February 5, 2010 By Hilton Collins
The National Archives and Records Administration (NARA) is still on the lookout for a missing external drive containing copies of personal data -- including Social Security numbers -- of former Bill Clinton administration staffers and people who contacted or visited the White House during the Clinton era. One of former Vice President Al Gore's three daughters is among those affected.
"To date, we've been unable to identify and recover the hard drive. It's still outside of our control and custody as an agency," said Paul Brachfeld, the NARA's inspector general.
Brachfeld began an investigation into the drive in March 2009, right after the data was discovered missing on March 24. He expects to have a report ready to go a few weeks from now.
The data was stored on a 2 terabyte Western Digital MY BOOK external hard drive that went missing from an NARA processing room in Maryland. It was last seen somewhere between October 2008 and early February 2009. The drive was being used as a copy of originals that are still safe and sound.
"It wasn't original material. We're not missing the material itself -- that's at the archives, so we know exactly what was missing," said Susan Cooper, a spokeswoman for the NARA.
The office is willing to pay up to $50,000 for information leading to the copies' recovery. The NARA issued a Jan. 4, 2010 press release disclosing that 150,000 letters had been sent notifying affected individuals that their personal information is missing. But other letters have gone out before.
"We sent out recently [approximately] 150,000 letters, and initially we sent out 26,000 letters. So far, we're up to about 176,000," she said.
No evidence exists so far that any of the missing information has been used for nefarious purposes. The NARA is offering free credit monitoring assistance to affected parties.
So far, the office's handling of the situation seems to be a good example of how to operate after a data breach has occurred, according to Michael Maloof, CTO at TriGeo Network Security.
"I think companies have come to realize both, obviously, within the government and commercial space, that silence is deadly," he said. "If the news breaks on the front page of the Wall Street Journal that it's far more damaging than for the news story to be, 'We're announcing this breach and proactively taking these steps.'"
The NARA is currently revising internal policies and procedures to enhance its protection of electronic and textual records with personal information.
"The archives takes this very seriously, and we've taken a number of steps to ensure that this never happens again," Cooper said.
Maloof thinks governments are held to a higher standard than private companies when it comes to safeguarding personal information.
"I think there's an expectation that you're our government, and we must give you our information. I can choose which bank I want to do business with. I can choose which retailer I do business with, but if I want a passport, the Department of State's got my information," he said.