0120131158
06-11-2013
Debra B. Lessans,
Complainant,
v.
Ray H. LaHood,
Secretary,
Department of Transportation,
Agency.
Appeal No. 0120131158
Agency No. 2010-23568-MARAD-02
DECISION
Complainant filed a timely appeal with the Equal Employment Opportunity Commission (EEOC or Commission) from a final Agency determination (FAD) dated December 27, 2012, finding that it was in compliance with the terms of the settlement agreement into which the parties entered. See 29 C.F.R. § 1614.402; 29 C.F.R. § 1614.504(b); and 29 C.F.R. § 1614.405.
BACKGROUND
At the time of events giving rise to this complaint, Complainant was employed with the Agency's Maritime Administration in Washington, DC.
Believing that the Agency subjected her to unlawful discrimination, Complainant contacted an Agency EEO Counselor to initiate the EEO complaint process, and thereafter filed a formal complaint. On December 12, 2011, Complainant and the Agency entered into a settlement agreement to resolve the matter.
The settlement agreement provided, in pertinent part, that the Agency "will observe appropriate safeguards against unauthorized disclosures of privacy related information concerning Ms. Lessans...," and included substantial consideration in other terms not at issue here.
By letter to the Agency dated November 13, 2012, Complainant alleged that the Agency breached the settlement agreement. Complainant wrote that two weeks prior, she was informed by a current Agency employee that private information on Complainant was on a "shared network drive" accessible to almost half the Agency's employees. Specifically:
* The Director of Human Resources for the Maritime Administration kept on her "network folder" (referred to as the H or I drive or home drive) Complainant's official personnel file (OPF), which contained personally identifiable information (PII) on her and her family such as social security numbers, birthdates, and address;
* The "network directory" of the above Director and the Associate Administrator for Administration in the Maritime Administration, to whom the Director reported, had many memorandums and letters concerning her; and
* Many Maritime Administration Employees in Codes MAR 300[1] and 500 maintained excel spreadsheets on "shared drives" of all Agency employees, including herself, listing names, social security numbers, birth dates, disability status, and so forth, accessible to almost half the Agency's employees, which were not password protected or encrypted.
To back up her claim of wide access, Complainant included screen shots of the above information, demonstrating some of it contained PII.[2]
In January 2012, prior to her notice of breach, Complainant retired from her position of Supervisory Financial Analyst with the Agency. She asked the Agency to comply with the settlement agreement, pay her compensation for the breach, take steps to ensure that she and her family not be subject to identity theft, and compensate her and her family if any of them became a victim.
Thereafter, the Agency's Maritime Administration investigated her claim of privacy information lapses. Its Chief Information Officer (CIO) stated that all Maritime Administration employees are obligated to protect PII and sensitive personally identifiable information (SPII) which comes into their possession by virtue of their work, and take annual training on this.
The CIO explained that a "personal drive" is a network based store which only the named user and any information technology (IT) professional with certain administrative rights can access, which is referred to as the user's home drive and usually designated as the H or I drive. He explained that a "shared drive" is a network based file store which may be accessed by a group of users with administrative permission to access the shared store. The CIO stated that at no time was there a shared drive to which both the Director of Human Resources and the Associate Director for Administration had access, an apparent reference to a special drive.
The CIO stated that he conducted research using the screen shots, and determined the files connected to the first two bullets were stored on one or more personal network drives which should not have been accessible to anyone other than the individual to whom the drive was assigned (and IT professionals with certain administrative rights). He stated access protections for some personal drives failed, allowing an employee without administrative rights to access data on them. In his December 11, 2012, declaration explaining all this, the CIO stated that IT professionals addressed and corrected the network issues causing security lapse on the personal drives, which he referred to as "permission problems."
The CIO went on to state that without knowing how Complainant obtained the information on bullet 3, it is difficult to determine where it was stored. He indicated that assuming it was on the network area assigned to users in MAR 300 and 500 as Complainant wrote, people in MAR 700, where she worked, should not have had access.
The Agency also submitted an affidavit by the Director of Human Resources for the Maritime Administration. She stated that to protect PII and SPII, she stores such data on her hard drive or her personal network drive, not on any shared network drive.[3]
In its FAD, the Agency found that it breached the settlement agreement, but timely cured the breach by correcting the permissions problem which caused the security lapse within the 35 calendar day period allowed by 29 C.F.R. § 1614.504.
