University of California hit with $3M fine for breach

The U.S. Department of Energy has proposed levying a fine of $3 million on the University of California, Berkeley, and a separate $300,000 fine on Los Alamos National Security (LANS) for their alleged failures to protect classified information in an October 2006 security breach.

In addition, Secretary of Energy Samuel Bodman ordered LANS to undertake specific actions to bolster its physical and IT security. A failure to implement the required measures within the prescribed time frame could result in the imposition of additional civil penalties of up to $100,000 per day for each violation, Bodman said in a compliance order issued today.

The formal enforcement actions against both organizations follow months of investigation into the breach in which a contract worker at Los Alamos National Laboratories (LANL) illegally downloaded and removed classified data from the site via a thumb drive. The university managed and operated LANL from 1943 to May 2006. LANS, which is a limited liability corporation that comprises Bechtel, the university, and two other firms, took over management of LANL in June 2006.

The university and LANS have 30 days to submit a written response to the notice of violations. A failure to do so would end their right to appeal the proposed penalties.

“Investigations revealed that management deficiencies of both contractors were a central contributing factor” in the 2006 breach, a DOE statement said. The agency noted that the proposed civil penalty of $3 million is the largest it has ever assessed.

In a formal Preliminary Notice of Violation addressed to Robert Foley, vice president of laboratory management at the University of California, the DOE listed five separate areas where the school failed to follow DOE requirements for protecting classified information. Those violations included a failure by the university to protect data ports, despite knowing about the vulnerability, and a failure to impose adequate escorting requirements to detect unauthorized access and removal of classified data. The school was also charged with violating the DOE’s physical security requirements, as well as rules regarding roles and responsibilities and oversight of subcontractors. The notice of violation was sent by the DOE’s National Nuclear Security Administration (NNSA).

In a similar notice to LANS, the NNSA listed many of the same violations. In addition, the NNSA said that LANS failed to stop the unauthorized reproduction of classified material both on paper and on removable electronic media and allowed the material to be stored in a private residence.

In a statement, LANL acknowledged the DOE findings and said it has begun to take steps to address the problems. “In addition to creating a new organization to oversee cybersecurity, the Laboratory has already taken important, aggressive actions to reduce the total amount of its classified holdings and to consolidate those holdings into as few areas as possible without damaging productivity,” LANL said.

On July 10, the laboratory certified a new “super vault-type room” for storing classified data. Classified removable media at the laboratory have also been reduced by more than 85 percent since 2003, while classified repositories have been cut by 23 percent. In addition, processes have been implemented for random searches of personnel entering and exiting classified areas of the laboratory, and for mandatory searches of all those entering and exiting data vaults.

“The Laboratory has committed to the DOE and the National Nuclear Security Administration to make security improvements consistent with those outlined in the compliance order,” the LANL statement said.

The university did not immediately respond to a request for comment.

The enforcement actions come just weeks after Rep. John Dingell (D-Mich.), chairman of the House Committee on Energy and Commerce, wrote a letter to Bodman asking why his committee was not informed of another LANL breach involving nuclear secrets in January. Dingell, whose committee was looking into the October 2006 breach, claimed that his committee had deliberately not been informed of the one in January.

“We find it unacceptable that throughout this period, several NNSA, Department of Energy, and LANL officials with specific knowledge of this incident met with us on multiple occasions, and a senior LANL official testified twice before the Subcommittee, without mentioning a word about this matter,” Dingell wrote.