Journey of Sandia's Privacy and Data Protection: Legal Insights 2010-2011

Explore the privacy journey of Sandia National Laboratories in 2010-2011, including data breach considerations, legal authorities, and conclusions on cyber security incidents. Learn how Sandia managed data protection issues and their notification process.




Presentation Transcript


  1. Data Privacy Legal Issues: Sandia's Privacy Journey 2010-2011
     October 20, 2011, DOECAA Fall Conference, Washington, DC
     Rusty Elliott, Sandia Corporation; Jim Byrne, Lockheed Martin Corporation; Joanne Zimolzak, McKenna Long & Aldridge LLP
     Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.

  2. In the late spring of 2010, Sandia learned:
     • A large amount of Sandia data on an internal Sandia system had, for a time, been subject to incorrect access controls
     • A portion of the data included some personal information regarding Sandia employees
     • No evidence that the information ever became available outside of Sandia
     • No evidence that anyone without a business reason ever saw it
     • Yet, individuals with general access to the Sandia Restricted (Unclassified) Network could have viewed the information

  3. Some of the issues we considered:
     • Was there a cyber security incident?
     • Had a data breach law been triggered?
     • Had HIPAA notification been triggered?
     • What are the notification requirements, if any?

  4. Some legal authorities to consider:
     • The Privacy Act of 1974, 5 U.S.C. 552a
       Check to see if any Privacy Act Systems of Records are involved (see the FAR 52.224-2 clause in the M&O Contract)
     • DOE O 206.1, DOE Privacy Program
     • For NNSA:
       NAP 14.1-C, NNSA Baseline Cyber Security Program
       NAP 14.2-C, NNSA Certification and Accreditation (C&A) Process for Information Systems
     • Other applicable State and Federal laws regarding privacy and data protection

  5. Conclusions:
     • No cyber security incident
       Sandia worked closely with the NNSA Site Office; together we concluded there was no cyber security incident because the data stayed within Sandia
       JC3 (formerly DOE-CIRC) was notified because of the PII content
     • No applicable data breach law was triggered
     • No HIPAA reporting requirement

  6. Near term:
     • SANDIA ELECTED, ANYWAY, TO SEND NOTIFICATION LETTERS TO THE AFFECTED PERSONS AND THEIR FAMILIES.
     Longer term:
     • Sandia has conducted an extensive assessment of data protection and privacy at the facility
     • Sandia has completed an 18-point action plan on PII management
     • The plan addressed both logical and administrative controls
     • One result was the creation of a new Chief Privacy Officer role
     • Sandia is now positioned to proactively address privacy and related data protection challenges in an integrated and thoughtful manner

  7. Sandia's PII Action Plan Project
     • Plan execution led by Sandia's Chief Information Officer; plan also overseen by the Deputy Laboratories Director for Mission Support
     • Coordinated closely with the NNSA Site Office
     • Features of the plan included:
       External assessment by Lockheed Martin
       Evaluation of repositories of PII
       Actions specifically addressing HR, Medical & Benefits information management
       Selection and deployment of a data loss prevention tool
       Improvement of access control standards; implementation of a monitoring tool and metagroup utility enhancements
       Development of PII legal expertise and creation of the CPO role
       Policy, procedures and training improvements
       Cyber security role enhancements
       Flow down of requirements to subcontractors
       PII extract management
       Internal and external privacy policy notifications