On appeal, Complainant does not contest that the Agency resolved unauthorized access to network personal drives by solving permissions issues. But she argues this does not go far enough to comply with the settlement agreement. Complainant contends that appropriate safeguards against unauthorized disclosures of sensitive PII require that any such information stored on the Agency's network be password protected and/or encrypted, and that the Agency's failure to do so violates the settlement agreement, the Privacy Act, and FISMA. She argues that a contract engineer or Agency employee with administrative privileges can still access her sensitive PII on network drives. Complainant requests that the Agency be required to comply with the settlement agreement. She argues that compliance requires that PII on network drives be encrypted. Complainant also argues that the Agency should pay her $12,075 so she can obtain identity theft protection and insurance from Equifax for herself and her family for 10 years.
In opposition to the appeal, the Agency submits a supplemental declaration by the CIO, dated February 25, 2013. He writes that at the time of his prior declaration, the Agency was still investigating the source of the screen shots connected to bullet 3 (the excel spreadsheets), and his office subsequently learned they were stored on network personal drives and on a shared network drive assigned to users in the Agency's Human Resources (HR) office, to which Complainant was not supposed to have access. The CIO indicated that, as with the unauthorized access to personal drives, the unauthorized access to the shared network HR drive was caused by permission issues, which were corrected, and that the Agency directed the removal or encryption of the subject excel spreadsheets from the shared network HR drive.
The CIO writes that the only disclosure of information in Complainant's breach claim that he is aware of was the possible disclosure to Complainant by an unknown Maritime Administration employee and by Complainant herself.
ANALYSIS
EEOC Regulation 29 C.F.R. § 1614.504(a) provides that any settlement agreement knowingly and voluntarily agreed to by the parties, reached at any stage of the complaint process, shall be binding on both parties. The Commission has held that a settlement agreement constitutes a contract between the employee and the Agency, to which ordinary rules of contract construction apply. See Herrington v. Dep't of Def., EEOC Request No. 05960032 (December 9, 1996). The Commission has further held that it is the intent of the parties as expressed in the contract, not some unexpressed intention, that controls the contract's construction. Eggleston v. Dep't of Veterans Affairs, EEOC Request No. 05900795 (August 23, 1990). In ascertaining the intent of the parties with regard to the terms of a settlement agreement, the Commission has generally relied on the plain meaning rule. See Hyon O v. U.S. Postal Serv., EEOC Request No. 05910787 (December 2, 1991). This rule states that if the writing appears to be plain and unambiguous on its face, its meaning must be determined from the four corners of the instrument without resort to extrinsic evidence of any nature. See Montgomery Elevator Co. v. Building Eng'g Servs. Co., 730 F.2d 377 (5th Cir. 1984).
In its FAD, the Agency conceded that it breached the settlement agreement when permission issues created a security lapse, allowing Maritime Administration employees who were not supposed to have it access to the network personal drive(s) of others, which held Complainant's and others' PII and SPII. The Agency found that it cured the breach within the requisite 35 calendar days by plugging the holes -- resolving the permission issues. On appeal, the Agency writes that it subsequently learned that the security lapse also involved a shared HR drive, and that it solved the matter by resolving permission issues and directing the encryption or removal of the private data from the shared HR drive.
As an initial matter, we disagree with Complainant that compliance with the settlement agreement requires the encryption of her PII or SPII residing on network personal drives. The settlement agreement simply provides that the Agency "will observe appropriate safeguards against unauthorized disclosures of privacy related information concerning Ms. Lessans...." We agree with the Agency that the permission issues which created a security breach of Complainant's (and others') PII and SPII constituted a breach of the settlement agreement, because this ran counter to the observation of appropriate safeguards. But without more information on the meaning of the settlement language, we decline to find that it required the above encryption. The record does not show that passwords or encryption of PII or SPII on network personal drives were part of regular security protocols at the Agency, and Complainant, who was the Director of the Office of Marine Financing, was aware prior to the settlement agreement that her private information was on the Agency's network, but did not negotiate into the settlement agreement language about passwords or encryption.
On appeal, the Agency concedes that sometime after December 11, 2012, it discovered that the subject excel spreadsheets (which contained Complainant's and others' PII) resided on network personal drives and a shared network HR drive, and that the latter drive had similar permissions issues creating a security lapse. The Agency closed this security lapse by resolving the permissions issues and directing that the above data be encrypted or removed from the shared network HR drive. Given this, we find that the Agency is now exercising appropriate safeguards against unauthorized disclosures of privacy related information concerning Complainant, as delineated in the settlement agreement.
