understand what 
procedures we go through.
    Mr. Cummings. Ms. Canterbury, just in my last question. You 
have your concerns. You heard Mr. Shuren say that he's very 
concerned. It sounds like Mr. Harris is very concerned and 
taken steps to address the issue. Do you believe that it's been 
adequately addressed?
    Ms. Canterbury. Thank you, sir. I believe that they are 
taking steps. I don't believe it's been adequately addressed. I 
would very much like to hear how he intends to protect the 
public whistleblowing once he receives, as COO, what has been 
collected. And there is no legal review of the collected 
information guaranteed under the interim rules, and I would 
like to hear from him on that.
    I also think it's curious that Dr. Shuren said that he 
sought to protect those particular whistleblowers who were 
targeted for surveillance. If that's his idea of protection, I 
find that very curious.
    I also want to point out that it doesn't matter if the 
whistleblowers' concerns bear out to be valid, whether those 
devices are unsafe or effective. As you know, sir, it is a 
reasonable belief that is protected under law for 
whistleblowing.
    And I also wanted to just point out another curious thing 
that Dr. Shuren said, which was the surveillance began 5 days 
after the receipt of a letter from GE Healthcare. In fact, the 
letter is dated April 16th. They received the letter on April 
21st, and the surveillance began on April 22nd, according to 
documents that we have through FOIA and through the IG report 
and through the staff committee report. So I have never in my 
life, sir, seen the Federal Government move that fast. I find 
it highly suspect that the letter arrived and then they made 
the decision after the arrival of the letter to do this 
surveillance.
    Mr. Cummings. Well, Ms. Canterbury, my time has run out. 
This is what this is all about, trying to make sure that the 
Federal Government is doing the right thing. But I want to keep 
in mind what Mr. Shuren did say. He's saying he's got a set of 
laws that we passed, and he's trying to adhere to the laws that 
we passed, and so there are certain things that they had to do. 
The question is, did they do it right? I don't think so. But it 
sounds like they're going in the right direction.
    Unfortunately, I've run out of time. I wish Mr. Harris 
could answer your question, but I've run out of time, and I'll 
yield back.
    Mr. Farenthold. [Presiding] Thank you very much, Mr. 
Cummings.
    We'll now recognize the gentleman from Michigan for 5 
minutes.
    Mr. Walberg. Thank you, Mr. Chairman, and thanks to the 
witnesses for being here today.
    Dr. Shuren, I'll give you a chance to respond to the 
timeline that Ms. Canterbury addressed here. It appears the 
differences in the dates of beginning the investigation, 
sending the letters, respond to that, if you would, please.
    Dr. Shuren. Yes. No, in terms of when we received it, it 
was close, and my only point was, it was still within 5 days of 
getting the receipt of that letter the monitoring started. 
Mainly to say that this was not disconnected in time, that this 
was related to this complaint that came in, as well as a series 
of unauthorized complaints. That was my only point to make.
    Mr. Walberg. Ms. Canterbury, let me ask you some questions, 
and then you might respond to that with greater detail as well. 
Is there any situation where monitoring employee communications 
with Congress or OSC can be justified?
    Ms. Canterbury. No.
    Mr. Walberg. It's a simple answer. Then is the problem of 
monitoring protected employee communications widespread across 
the Federal agencies?
    Ms. Canterbury. I don't know----
    Mr. Walberg. Federal agencies.
    Ms. Canterbury. Yeah, I don't know the answer to that, and 
I don't know that anyone does. I think that it would be very 
good for this committee to order a study, a comprehensive 
independent study, perhaps at GAO, perhaps in consultation with 
the MSPB to determine the extent to which agencies are using 
surveillance programs on their employees.
    Mr. Walberg. So this could be widespread?
    Ms. Canterbury. It very well could be, and there could be 
widespread abuses.
    Mr. Walberg. What protections can agencies put in place to 
minimize the monitoring of protected communications such as 
with Congress or OSC?
    Ms. Canterbury. Well, firstly, I think that we need to 
question whether or not there is a legitimate reason for 
agencies to use surveillance on questions of criminal behavior 
or leaks of potentially unlawfully disclosed information. I 
think that, again, law enforcement should be conducting those 
investigations, and if there is a few legitimate, very narrow 
reasons to monitor employees in this way, can it be done in a 
way that is in balance with the rights, the constitutional 
rights, with whistleblower protections, and if not, perhaps 
good, old-fashioned management is in order.
    Mr. Walberg. Well, should management, in speaking of that, 
management be responsed to make sure that the law enforcement 
agencies are aware of their concerns, potential concerns? Is 
that what you would suggest?
    Ms. Canterbury. Yes, there would be a referral to a law 
enforcement agency.
    Mr. Walberg. To quickly step away, refer it to a law 
enforcement agency.
    Ms. Canterbury. Yes.
    Mr. Walberg. Mr. Harris, tell me about training that's 
being implemented since you've arrived, the directions that are 
going to management relative to leaks, relative to 
whistleblowers, how you deal with them, relative to responding 
to what we just discussed here about referring to an 
appropriate agency to deal with the law and not outside of the 
law.
