Did Arlington National Cemetery break the law?
Arlington National Cemetery this summer mailed to a Florida contractor two computer servers containing the personal data — including Social Security numbers — of thousands of deceased soldiers.?
A senior cemetery official ordered the servers to be mailed despite federal law and Army regulations that prohibit such unauthorized shipping, and despite the objections of the cemetery’s IT manager, who warned of possible privacy law violations. The close and curious relationship between the contractor, Optimum Technical Solutions, and the cemetery official was detailed by Salon yesterday.
For years, cemetery Deputy Superintendent Thurman Higginbotham has overseen a contractor-led effort to computerize burial records at Arlington to prevent the cemetery from losing track of remains. For years, Higginbotham has worked on the project with Bobbie Garrett, who had been employed by a contractor called Alpha Technology Group.
After Garrett and Higginbotham became the focus of an Army Criminal Investigation Command investigation launched in October 2008, investigators were unable to locate Garrett, who resigned from Alpha and apparently left the Washington area. The investigation, completed in May, found that Higginbotham and Garrett had hacked into a former employee’s government computer. Someone later impersonated the employee online, but investigators were unable to determine conclusively the identity of the impersonator.
As Salon reported yesterday, in March Garrett formed a new Florida-based company with a fellow former Alpha employee named Carlton Wells — and Higginbotham has now rehired Garrett to do more work computerizing Arlington’s burial records. The cemetery gave Garrett’s company, Optimum Technical Solutions of Jacksonville, Fla., a $193,000 contract on June 15 that runs through the end of September, according to government contracting records.
Salon has also learned that in June the cemetery mailed to Garrett’s new company in Jacksonville two computer servers that contain personal information on thousands of deceased service members and their families, in possible violation of government privacy rules.
Internal cemetery e-mails show that Higginbotham first sought to have the two computer servers mailed to Garrett’s company in May. (It is unclear why Higginbotham sought to send the servers to the contractor in May if the contract was not awarded until June 15, the date provided by the cemetery in an e-mail to Salon.) An IT manager at the cemetery warned Higginbotham that sending out the servers would violate Army regulations designed to protect privacy. “I just want to advise you that sending servers off-site to a contractor is completely insecure and not authorized,” the manager wrote to Higginbotham on May 27. “These servers cannot leave the site and it will violate Army regulations if they do.”
The manager objected to sending the servers because of the risk of losing what is called “personal identifiable information,” in the language of information security professionals. Writing back, Higginbotham insisted that “this is all a part of an ongoing contract” to computerize burial operations at the cemetery.
The IT manager warned again. “My job is to make sure that we don’t do something that will violate the guidelines so we don’t end up answering for it later,” the manager wrote back. “We cannot send servers offsite. Period,” he wrote. “I am letting you know this. Now, this is your choice. However, I have advised you against this.”
Higginbotham further insisted, and he was the boss. The manager mailed the servers to Garrett’s new company in late June and then resigned in frustration in mid-July. The IT manager asked that his name not be used, worrying it might muck up his interviews for a new job.
Federal agencies, including the Army, have their own privacy regulations designed to protect personal information. The government is also bound by the Privacy Act of 1974, which requires that the government take steps to protect private information from falling into the wrong hands.
The general rule with contractors is that they must maintain security protocols, such as secure facilities, that are as secure or more secure than their government clients’. “If the contractor does not implement as good or better safeguards, then there is a real problem there,” explained John Verdi, senior counsel at the Electronic Privacy Information Center.
The IT manager told Salon he worried about Garrett’s past record and doubted that that small, two-person company had adequate safeguards to protect the private data. Verdi called that a red flag. “If this guy doesn’t trust that this contractor is able to accommodate these security measures, then that is a massive problem,” he said.
Salon repeatedly asked the cemetery if the shipment of servers met privacy requirements. Cemetery spokesman Dave Foster replied only that “the servers and the data to support the application were part of the contract as Government furnished equipment.”
Veterans’ advocates who have followed the Salon series on Arlington National Cemetery said they have grown frustrated with an inadequate response to the myriad of problems raised by the articles. “We continue to be concerned about the revelations at Arlington and we have yet to see an adequate response from Congress or the Army,” said Paul Rieckhoff, executive director of Iraq and Afghanistan Veterans of America. “Despite national reporting on this, there has yet to be an official response from the president. It is clear that these are not isolated incidents and there are deep-rooted problems at Arlington.”