FSGB Case: Why You Should Not/Not Take Your Hard Drive With You When Departing Post

13 GoingOn 14: Help Keep the Blog Going For 2021 — GFM: https://gofund.me/32671a27

 

The FSGB Annual Report for 2021 mentions a disciplinary case where  the Board affirmed the agency’s decision in a case concerning an information security violation (FSGB Case No. 2018-030). So we went and looked up the case which includes Charge 1 for failure to follow proper security procedures:

12 FAM 625.2-2 Removal of Microcomputers, Media and Software
Personnel are prohibited from removing U.S. Government microcomputers or media from Department premises without the prior written approval of the [Information Systems Security Officer] ISSO and additionally, if abroad, the RSO or [Post Security Officer] PSO.

And Charge 2 for failure to safeguard government property:

12 FAM 622.1-7 Protection of Media and Output
… (b)(2) Abroad: Media shipped between posts must be sent at a minimum by controlled shipment.
( c) The data center manager and the system manager must label removable media either UNCLASSIFIED or SBU.

Overview via ROP:
Held – The Department of State (Department, agency) has established via preponderant evidence that grievant violated Department regulation both in removing a Sensitive But Unclassified hard drive from his computer and taking it with him to his next post, and in failing to comply with the requirement to use a controlled shipment in returning it to post. On review, the Board finds that the proposed penalty is reasonable.
Case Summary – Grievant, a removed the Sensitive But Unclassified hard drive from his computer when leaving post in and took it on to his next post without reporting his action or seeking permission from the Information Systems Security Officer or the Regional Security Officer at post. When the RSO in asked him to return the hard drive, grievant mailed it back to post via an uncontrolled shipment, but it never arrived. The Department charged him with Failing to Follow Proper Security Procedures for removing the hard drive without permission, and Failure to Safeguard Government Property, for failing to return the hard drive in conformity with regulatory requirements for a controlled shipment.
Grievant appealed to this Board on the grounds that the Department had failed to prove by preponderant evidence that his stated method of shipment of the hard drive was not, as he contended, compliant with the rules for a controlled shipment; that the Department had failed to take into account the mitigating circumstances of a toxic atmosphere and widespread wrongdoing at post; that the Department had misapplied the appropriate penalty considerations (Douglas factors) and chosen inapposite comparator cases; and that the penalty was disproportionate, as the hard drive was only SBU, in contrast with classified documents involved in the comparator cases.
The Board determined that the Department met its burden of proving the charges of Failure to Follow Proper Security Procedures and Failure to Safeguard Government Property, that the penalty imposed was not inconsistent with comparator cases, and that the Douglas factors were properly applied.

Photo by Pixabay on Pexels.com

Background via ROP:

Grievant is an FO-02 REDACTED who began his Foreign Service career as an REDACTED in 2001. At the time of the initial event giving rise to this grievance, he was serving as head of the management section in REDACTED a position he held from October 2012 until his voluntary curtailment in September 2013.

During the course of his assignment to REDACTED by his own account, a number of conflicts developed between grievant and the Chargé d’Affaires (Chargé), the General Services Officer (GSO), who reported to grievant, the Regional Security Officer (RSO) and other individuals at post. Grievant became frustrated that officials in Washington were not investigating or otherwise responding adequately, in his view, to his allegations of malfeasance, mismanagement and child abuse against various individuals serving in REDACTED Grievant decided to volunteer for an assignment at REDACTED , that required immediate voluntary curtailment from REDACTED.

Just before his departure from post in September 2013, grievant became concerned that a colleague or colleagues would attempt to retaliate against him for his claimed knowledge of irregularities in post management and individual malfeasance, or that a subordinate would file a grievance based on a negative EER written by grievant. He stated that he wished, in his own defense and to expose mismanagement, to bring with him numerous documents and emails proving his allegations, but was unable to “download” or print them, as they were too big. (The documents he stated he would need for this purpose included a .pst file of all emails he had sent or received in his time at post, as well as a number of other unspecified documents.) He therefore decided, under pressure of time, to remove the SBU hard drive from his computer and take it with him.1

Grievant states that he received oral permission to take the hard drive from a local employee in the IT section, whose name he did not know or remember. He chose not to inform or request permission from the Regional Security Officer (RSO) and the Information Systems Security Officer (ISSO) in REDACTED as required by the FAM, because the ISSO was away from post and grievant thought the RSO would refuse him permission because the documents grievant wanted to preserve implicated the RSO in wrongdoing. He stated that he needed to physically take the hard drive in order to “preserve the data” to potentially present to investigating authorities in Washington, and “my thought was to take everything I could should something come up.”2 He then took the hard drive with him upon departing post. After removing the hard drive and leaving post, grievant took no further action to report to any investigating body the alleged irregularities and malfeasance in REDACTED. He explained to the Deputy Assistant Secretary reviewing the proposed penalty that “since no one seemed to care, I didn’t.”3

A local employee subsequently reported his removal of the hard drive to the RSO. At some unspecified point after grievant’s arrival in REDACTED , the Regional Security Officer in REDACTED contacted him to request return of the hard drive.4 However, despite grievant’s assertions that he attempted to return it, the hard drive never arrived back in REDACTED. At some later point, the RSO reported the incident to Diplomatic Security (DS); in a subsequent DS interview on July 15, 2016, grievant stated that he had “attempted to return the drive via packaging sent back to the [REDACTED Embassy [diplomatic] pouch office on board a post support flight [a supply flight between REDACTED and REDACTED operated by a U.S. contracting company], ….”5 He had no further information during that interview about exactly how or when he had done so, or the current whereabouts of the hard drive.

In its decision, the FSGB concluded:

We therefore find that the Department’s choice of penalty, in a case involving both unauthorized removal of a sensitive item of media, and subsequent failure to return it, as required, via a controlled shipment, resulting in loss of the item and potential compromise of personally identifiable information pertaining to the U.S. diplomats serving abroad, is reasonable.64 The Department has a legitimate interest in ensuring the safeguarding and preservation of sensitive agency materials. As such, there is a clear nexus between the proven charges and the efficiency of the Service.

###