    Mr. Harris. So can you give me your first question again?
    Mr. Walberg. First question is, what are you doing? What 
training having you implemented?
    Mr. Harris. Got it.
    Mr. Walberg. Secondly, what administrative steps have you 
made to make sure that the department, the agency stays out of 
it as much as possible, to make sure that whistleblowers 
understand that they're part of the agency but they're 
protected by the law and that there are appropriate agencies 
that will be brought in to make sure the law is followed?
    Mr. Harris. Yes. There is standard training that occurs at 
FDA. There is when an employee comes on board an orientation, 
they get understanding about IT security awareness programs and 
trainings. There is annual training for NO FEAR, which does 
address the whistleblower issues. We have regular training that 
goes on in the information technology groups.
    And so we have lots of required training every year for all 
of FDA to understand how security awareness works. We often, as 
I said earlier, the banner flashes up and makes them aware of 
their right to a reasonable lack of privacy. It comes up on all 
devices we give them.
    As it relates to the management process we put in place, 
clearly, as I stated earlier, I would like to address Ms. 
Canterbury, if I could. I think this would kind of tie it all 
together.
    Mr. Walberg. Tie it together.
    Mr. Harris. We consider the whistleblowers as our staff. 
They should not be treated any different as it relates to 
protection. We give everyone protection in our staff. So we 
don't consider them outsiders. We consider them as part of our 
staff.
    The way we want to try to approach the issue is the 
committee we put together is not just myself and a couple of 
attorneys. There is an HR director there to determine whether 
we infringed on employee rights. There is IT professionals 
there to give Mr. Shuren in the future better information and 
guidance. There's a legal team. And then there is myself. When 
we do find that we've stepped into an area where we have 
communication occurring between Congress or anybody else, 
again, they stop everything they're doing, nothing continues, 
monitoring stops, my office is notified.
    Mr. Walberg. Are you notified immediately then?
    Mr. Harris. Immediately.
    Mr. Walberg. When they come across something, it all stops.
    Mr. Harris. Immediately.
    Mr. Walberg. No more eyes are seeing it.
    Mr. Harris. Nothing else happens after that. And this is 
why the committee is such a small group. We then bring legal 
into the conversation, and if it's appropriate to send it out 
to another law enforcement agency, we do that.
    Mr. Walberg. Well, I appreciate the answer, but I would 
suggest that last statement would be the approach to take more 
rapidly, to the outside agency.
    Mr. Chairman, thank you.
    Mr. Farenthold. Thank you very much.
    We'll now recognize my distinguished ranking member from 
the Subcommittee on Postal, Census, and the Workforce, the 
gentleman from Massachusetts, Mr. Lynch.
    Mr. Lynch. Thank you, Mr. Chairman.
    I want to thank all the witnesses for your willingness to 
testify and to help the committee with its work.
    I do want to say that from an Oversight and Government 
Reform perspective, from this committee, our goal is to create 
and maintain an environment where whistleblowers can come 
forward. As has been said by Ms. Canterbury and the chairman 
and the ranking member, and Mr. Grassley earlier, our 
bureaucracies and these agencies and the work that they do has 
become so complex, whether it's financial derivatives or 
whether it's the FDA, some of us, it's just so complex that 
unless we have someone on the ground in place that comes 
forward, our chances of finding out about wrongdoing or 
misconduct is negligible.
    So we really need to make sure that we have an environment 
there where people feel comfortable that if they have a 
reasonable belief that the laws are being broken, or that the 
public is being harmed, that they can come forward.
    So there's a couple of instances. Usually the FDA flies 
below the radar screen. But this instance really gets me, and 
it's the second time recently that the FDA has just caused me 
to shake my head and ask what the heck is going on over there. 
You know, this instance it looks like there's a very robust 
framework in place to protect manufacturers' trade secrets. And 
in this case I'm not so sure anybody has ever pointed to 
specifically trade secrets that have been protected, but by 
God, we went after these employees because we thought there 
might be a chance that they might disclose something.
    So I think it was a very, very strong response in 
protecting the manufacturers. I think it was very, very weak in 
terms of protecting the employees. And, you know, I have to 
acknowledge, Mr. Harris, this predates your involvement here, 
so I'm not criticizing you.
    So I see the FDA overriding their scientists in this case. 
And the last time that the FDA, their conduct came to the 
attention of this committee, was the approval of Zohydro, okay. 
Now, I know this doesn't involvement medical devices, but in 
that case the FDA overrode, again, their own scientific panel. 
Their scientists voted 11-2 that approving Zohydro, which 
didn't have any protections against abuse, quite similar to the 
early iterations of Oxycontin, so 13 scientists, 11-2, they 
said to the bureaucrats, do not approve Zohydro. And the FDA 
turned right around, right around, with an opioid epidemic in 
this country from coast to coast. This is one of the most 
serious threats to our communities, and the FDA goes ahead and 
puts a gun to the head of the American people by approving 
Zohydro. So we got this problem.
