Univ. of California hit with proposed $3M fine for Los Alamos breach
The penalty is the largest ever sought by the DOE
Computerworld - The U.S. Department of Energy has proposed levying a fine of $3 million on the University of California and a separate $300,000 fine on Los Alamos National Security LLC (LANS), for their alleged failures to protect classified information in an October 2006 security breach.
In addition, Secretary of Energy Samuel Bodman today ordered LANS to undertake specific actions to bolster its physical and IT security. A failure to implement the required measures within the prescribed time frame could result in the imposition of additional civil penalties of up to $100,000 per day for each violation, Bodman said in a compliance order issued today.
The formal enforcement actions against both organizations follow months of investigation into the breach, in which a contract worker at Los Alamos National Laboratories (LANL) illegally downloaded and removed classified data from the site via USB thumb drives.
The university, which is based in Oakland, managed and operated LANL from 1943 to May 2006 through its laboratory management division. LANS, which is a limited liability corporation that comprises the university as well as Bechtel National Inc. and two other firms, took over management of LANL in June 2006.
The university and LANS have 30 days to submit a written response to the notice of violations. A failure to do so would end their right to appeal the proposed penalties.
"Investigations revealed that management deficiencies of both contractors were a central contributing factor" in the 2006 breach, a DOE statement said. The agency noted that the proposed civil penalty of $3 million is the largest it has ever assessed.
In a formal Preliminary Notice of Violation addressed to Robert Foley, vice president of laboratory management at the University of California, the DOE listed five separate areas where the university failed to follow DOE requirements for protecting classified information. Those violations included a failure by the university to protect data ports, despite knowing about the vulnerability, and a failure to impose adequate escorting requirements to detect unauthorized access and removal of classified data.
The university was also charged with violating the DOE's physical security requirements, as well as rules regarding roles and responsibilities and oversight of subcontractors. The notice of violation was sent by the DOE's National Nuclear Security Administration (NNSA).
In a similar notice to LANS, the NNSA listed many of the same violations. In addition, the NNSA said that LANS failed to stop the unauthorized reproduction of classified material both on paper and on removable electronic media and allowed the material to be stored in a private residence.
Chris Harrington, a University of California spokesman, said the school is "carefully reviewing" the enforcement notice from the DOE and would respond with its concerns and objections. "The content of our response will be informed by the fact that the incident at issue occurred in October 2006 -- after the University's management contract ended in May 2006," Harrington said via e-mail. "In addition, we will outline the actions the University took to strengthen security processes at the laboratory prior to the change in management to Los Alamos National Security LLC."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts