Rogue Email from Adjudicator

Hi, all. I have a really strange situation here.

2 weeks ago, I received an email from an address (civ) with the subject header “My CI case reviews for the week.” The email was sent to 8 individuals who appear to work for DoD CAF and me; I think the sender intended to add a 9th DoD CAF individual (presumably my adjudicator), but instead sent the email to my government email. Bit of a mistake, that.

The email contained my SSN as well as 8 others (and was NOT encrypted), and next to each SSN was the individual’s associated level of risk. The level of risk cited next to my SSN was “medium,” with the accompanying reason being “one contact of concern’s employer.” I truly have no idea what this means. Others were deemed “high” or “low” risk.

As mentioned, I believe that this email was supposed to go to the adjudicators associated with each case. How this guy managed to send it to me – in addition to not even bothering to encrypt an email chock full of PII – is totally beyond me. But now I have it.

I am a contractor, and my company has not taken what I feel to be appropriate action. As best I can tell, our security staff hasn’t done anything to either address the sending of this rogue email or interpret its contents for me. I am deeply, deeply concerned about being labeled a “medium” risk; I applied for a Secret clearance in September 2016 and have already been removed from one job because my investigation was taking too long. If a denial comes back, I will lose this job and presumably be out of luck. I have spent 2 years working on client site at various DoD installations, and it would feel unbelievably cruel to get canned now.

I write to ask if anyone has any insight or recommendations regarding (1) what this means, and (2) how I should handle this. My company did instruct me NOT to reply to the individual from whom I received the email, and I never received any follow-up - so it’s safe to say that he has no idea the mistake was made. I appreciate any and all feedback.

That email is FOUO and if sent to an unintended recipient, that recipient has the ethical duty to make the sender aware. The right thing to do is notify your Company FSO who should immediately notify the sender about the PII breach, as that is a serious issue these days and is reportable to the responsible agency. The medium risk level refers to the position designation of your position and has nothing to do with derogatory information about you. I recommend you notify your FSO in writing and then delete all copies of the email from your account.

Thanks, Marko - that’s very helpful information. I will circle back with our FSO; I referred the email to him but have received no response. If I don’t get an affirmative response that the appropriate agencies have been notified, I will take it to a higher level within the company.