    You know, personally I spend a lot of my time dealing with 
the effects of substance abuse in my communities. I've got 
three cities, major cities, and I've got 22 towns, and no one 
is immune. Good families, families that are struggling. It's 
just unbelievable. It just blows my mind that the FDA would 
approve Zohydro.
    And so I need to put you on notice. I need to put you on 
notice. You have shaken my faith in the FDA because of that 
decision and what's going on here today. And I just want to put 
you on notice that, you know, I used to give people the benefit 
of the doubt, but I've seen such bad decisions coming out of 
that agency that we've got a problem, which is I've got a 
problem, you've got a problem. So, you know, we got to start 
straighten up and fly right and start doing things that are in 
the best interest of the American people.
    And, you know, I appreciate that your mission and your goal 
is to do the right thing. I just think we've strayed. Sometimes 
the bureaucracy can do that. We just need to get back on the 
same page here in protecting the American people.
    I've exhausted my time, Mr. Chairman. I thank you for the 
indulgence, and I'll yield back.
    Mr. Harris. We will be happy to have someone provide 
follow-up to you on that, on this issue.
    Mr. Lynch. That would be great. Thank you, Mr. Harris.
    Dr. Shuren. And, sir, we would also be happy to talk to 
more details on what really was happening with these 
unauthorized disclosures and the impact, because, in fact, what 
it was doing is it was stifling other scientists. It's not that 
these complainants were necessarily just willy-nilly overrode. 
There were other scientists in the agency who disagreed with 
their opinion, and those people's opinion was actually being 
disenfranchised. People were feeling harassed, retaliated 
against. Other scientists were feeling retaliated against by 
the complainants, and they were complaining that the 
unauthorized disclosures was having a chilling effect on the 
internal discussion within the FDA and that people were afraid 
to put their opinions in writing because it would be disclosed 
to the press.
    It's the same thing that Senator Grassley talked about. We 
want to have open discussion within the FDA. We think it is so 
important. But it goes on both ends.
    Mr. Lynch. Sure.
    Dr. Shuren. And we were seeing that that actually was being 
adversely affected, and that adversely affects public health. 
We cannot make well-informed decisions when that happens. And 
that was a misuse of those disclosures, and that's unfortunate, 
and they were used to influence public meetings, and they were 
used to influence advisory committee meetings.
    Mr. Lynch. Well, I'll be happy to have that information 
offline, Dr. Shuren, and again, I thank you for your testimony.
    Mr. Farenthold. Thank you very much. I am going to now 
recognize myself for 5 minutes for a couple of questions.
    First off, I want to say that whistleblowers are the 
lifeblood of this committee. It's dedicated government 
employees who see something going wrong in their agency that 
have no recourse other than to bring it to the attention of 
Congress, which is the right way to do it. It's not the right 
thing to do the way Mr. Snowden did it and take it to another 
country. And we work hard and we've passed legislation to make 
it safe for whistleblowers, and this committee, and I think 
Ranking Member Cummings will agree with me, will bend over 
backwards to protect a legitimate whistleblower.
    In fact, the committee Web site, Oversight.House.gov, has a 
place you can go online to become a whistleblower. And I guess 
there might be a lesson in this for potential whistleblowers. 
Maybe the initial contact needs to be made from your home 
computer or a computer at the library or from a Starbucks. But 
you shouldn't be afraid to use your government computer to 
report government problems.
    And, Mr. Harris, I know a lot of this happened before you 
got there, but you are the acting chief information officer, so 
I want to take a step back and maybe look at what should have 
been done. I mean, I understand that our computer, our rule 
mentality, in the private sector, you've got a lot more 
flexibility than you do in the public sector. The Constitution 
doesn't apply you due process in your private sector job. In 
many private sectors there are no whistleblower statutes other 
than potentially to the government. So as a manager you've got 
a lot more options in the private sector.
    But in the public sector, going in and installing snooping 
software seems rather draconian. I would think good practice is 
to have something on your network that captures all incoming 
and outgoing mail, and then you have the ability to search that 
after the fact if you've got a leak. I've used EnCase before. 
That's a forensic software that lets you go copy somebody's 
computer. But, you know, nowadays with all compliance issues in 
various industries, there are appliances that you can put on 
your network that catches all the mail and saves it. And you 
ought to be able to search that for emails to The New York 
Times and have an exclusion saying if it's mail.house.gov don't 
show me that. I mean, it seems like it's that simple. Didn't 
you all hire a contractor back there? Couldn't you have told 
the contractor when pulling the EnCase stuff and it says 
mail.house.gov, I don't want to see it?
    Mr. Harris. Yeah, I think you're on the right track. I 
think one thing we should note is that monitoring is actually 
rare. And I think what sews this together is when you think 
about the reasons we do monitor at times. I can give you a 
couple of instances. I mean, we have had cases of child 
pornography. In my mind, we should immediately act on that and 
we should immediately start to look for the issues there 
because the child's life is in the balance here. And then there 
are other instances where insider training does become an issue 
to protect trade secrets.