Given the later discovery of the shared network HR drive issue, we find that the Agency did not cure its breach of the settlement agreement within 35 days after Complainant notified it of the breach. As relief, Complainant requests that the Agency comply with the settlement agreement. Given Complainant's request, and the equities of this case, which show that the Agency took diligent action to find and close the security lapses which breached the settlement agreement, we find that no further action is required in this case. The Agency is now in compliance with the settlement agreement.
Further, we decline to find that curing the breach requires that the Agency pay $12,075 for 10 years of identity theft protection and insurance. Agency personnel, who Complainant correctly contended had improper access to her PII and SPII, are trained on their obligation to protect PII and SPII which may come into their possession by virtue of their work. There is no evidence that any of Complainant's PII or SPII was released outside the Agency, except to her. Moreover, Complainant does not cite any precedent which would authorize the Commission to order the Agency to pay additional money to Complainant as a way to cure a breach where such language is not included in the settlement agreement.
The FAD is AFFIRMED.
STATEMENT OF RIGHTS - ON APPEAL
RECONSIDERATION (M0610)
The Commission may, in its discretion, reconsider the decision in this case if the Complainant or the Agency submits a written request containing arguments or evidence which tend to establish that:
1. The appellate decision involved a clearly erroneous interpretation of material fact or law; or
2. The appellate decision will have a substantial impact on the policies, practices, or operations of the Agency.
Requests to reconsider, with supporting statement or brief, must be filed with the Office of Federal Operations (OFO) within thirty (30) calendar days of receipt of this decision or within twenty (20) calendar days of receipt of another party's timely request for reconsideration. See 29 C.F.R. § 1614.405; Equal Employment Opportunity Management Directive for 29 C.F.R. Part 1614 (EEO MD-110), 9-18 (November 9, 1999). All requests and arguments must be submitted to the Director, Office of Federal Operations, Equal Employment Opportunity Commission, P.O. Box 77960, Washington, DC 20013. In the absence of a legible postmark, the request to reconsider shall be deemed timely filed if it is received by mail within five days of the expiration of the applicable filing period. See 29 C.F.R. § 1614.604. The request or opposition must also include proof of service on the other party.
Failure to file within the time period will result in dismissal of your request for reconsideration as untimely, unless extenuating circumstances prevented the timely filing of the request. Any supporting documentation must be submitted with your request for reconsideration. The Commission will consider requests for reconsideration filed after the deadline only in very limited circumstances. See 29 C.F.R. § 1614.604(c).
COMPLAINANT'S RIGHT TO FILE A CIVIL ACTION (S0610)
You have the right to file a civil action in an appropriate United States District Court within ninety (90) calendar days from the date that you receive this decision. If you file a civil action, you must name as the defendant in the complaint the person who is the official Agency head or department head, identifying that person by his or her full name and official title. Failure to do so may result in the dismissal of your case in court. "Agency" or "department" means the national organization, and not the local office, facility or department in which you work. If you file a request to reconsider and also file a civil action, filing a civil action will terminate the administrative processing of your complaint.
RIGHT TO REQUEST COUNSEL (Z0610)
If you decide to file a civil action, and if you do not have or cannot afford the services of an attorney, you may request from the Court that the Court appoint an attorney to represent you and that the Court also permit you to file the action without payment of fees, costs, or other security. See Title VII of the Civil Rights Act of 1964, as amended, 42 U.S.C. § 2000e et seq.; the Rehabilitation Act of 1973, as amended, 29 U.S.C. §§ 791, 794(c). The grant or denial of the request is within the sole discretion of the Court. Filing a request for an attorney with the Court does not extend your time in which to file a civil action. Both the request and the civil action must be filed within the time limits as stated in the paragraph above ("Right to File a Civil Action").
FOR THE COMMISSION:
______________________________
Carlton M. Hadden, Director
Office of Federal Operations
June 11, 2013
__________________
Date
[1] The Administration organization in the Maritime Administration is known as MAR-300, and has responsibility for the Maritime Administration's Office of Human Resources.
[2] Complainant also alleged that the Agency violated the Federal Information Security Management Act (FISMA) and the Privacy Act, and asked that it comply with these statutes. The EEOC does not enforce these statutes.
[3] The successor Acting Associate Administrator for Administration started acting in July 2011.
U.S. EQUAL EMPLOYMENT OPPORTUNITY COMMISSION
Office of Federal Operations
P.O. Box 77960
Washington, DC 20013