It has been called the “uh-oh” e-mail: the e-mail that was sent to the wrong person or that contained an attachment not intended to be reviewed by the recipient. A 2010 survey of 250 business leaders found that 78 percent of them admitted to mistakenly e-mailing the wrong message to someone or unintentionally copying someone on a message. Most times, uh-oh emails will fill the sender with fleeting regret and embarrassment. But when a federal employee sends an uh-oh email that contains sensitive personnel or classified information, the consequences are more severe and could include termination.
In the wake of the U.S. Court of Appeals for the Federal Circuit’s recent decision in Wrocklage v. Department of Homeland Security (2014), many federal employees who have sent an uh-oh will likely be scrambling to find an effective message recall function. In this case, the court refused to sustain an unauthorized disclosure charge levied against the appellant, a Customs and Border Protection (CPB) officer. The appellant had sent an e-mail to a CPB Joint Intake Center to protest a fine levied against an elderly couple. Attached to this e-mail was a Treasury Enforcement Communication System (TECS) report that, in addition to detailing the fine, contained the Social Security number and other personal information of one of the fine’s recipients. The appellant also inadvertently carbon copied a congressional staffer on this e-mail. Upon realizing he had sent the TECS report to the staffer, he asked her to delete the e-mail without reading it, which she did.
The agency removed the appellant after an investigation found his e-mail with the TECS report sent to the congressional staffer represented a disclosure in violation of the Privacy Act. The Federal Circuit, however, disagreed with the agency’s interpretation of what qualifies as a disclosure. It found the appellant’s e-mail to the congressional staffer was not a disclosure because she never viewed the TECS report. “The correct interpretation of…disclosure as requiring not just transmission, but actual viewing or imminent viewing by another,” the court said. Consequently, after striking two of the three charges (i.e., unauthorized disclosure and lack of candor) against the appellant, the court vacated a decision by the Merit Systems Protection Board (MSPB) affirming the appellant’s removal and remanded the case for an appropriated penalty determination based on the sustained charge (i.e., improper possession of TECS information).
While federal employees can take steps, similar to those taken by the appellant in Wrocklage, to prevent an uh-oh e-mail from becoming a disclosure in violation of the Privacy Act, such steps may be less effective at saving their security clearance. Uh-oh e-mails could qualify as disqualifying factors under Guideline E (Personal Conduct) of the Adjudicative Guidelines for Determining Eligibility for Access to Classified Information. An employee, whose uh-oh e-mail prompted a letter of denial or revocation, could argue that the message did not compromise classified information. But red flags could still be raised by his or her “unwillingness to comply with rules and regulations, or other characteristics indicating that the person may not properly safeguard protected information.”
The employee then, preferably with the help of an experienced security clearance representation attorney, could argue that the failure to follow rules and regulations was inadvertent. If it only happened one time, then this argument may mitigate the concern. But, if the employee has a history of inadvertently failing to follow rules and regulations, then this argument would probably not sufficiently mitigate the concern. Either way, perhaps the biggest uh-oh an employee could make is fighting a security clearance revocation or denial without the help of experienced counsel.
Neil McPhie is the Director of Legal Services for Tully Rinckey PLLC and the former chairman of the U.S. Merit Systems Protection Board. He concentrates his practice in federal sector employment and labor law and can be reached at firstname.lastname@example.org.