    But, you know, everyone is correct. The need to protect 
those who whistleblow is important. So this new process that we 
have in place does that. It has, again on the committee, a 
legal individual, someone from IT, someone from HR to consider 
the entire range of issues that we may face before we even 
initiate our monitoring process.
    Mr. Farenthold. And it's just hard to judge what the 
culture of that is. You know, if within your agency there is a 
culture of gossip, you know, does it slip out? You've got to 
deal with the human elements of that as well, and I do think 
there needs to be a technological solution to that.
    Let me go to Ms. Canterbury and get her thoughts on what 
the appropriate way to do this is.
    Ms. Canterbury. So first I would like to ask why on Earth 
the FDA would conduct surveillance if they had suspected child 
pornography or insider training occurring, why would they not 
go to the FBI? That just makes no sense to me. So I'm 
struggling with under what circumstances----
    Mr. Farenthold. I've run a computer consulting company. 
I've done this for private sector. You know, you've got an 
employee you think is--let's take child pornography out of it--
and is just surfing porn and that's against your policy. They 
haven't broken the law, but they've broken your policy. So, I 
mean, obviously there are cases where you need to do that
    Ms. Canterbury. Sure. And so in that case, my question 
would be on the back end of the review committee, I think, is a 
substantial structural reform, but it's only reviewing, to my 
knowledge, according to your interim policy, on the front end. 
So what would be an improvement would be to do a similar review 
on the back end, because there is no way you can use enough 
search terms to protect public whistleblowing. So if an 
employee is blowing the whistle with nonlegally protected 
information to The New York Times or to the Project on 
Government Oversight, that also cannot be swept up or they've 
been in violation of the Whistleblower Protection Act.
    Mr. Farenthold. And I'm going to agree with you that in 
many cases retrospective is the way to go.
    I'm about out of time, but I will give Mr. Harris an 
opportunity to respond before we go to the gentlelady from 
California.
    Mr. Harris. Well, let me be clear. We by no stretch of the 
imagination are coming here today to tell you that our process 
is 100 percent perfect. The idea behind this is to have a 
methodical approach to this. And by the way, the FBI comes to 
us sometimes for referrals to do some of the work that we do. 
And so it is by no way perfect, but the only way the agency can 
move forward is to start something now and then we can perfect 
it to a point to where we can then spread it to the rest of the 
agency and then we all understand what our policies, rules of 
engagement are around monitoring.
    Mr. Farenthold. All right. Thank you very much. I 
appreciate your indulgence.
    We'll now recognize the gentlelady from California.
    Ms. Speier. Mr. Chairman, thank you, and thank you to all 
of our witnesses.
    You know, we are really very good here at calling agencies 
onto the carpet and beating them up and then talking to the 
companies in our district and hearing their complaints about 
the process being too slow, and the result is, is that so much 
innovation is going abroad because our process doesn't work.
    We can't have it both ways. If we want the FDA to be more 
streamlined so more of this research and development of 
clinical trials happens here in the United States, you know, 
we've got to embrace that. If we don't, then we should just 
tell all of our constituents that if they want the new medical 
device that can save their lives, you're going to have to go to 
France or Germany to get it.
    Having said that, I want to send some kudos to Dr. Shuren, 
because we do beat you guys up from time to time. I am sitting 
on an airplane 2 weeks ago coming back from going home, and the 
gentleman sitting next to me is a VC who specializes in medical 
devices, and he had nothing but praise to offer about your good 
work, Dr. Shuren. So I wanted you to have that at the outset.
    Now, let's go to my questions. It appears that there were 
search terms that were developed within the administration that 
were superimposed on the computers of these scientists. What 
were those search terms? The inspector general report isn't 
very specific about them.
    Ms. McKee. The search terms were ``K'' followed by a string 
of letters----
    Ms. Speier. Right.
    Ms. McKee. --which indicates an identification for a 510(k) 
submission, the word ``colonography'' based on the release in 
the article in The New York Times. And then there were also 
names identified of individuals where managers had voiced 
concerns in the management team that Dr. Shuren talked about 
that were performing ghost writing
    Ms. Speier. Okay. So the first two make some sense to me. 
The others appear to be the beginnings of a witch hunt, and 
that troubles me. I think that Ms. Canterbury's concern is one 
that we all have in that if we want to be clear about not 
having reprisals it's better to have a hands-off investigation 
or review taking place so that it's not within the department. 
Go to the Justice Department, whether it's child pornography or 
leaks of trade secrets. And it's not your core competency 
anyway. So I guess the real overriding question that I have is, 
why not just punt these all to Justice for them to undertake 
the review?
    Dr. Shuren.
    Dr. Shuren. Yes. So a challenge we faced back then is in 
the past we had our Office of Internal Affairs. That is the 
group who did investigations within the FDA. And due to 
concerns raised by Senator Grassley, and I understand those 
concerns, in early 2010, the policy changed. The Commissioner 
said in the future the Office of Internal Affairs cannot do 
investigations of allegations of criminal conduct for employees 
who made allegations against the agency. It would go to the 
Office of the Inspector General. But they were not doing 
investigations unless they had adequate evidence to do it.
