FDA Defends Monitoring Whistleblowers' Email

The U.S Food and Drug Administration (FDA) today said it monitored the private email accounts of nine agency whistleblowers starting in 2010 to determine whether any of them leaked confidential information to the public.

Six of the whistleblowers late last month filed a lawsuit alleging that the FDA violated their privacy and constitutional rights by secretly monitoring and collecting information from private email conversations.

The FDA had not denied monitoring the email.

The six complainants are scientists and doctors who have publicly disclosed what they call serious irregularities in the FDA device evaluation process.

The monitoring in question occurred when the employees used personal Gmail and Yahoo email accounts on work computers. The employees claim that information found during the email monitoring has been used against them.

The lawsuit has prompted U.S. Rep. Darrell Issa (R-CA), chairman of the Committee on Oversight and Government Reform, to send a letter to FDA Commissioner Margaret Hamburg seeking details on the agency's email surveillance activities.

Erica Jefferson, team leader for the FDA's Medical Products and Tobacco group, Friday said that the targeted email surveillance of the nine individuals started in April 2010, more than a year after the whistleblowers started complaining to Congress about the FDA's device clearance process.

The surveillance started after a device manufacturer told FDA officials that confidential and proprietary information had been leaked to the public, Jefferson said.

"The company believed that someone in the FDA may have been the source of that leak, and efforts were made to identify the source internally," Jefferson said via email. "Our monitoring was designed to determine whether confidential information had been inappropriately released."

According to Jefferson, the FDA monitors the computers of agency workers in compliance with the Federal Information Security Management Act (FISMA) requirements.

Jefferson added that FDA employees, including those that sued the agency, knew that workplace computers are subject to monitoring at any time. In fact, whenever FDA employees log on to their computers, they are required to consent to such monitoring, she said.

"We want to emphasize that we take very seriously our responsibility to protect confidential commercial information" received from companies the FDA regulates, Jefferson said.

The lawsuit is among the first to raise the issue of whether employers can legally monitor password protected, private email accounts of workers on employer-supplied machines.

In a letter to Hamburg on Thursday, Issa said that such monitoring can only be justified in cases where an employee is suspected of serious wrongdoing.

"In this case, the employees monitored by the FDA managers had done nothing wrong," he wrote. "The appearance of wrongdoing ... is heightened because the agency used the intelligence it gathered to build a case to retaliate" against the whistleblowers, Issa said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about security in Computerworld's Security Topic Center.