Page 268 - Ad Hoc Report June 2018
P. 268

 224 2 0 1 7
course of its work that defender concerns about confidentiality were not baseless when the AO itself breached confidential defender data. In response to a Committee request about general expert usage, a contractor at a helpdesk in the AO, working
in an entirely separate division from both the Defender Services Office and CMSO, accessed defender data and downloaded specific, non-anonymized, confidential, documentation and information that had been sealed by a court order in extremely high-profile cases, and sent it to a Committee member. Given the highly confiden- tial and client-sensitive nature of the materials, DSO would never have authorized the release of this information under its protocols. When the breach was discovered, this Committee’s Chair was informed; she then contacted the Committee member who had initially requested expert usage information and asked that the material be destroyed. Further, the confidential material produced was not even what had been requested, and was not responsive to the original request.
Laura Minor, director of the Department of Program Services at the AO at that time, responded to the breach by stating, “On so many levels this is bad.”1043
ffThe contractor was not covered by the MOUs which govern access and control of defender data. The MOU binds CMSO, DSO, the defenders, and NITOAD. CMSO and DSO are under the Department of Program Services at the AO. The contractor was in an entirely different division in the AO, the Department of Administrative Services, a division that has no agreement with defenders regarding access to and usage of their confidential informa- tion. Please see the AO organizational chart in Section 3.3 at p. 35
ffNITOAD, CMSO, DSO, and defenders were entirely unaware that Department of Administrative Services had built a “back door” into defender data and information. Furthermore, it appears that DPS had
or has greater access to more specific and detailed data than CMSO, DSO, NITOAD can currently access through the defender IT systems. An employee at DSO noted that the material was, “better than what we could provide through DSMIS.”
ffThere are established protocols for the access and release of any defender information. Release of data must be approved through DSO and, if the data are specific, the individual defender office for which that data was accessed. There is no process in DAS designed for clearing or vetting infor- mation before releasing it, nor any limits that the Committee is aware of on who that department can supply (and has supplied) data.
ffSuch third-party access could conceivably destroy privilege and confidentiality.
1043 Ms.Minorwasunawareofandnotresponsiblefortheunauthorizedaccessandreleaseofthe information.
No recommendation presented herein represents T H E A D H O C C O M M I T T E E T O R E V I E W T H E C R I M I N A L J U S T I C E A C T the policy of the Judicial Conference of the United States unless approved by the Conference itself.

   266   267   268   269   270