    And that has caught us in a bind. And in fact when just the 
GE letter was sent to them, they came back and said, at this 
time, based on the information provided, they are not taking 
any action, the referral lacks any evidence of criminal 
conduct. But after, from the monitoring, there was evidence of 
unauthorized disclosures. In fact, the OIG did open a formal 
investigation and did look into it. And at that point they 
decided we're not going to prosecute, but they also came back 
and didn't say that this wasn't wrong. In fact they said, we 
understand you have sufficient evidence to support 
administrative actions, and they closed the case at that point. 
In other words, this could be a problem, you are welcome to 
pursue it now with administrative action. And that's what 
happened.
    Ms. Speier. All right. I have very little time left, but 
I'm concerned about the allegations by the scientists that 
thought that these devices were potentially unsafe or exposed 
people to radiation. Where are we in terms of evaluating that?
    Dr. Shuren. Yeah. So for CT colonography and their concerns 
about exposure radiation, it shouldn't be on the market, as I 
mentioned, there is a lot of evidence to support it. We think 
it is safe and effective. And last year there was a meeting of 
joint advisory committees, so two advisory committees with 
experts in radiology and gastroenterology, 20 people, and they 
unanimously felt that CT colonography should be an option for 
doctors and patients for screening asymptomatic individuals for 
colon cancer. Unanimous.
    Time and time again there were issues that were brought to 
advisory committees, outside experts, who did not agree with 
the complainants. In one case, I actually set up for an issue 
to be brought to the advisory committee, and I let the 
complainants give their own individual perspective. Actually 
had two perspectives. We never do that. We have the center 
provide a unit, one perspective, and here I said there is 
difference of opinion, I want to put sunshine on it, didn't 
hide from it, put sunshine on it and get feedback, and the 
advisory committee didn't agree with the complainants.
    And scientists within the agency, there were many 
scientists who didn't agree. And many of our managers, they are 
scientists. These people are also experts. And they disagree, 
and that's okay. People can disagree. They should disagree if 
they feel that way, and we have a process if they disagree, how 
they can appeal that.
    Unfortunately, never took advantage of that process, which 
actually brings it all the way up to my office, can even bring 
it up to the Commissioner's office, and it has to be in writing 
and they have to justify their rationale, and never took 
advantage. Instead, it was put information that by law is 
prohibited to be disclosured by any FDA employee, whistleblower 
or not, and put that out in the public venue. And that does 
adversely affect public health, it adversely affected 
discussion within the agency, and it adversely affected the 
very issue of open dialogue, which they were complaining about. 
In fact, in one investigation, independent investigation, it 
was found that it was one of the complainants who was creating 
the hostile work environment.
    Ms. Speier. I thank you. My time has expired.
    Mr. Bentivolio. [Presiding.] Thank you.
    At this point I'll recognize myself. I would like to thank 
each of our panelists for being here today.
    Mr. Cummings. Yeah, I just want to close.
    Mr. Bentivolio. Okay. Well, I'm going to ask a few 
questions.
    Mr. Cummings. Oh, okay. Sure.
    Mr. Bentivolio. Briefly.
    But, Doctor, you've answered a few of my questions. But 
after listening to testimony and the questions that were asked, 
I seem to have all my questions answered. But there seems to be 
an underlying problem that you just addressed, is that, you 
know, when you have a whistleblower there is procedures to 
follow to make your points, to make your complaint heard, 
correct? And you've just explained that procedure. But there 
is, according to your testimony, if I understood this 
correctly, they didn't follow all the procedures and went over 
and above and then contacted Congress or blew the whistle, so 
to speak.
    Dr. Shuren. No. They are welcome to contact Congress. The 
issue was they disclosed confidential information that is 
prohibited by law from disclosure to members of the public, 
including the press.
    It was never about Congress. None of this had anything to 
do about Congress. They had been complaining to Congress for 18 
months before this started.
    When I first started at the Center was in September 2009. 
Before I could even speak to any of my staff and hold an all-
hands, my first two days, I spent a lot of it on Capitol Hill, 
at the request of congressional staff, to talk about them and 
their complaints. They were complaining all the time, which is 
fine. No one objected. And I kept hearing they were constantly 
complaining.
    If anyone was going to retaliate, they would have done that 
well before. This was in response to unauthorized disclosures. 
And the OIG even concluded that there was reasonable concern 
for doing the monitoring.
    Now, people will have issues about how that was done, but 
that is a different issue. This was nothing to do with 
retaliation. There was no targeting of Congress. The OIG 
concluded that was well. There was no targeted of protected 
disclosures by whistleblowers. None of that.
    Mr. Bentivolio. Thank you, Doctor.
    Ms. Canterbury.
    Ms. Canterbury. So, the Inspector General did not confirm 
that there were disclosures of unauthorized information.
    The staff report, the Issa-Grassley report, explicitly says 
that they did not find evidence of unauthorized disclosures in 
their surveillance of the employees, of the whistleblowers.
    And I wanted to go back to one other thing that Dr. Shuren 
said about the IG refusing to conduct an investigation for lack 
of evidence.
