The FBI is exposing sensitive and classified data because of “significant weaknesses” in its inventory management and disposal of electronic storage media, a recent audit has found.
In a public notification published on August 21, the US Department of Justice's (DOJ) Office of the Inspector General (OIG) reported that its audit found several flaws in the FBI’s management of data, including documents from its investigations.
These flaws include:
- A lack of adequate policies and procedures or controls to account for electronic storage media extracted from larger devices and thumb drives
- A lack of labels on the FBI’s electronic storage media with the appropriate National Security Information (NSI) classification or Sensitive But Unclassified (SBU) levels
- Flaws in the FBI’s internal physical access and security controls in relevant areas
The OIG shared additional evidence, including pictures taken inside the FBI’s premises showing issues relating to the management and disposal of potentially sensitive documents.
The watchdog discovered that FBI staffers do not typically account for extracted internal hard drives, thumb drives and other media devices – a practice that it deemed inconsistent with FBI or DOJ policies to ensure accountability of media containing sensitive or classified information.
Recommendations for Better Sensitive Data Handling
In the public notification, the OIG addresses three recommendations to the FBI:
- Revise procedures to ensure all electronic storage media containing sensitive or classified information, including hard drives that are extracted from computers slated for destruction, are appropriately accounted for, tracked, timely sanitized, and destroyed
- Implement controls to ensure its electronic storage media are marked with the appropriate NSI classification level markings, in accordance with applicable policies and guidelines
- Strengthen the control and practices for the physical security of its electronic storage media at the facility to prevent loss or theft
The FBI has informed the regulator that it is addressing the issue and has developed a new policy to ensure the secure handling and destruction of sensitive electronic data.
This policy, currently undergoing final revisions, will mandate the proper labeling and safe disposal of classified and sensitive information. The FBI expects to implement this policy shortly.