Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information

Evaluation and Inspections Report I-2007-005
June 2007
Office of the Inspector General

Appendix XVI
OIG Analysis of the DEA Response

In a memorandum dated May 25, 2007, the DEA responded to the OIG draft report. The DEA concurred with the majority of the OIG review results and the recommendations made to the Department. The DEA also provided comments on two technical and factual matters and made one comment on the report’s recommendations.

Summary of DEA Response and OIG Analysis

Comment 1. The DEA stated that on page 58 of the report the OIG noted that there were six incidents of PII losses at the DEA and two incidents involving losses of classified information. According to the DEA, its internal documents and DOJCERT and SEPS records showed that only one incident involving classified information occurred during the review period. Further, of the six incidents cited by the OIG as involving potential PII loss, only two were actual or suspected losses of PII. The DEA requested that we incorporate these revisions into the report.

OIG Analysis. We declined to incorporate the DEA’s suggested changes into the report. The numbers that the DEA cites are not reflected in the DOJCERT’s Archer Database, which we used for each of the nine components reviewed in our analysis. To determine whether an incident involved actual or potential loss of PII, we relied on Archer Database records that showed whether components had responded “Yes” or “Unknown,” respectively, when asked if an incident involved the loss of PII. To determine whether an incident potentially involved classified information, we relied on the incident descriptions in the database. In this review, we did not verify the database’s information with either DOJCERT or the components’ internal records. However, we added a footnote to the DEA appendix that includes the DEA’s numbers and explains why the OIG’s methodology may have produced different numbers.

Comment 2. The DEA stated that the report cites a DEA official as stating that “... in practice the Information Security Section Reports classified incidents to DOJCERT, not SEPS, and relies on DOJCERT to report those incidents to SEPS.” The DEA stated that it was unable to attribute this statement to any DEA official interviewed by the OIG. The DEA did acknowledge that its one classified incident was not directly reported to SEPS and should have been, but stated that it did not concur with the inference that it willfully failed to follow policies and procedures as a course of practice. Further, the DEA requested that all references to the DEA’s “practice” of reporting loss of classified information to DOJCERT and not to SEPS be removed from the report.

OIG Analysis. Upon reviewing the notes of the original interview and a follow-up email sent to us by the subject of the interview, we found that his comments could be subject to varying interpretations. We revised the language on pages 60 and 61 of the report to clarify the meaning of the information he provided.

Comment 3. The DEA stated that it “would not concur with recommendation number five [of the report] unless the definition of PII or the notification policy itself provided for an exception to notification, where notification would compromise an ongoing law enforcement investigation or matters of national security.”

OIG Analysis. The Department’s Office of Privacy and Civil Liberties is circulating a draft Department-wide notification policy that should address the DEA’s concerns in this matter.