    The IG declined on May 18th in 2010 to investigate for lack 
of evidence of criminal activity, but also pointed out to the 
agency at that time that 5, U.S.C., section 1213, identifies 
that disclosures such as the ones alleged, when they relate to 
matters of public safety, may be made to the media and 
Congress--to the media and Congress--as long as the material 
released is not specifically prohibited by law or protected by 
executive order and classification.
    So that is what they got back, was their first 
determination, their first warning, not to violate 
whistleblower protections.
    When they went back to the IG and asked for a review, the 
IG looked at whether or not these unauthorized disclosures were 
in violation of the law, consulted with the Department of 
Justice, and, in fact, found that no further action would be 
taken.
    DOJ declined to prosecute. The OIG declined to investigate 
it further. There was no evidence of prohibitions of law.
    What the IG said in the letter was not that there was 
sufficient information to take administrative action, but, 
instead, it said your office indicated it had developed 
sufficient evidence to address the misconduct through 
administrative process.
    So the message from the IG was not that we think you have 
sufficient evidence, but you say you do; so, go ahead and take 
care of it administratively.
    Dr. Shuren. Yes. But the OIG in the first place was 
actually making clear you can have certain disclosures to the 
media unless it is prohibited by law. That was the whole point.
    The kinds of disclosures that were occurring, and the ones 
we were concerned about----
    Mr. Bentivolio. Doctor, I think what really concerns me is 
that, when an employee, a scientist, raises a red flag on some 
medical equipment or medical product and they bring it to the 
attention of the people in charge of the agency and, yet, for 
some reason, their issues aren't addressed to their 
satisfaction, they have to go outside of the agency to get 
redress.
    I think--to me, you know, after listening to all this 
testimony, it seems to be a cultural problem within a lot of 
government agencies, not just the FDA. So I think that is the 
thing we really need to focus on.
    Why can't an employee, a scientist, probably one of the 
smartest people in that agency, have some concerns and those 
concerns be addressed in-house and taken care of? And, yet, 
even if you have to put in some overtime.
    Dr. Shuren. I would agree with you. And actually----
    Mr. Bentivolio. But, apparently, those aren't there. You 
have not created a culture--or the FDA has not created a 
culture where those things can be addressed and the public can 
be satisfied. And I think I am out of time.
    And now Mr. Cummings.
    Mr. Cummings. Thank you.
    Thank you very much, Mr. Chairman.
    Looking at the report of the IG, Mr. Harris and Mr. Shuren, 
it says--and it is on page 20 of the report--it says, ``Given 
this, FDA's interim policy addresses our five recommendations 
outlined above. HHS should determine whether all other 
individuals OpDiv policies meet our recommendations above. HHS 
also should regularly review and, as necessary, update its 
Department-wide monitoring policies to ensure they are 
compatible with new and emerging technologies and 
methodologies. Information technology is continually changing, 
and a static monitoring policy could fail to address key 
implementation issues as capabilities evolve.''
    And I just want to make sure--it sounds like the IG is 
satisfied for the moment. But as he says, the technology is 
continuously changing. And as you know, you can have technology 
today that is outdated today.
    And so the question becomes, you know--I want to--what I am 
going to do, Mr. Chairman, with Chairman Issa, is try to follow 
up with the IG to make sure that he is satisfied that 
everything that can be done at this moment, consistent with his 
recommendations, has been done.
    And, number two, I am just curious as to how you plan to 
keep up with the technology and make the changes that are 
necessary so that we are not outdated.
    Mr. Harris. Thank you, sir.
    Clearly, as we stated earlier, we don't consider this 
process as anywhere near completed. Instead of static, it has 
to be fluid. We have to keep up with the emerging technologies. 
I mean, there is a smart kid somewhere who is able to come up 
with an idea of how to breach our system. So we have to always 
be out in front of the process.
    But going back to the earlier statement that we know that 
we need to have a set of clearly understood processes across 
FDA that requires us to have, again, approval before anything 
starts, I think the IG is also stating that we started out 
pretty good, but we still have much more work do. We recognize 
that. The agency recognizes it. So we are in no way saying that 
we are done here. We have a lot of work to do.
    Mr. Cummings. I know the chairman was about to end the 
hearing; so, I will just finish my closing right here. I know. 
I saw him. That is why I said ``was about to.''
    I just want to thank all of you for being here.
    And I want to reiterate the comments of Congresswoman 
Speier and, also, Lynch. It is so important that government 
operates correctly because, when government does not operate 
correctly, there are consequences.
    I go to the same bank every Friday. For the last five 
months, I have been following my teller, whose son's wife was 
having--well, his girlfriend was having twins. And so, you 
know, everybody's excited and everything.
    And then about a week ago I went in and I said, ``Well''--
you know, she was so excited that these twins were going to be 
born. And they knew it was two boys.
    I was excited for her, and I would ask about them every 
time I walked in the bank. And then she said, ``They have been 
born'' and then she said, ``I have got good news and bad 
news.'' She said, ``The boys are fine. The mother's in a 
coma.'' Apparently, there was some complications. Developed 
MRSA in the hospital. And then, when I came back last Friday, 
she said she died.
    Whether this was with regard to a device, I don't know. I 
am not saying it is. But now we have got two boys a week old 
who will go for the rest of their life without their mother. 
Those are the consequences.
    I think a lot of times we here in government forget that 
there are people that are affected by our decisions, but they 
are. And so I think--first of all, I don't think, to be frank 
with you, that a whistleblower has a right to remain silent if 
they see something wrong. That is why we want to protect them. 
We want to get it right.
    I am asking you all, when you go back to your shops, to 
reiterate that. We are going to continue to follow this. I know 
the chairman will and our committee will. But this is so very, 
very, very important.
    And I heard you, Ms. Canterbury, and, basically, what you 
were saying was, ``Look, we don't trust that this is going to 
work out. It is not all complete'' and all that.
    Well, it has got to work out. It has to work out because 
the American people deserve absolutely nothing less. That is 
why they pay our servants--our Federal servants, employees, to 
do these jobs.
    And going back to something Chairman Issa said, it is also 
about trust. So the more we do it right, like you said, Mr. 
Shuren, when you were talking about dismissing everybody or 
however--you know, when you said you were trying to make sure 
that the whistleblowers were protected, those are the kinds of 
things we have to continue to do because the public needs to 
feel that trust, and we have got to make sure that we take care 
of them.
    So I want to thank you very much.
    I am out of time, Ms. Canterbury, but that is up to the 
chairman.
    Ms. Canterbury. I just want to say that I have full trust 
that, if you and the chairman work together, that you will get 
the job done right.
    Mr. Cummings. Thank you very much. And we will. Thank you.
    Mr. Bentivolio. At this time I would like to recognize the 
gentleman from Florida, Mr. Mica.
    Mr. Mica. Well, thank you, Mr. Chairman, and ranking 
member.
    I came in a little bit late. I will try to ask a couple of 
questions, hopefully, that haven't been asked.
    I was going to turn my first question to Mr. Harris. Mr. 
Harris, in September, I guess, of last year, you were acting 
CIO and you released an interim policy staff manual and guide 
for employees' computer monitoring.
    You have both the role, I guess, of--is it COO and, also, 
CIO?
    Mr. Harris. Yes, sir.
    Mr. Mica. Okay. Now, in that capacity and in developing 
that manual, under the interim policies, what are your 
responsibilities as both the COO and, also, as the chief 
information officer?
    Mr. Harris. As the COO, it is my responsibility to make 
sure that the process is fluid and that it is commonly 
understood by all.
    As the chief information officer, it is to make sure that 
we give good guidance to program officers and centers across 
FDA when they have a request to look at issues that may occur 
within their centers.
    And so there is two separate hats there. One is of 
processes. I mean, this is not about power. This is really 
about well-matured processes that the entire agency can 
understand what we are doing from A to Z.
    And from an IT perspective--Dr. Shuren spoke of it 
earlier--the question was asked whether we could have taken a 
different approach.
    I think, as an IT professional, I would have said that we 
need to look at the entire scenario so we can determine the 
most appropriate approach.
    Mr. Mica. Well, do you think, again, with you in the 
position of being both COO and CIO, there is a potential 
conflict?
    Some of your responsibilities are for the approval of the 
monitoring, the execution of the monitoring, and the direction, 
but, also, the review of the monitoring.
    Do you see that as something that actually should be kept 
separated? I don't know how you are able to achieve your sort 
of--I would see it as in competing roles. What is your opinion?
    Mr. Harris. Well, the review committee that we have as part 
of our steps does have legal review included in it. So when it 
comes to--as a formal request, there is a committee, again, 
that has an HR person on it, has an IT person, a legal person 
on it. And then it comes back to me.
    So they have an opportunity to look at it without me even 
being present. But I think the most important part of this is 
the legal review takes place and then, before anything starts--
--
    Mr. Mica. So you are saying on top of this there is another 
review that would ensure, again, some objective review?
    Mr. Harris. Yes.
    Mr. Mica. Ms. Canterbury is answering--or shaking her head 
``no.'' Did you want to respond?
    Ms. Canterbury. I understand from the interim policy that 
there is a legal review on whether or not to conduct the 
surveillance.
    But once the information is collected, it is Mr. Harris who 
maintains that and determines who gets to use that information 
and how it is used.
    And so my recommendation is that the COO shouldn't be 
involved. As you suggest, sir, I think it may be a conflict of 
interest.
    He should not have a part in all decision-making and then 
control what--the information that is collected at the back 
end.
    Certainly, at the back end, there has to be a legal review 
to make sure----
    Mr. Mica. So you don't think that even though what he cited 
and considers as another step is not really doing the job 
because, again, just the nature of the conflict of his having 
both of those responsibilities--I mean, I don't want to put 
words in your mouth. Is that correct?
    Ms. Canterbury. Right. My concern is with, after the 
information is collected, what happens to it.
    Mr. Mica. Right.
    Ms. Canterbury. Are there protected disclosures swept up in 
what is collected? And only Mr. Harris would get to decide 
that, according to the interim policy.
    Mr. Harris. I think, again, we stated earlier that the 
policy is nowhere near complete. We made a conscientious choice 
to have an interim policy so that we can get this right, and 
this has to be done right over time.
    There are many scenarios that apply here that don't have a 
single answer to it.
    The other piece of it is that we want the agency to begin 
to move forward and, one, again, protect the whistleblowers, 
and, two, make sure that our processes are commonly understood 
from end to end. And then, at the end of the day, before 
anything begins, anything begins, we have to have an approval.
    And so I don't know what happened, again, 2 or 3 years ago, 
but I know now that we have a much more well-oiled process.
    It is interim. It is not perfect. We have to build it as we 
go because, as Mr. Cummings said earlier, the landscape changes 
with IT on a regular basis. We have to be fluid with it if we 
are going to stay on top of things.
    Mr. Mica. Also, again, in protections and making certain 
that important responsibilities are fulfilled. I think Ms. 
Canterbury did allude to, again, some conflict that exists just 
by the nature of the current way this is conducted.
    Mr. Harris. That is right. It comes out of my hands and 
goes, as we talked about, to the legal review. We call it a 
legal tank team. When something has occurred that needs to have 
a set of fresh eyes on it, it comes out of my hands and goes 
into the hands of a legal team, who looks at it, and we call 
them a tank team. They then decide the best recourse of action 
from there.
    So I think it would probably be better if we could at some 
point in time have some conversations about what we are doing 
because, I think, again, from where we were 2 or 3 years ago, 
night and day.
    Mr. Mica. Well, again, we wouldn't be holding this hearing 
if it all worked right. But that is why we are here.
    Let me turn--a final question just to Ms. McKee. You are 
involved in, again, some of the monitoring. Is that correct?
    Ms. McKee. That is correct.
    Mr. Mica. Yeah.
    And did anyone ever tell you that it was inappropriate to 
look at disclosures to OSC or members of Congress or attorneys? 
Did they tell you that?
    Ms. McKee. The focus of the monitoring wasn't on any of 
those disclosures. While they may have been captured broadly, 
it was not something that we looked at.
    Mr. Mica. Okay. And did you think that it was fair game, 
because they were doing it on an FDA computer, that they could 
again look at that information and make the disclosures?
    Ms. McKee. I am sorry. I don't understand your question. 
They could look at it?
    Mr. Mica. Again, you thought it was fair game because they 
were using an FDA computer in the process.
    Ms. McKee. The software that was used captures everything, 
is my understanding. There was not a way to wall off different 
communications--types of communications.
    Mr. Mica. Well, again, you--but you thought it was 
appropriate use of computers and information?
    Ms. McKee. I am not getting your question. I am sorry.
    Mr. Mica. Again, you said to the committee that you were 
involved in this process.
    Ms. McKee. That is correct.
    Mr. Mica. And you, in fact, had said that it was 
inappropriate to look at disclosures--or you said there was not 
a problem with looking at disclosures to either OSC or members 
of Congress or attorneys, is what I--some of the information I 
have been provided. That is not correct?
    Ms. McKee. I don't believe that is correct, sir. It may 
have been a mistake, misspoke during an interview.
    Mr. Mica. Well, again, I am looking at information that was 
provided from your transcribed interview. And, furthermore, 
when questioned about this, I am informed that you thought it 
was fair game because they were doing it on an FDA computer. 
And I think you responded--at least in those interviews, you 
thought it was a fair game because, again, they were using FDA 
computers.
    Ms. McKee. If I recall--I am trying to put your question 
into context with the question I was asked--I believe 
monitoring FDA employees' computers is fair game.
    Mr. Mica. Is fair game under the rules. And you still 
believe that.
    Ms. McKee. I believe there are times when it is 
appropriate, yes, to monitor FDA employees' computers.
    Mr. Mica. Okay. And about--what about disclosure of that 
information? What is your feeling about what has taken place 
and how that has worked?
    There have been disclosures from the monitoring that are 
inappropriate. And, obviously, the monitoring, again, monitors 
people's inappropriate activity. That is part of the purpose of 
the monitoring. Correct?
    Ms. McKee. That is correct.
    Mr. Mica. Okay. And what is your opinion as to how this has 
worked and functioned? You said it is fair game, which they are 
doing. They are conducting this monitoring. And, obviously, we 
have had problems with it not working. What is your opinion? 
What is the flaw? Where do we need to go?
    Ms. McKee. I certainly believe the processes that the 
agency has put in place in the last six months would have 
helped in the situation----
    Mr. Mica. If it had been in place.
    Ms. McKee. If it had been in place in 2010, it certainly 
would have helped.
    Mr. Mica. Okay. Thank you.
    Yield back.
    Mr. Bentivolio. Thank you.
    At this time I would like to thank all of our witnesses for 
taking time from their busy schedules to appear before us 
today.
    The committee stands adjourned. Thank you very much.
    [Whereupon, at 12:27 p.m., the committee was adjourned.]


















                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


                                 
