DATE: August 13, 2001

---------------------

SSN: -----------

Applicant for Security Clearance

APPEAL BOARD DECISION

APPEARANCES

FOR GOVERNMENT

Martin H. Mogul, Esq., Department Counsel

FOR APPLICANT

Douglas G. Andrews, Esq.

Administrative Judge Robert R. Gales issued a decision, dated March 7, 2001, in which he concluded it is not clearly consistent with the national interest to grant or continue a security clearance for Applicant. Applicant appealed. For the reasons set forth below, the Board affirms the Administrative Judge's decision.

This Board has jurisdiction on appeal under Executive Order 10865 and Department of Defense Directive 5220.6 (Directive), dated January 2, 1992, as amended.

Applicant's appeal presents the following issues: (1) whether the Administrative Judge's adverse conclusions are arbitrary, capricious, or contrary to law; and (2) whether the Administrative Judge erred by considering an Adjudicative Guideline that was not alleged in the Statement of Reasons issued to Applicant.

The Defense Office of Hearings and Appeals issued a Statement of Reasons (SOR) dated October 17, 2000 to Applicant. The SOR was based on Guideline E (Personal Conduct). A hearing was held on January 25, 2001. The Administrative Judge issued a written decision, dated March 7, 2001, in which he concluded it is not clearly consistent with the national interest to grant or continue a security clearance for Applicant. The case is before the Board on Applicant's appeal from the Judge's adverse decision.

1. Whether the Administrative Judge's adverse conclusions are arbitrary, capricious, or contrary to law. The Administrative Judge made findings of fact about Applicant's termination from a position as a safety and security officer with a hospital in October 1997 based on his unauthorized accessing of patient records on a hospital computer system on approximately 10-20 occasions. The Judge concluded Applicant's unauthorized accessing of patient records demonstrated questionable judgment, untrustworthiness, and unreliability, and warranted an adverse security clearance because Applicant failed to demonstrate rehabilitation.

On appeal, Applicant indicates that he accepts the Administrative Judge's findings of fact, but challenges the Judge's adverse conclusions. In challenging the Judge's adverse conclusions, Applicant argues: (a) the Administrative Judge erred by not accepting Applicant's explanation for his conduct; (b) the Judge gave undue weight to the fact Applicant was terminated from his position in October 1997; (c) the Judge failed to consider Applicant's case under the factors enumerated under Directive, Section 6.3; (d) the Judge failed to address or consider evidence of extenuating circumstances; (e) the Judge failed to give due consideration to mitigating evidence; (f) the Judge failed to fairly apply the whole person concept; and (g) the Judge erred by concluding Applicant's conduct warrants an adverse security clearance decision.

On appeal, the Board reviews an Administrative Judge's conclusions to determine whether they are arbitrary, capricious, or contrary to law. See Directive, Additional Procedural Guidance, Item E3.1.32.3. Even if a Judge's findings of fact are supported by the record evidence or are not challenged on appeal, the Board must determine whether the inferences and conclusions the Judge drew from those findings are reasonable when those inferences and conclusions are challenged on appeal. ⁽¹⁾ Applicant's arguments raise such a challenge in this appeal.

(a) Applicant's explanation for his conduct. Applicant argues the Administrative Judge erred by not accepting his explanation for his conduct because: (i) there is insufficient record evidence to contradict or refute Applicant's testimony, (ii) the Judge improperly relied on his negative assessment of Applicant's credibility as a substitute for record evidence; and (iii) Department Counsel did not present direct evidence that Applicant knowingly and intentionally violated the hospital policy concerning patient records. These arguments fail to demonstrate the Judge erred.

An Administrative Judge is not compelled, as a matter of law, to accept the testimony of a witness at face value merely because it is unrebutted. Rather, a Judge must assess the credibility of the witness and weigh the witness's testimony in light of the Judge's assessment of the witness's credibility, as well as the record evidence as a whole. ⁽²⁾ Accordingly, there is no merit to Applicant's argument that the Judge should have accepted his statements and testimony because they were not rebutted.

Applicant correctly notes that an Administrative Judge cannot use a credibility determination as a substitute for record evidence. ⁽³⁾ However, our review of the Judge's decision and the record evidence in this case persuades us that the Judge did not commit that kind of error in this case. There is nothing improper about the Judge deciding whether Applicant's statements and testimony are credible and worthy of belief. It is within the bounds of the Judge's discretion to discount a witness's testimony based on a negative assessment of the witness's credibility. And, as discussed in the next paragraph, Applicant's statements and testimony about his intent or state of mind are not the only evidence that the Judge had before him to evaluate Applicant's unauthorized accessing of patient records.

Applicant correctly notes that his intent or state of mind when he accessed the patient records as a hospital safety and security officer is a crucial issue in this case. Applicant also correctly notes that his statements about his intent or state of mind when he accessed the patient records are important evidence. However, an applicant's statements about his or her intent or state of mind are not binding or conclusive on an Administrative Judge. Rather, a Judge must consider an applicant's statements in light of the record evidence as a whole, including the Judge's assessment of the applicant's credibility. ⁽⁴⁾ An applicant's intent or state of mind can be shown through indirect or circumstantial evidence, and a Judge may make findings about an applicant's intent or state of mind that run contrary to the applicant's statements and testimony when such findings have a rational basis in the record evidence. ⁽⁵⁾ Accordingly, the Judge was not bound by Applicant's statements about his intent or state of mind when he accessed the patient records. ⁽⁶⁾ Rather, the Judge had the responsibility to consider the record evidence as a whole when making findings of fact about Applicant's intent or state of mind.

(b) Significance of Applicant's termination in October 1997. Applicant argues the Administrative Judge gave undue weight to the fact that he was terminated from his position as a safety and security officer with a hospital in October 1997 based on his unauthorized accessing of patient records on a hospital computer system. This argument is not persuasive.

Absent a showing that an Administrative Judge acted in a manner that is arbitrary, capricious, or contrary to law, the Board will not disturb a Judge's weighing of the record evidence. ⁽⁷⁾ A review of the decision below shows that the Judge did not give undue weight or significance to the fact that Applicant was terminated from his position in October 1997. Rather, a review of the decision shows the Judge considered that fact in conjunction with the nature of Applicant's position and duties with the hospital, the facts and circumstances surrounding Applicant's unauthorized accessing of patient records, and Applicant's explanations for that conduct. The Judge's analysis is consistent with his obligation to consider the record evidence as a whole. See Directive, Section 6.3.

(c) Application of Section 6.3 factors. Applicant also argues the Administrative Judge failed to consider his case under the factors enumerated under Directive, Section 6.3. In support of this argument, Applicant offers his interpretation of the record evidence with respect to each of the factors enumerated under Section 6.3. Applicant's argument fails to demonstrate the Judge erred.

The Administrative Judge did not specifically cite or refer to the Section 6.3 factors in his analysis of Applicant's case. However, a review of the decision below shows the Judge considered the nature and seriousness of Applicant's conduct, including the circumstances surrounding it (Section 6.3.1), the frequency and recency of Applicant's conduct (Section 6.3.2), Applicant's age (Section 6.3.3), Applicant's motivation and state of mind when he accessed the patient records (Section 6.3.4), the presence or absence of rehabilitation (Section 6.3.5), and the likelihood that Applicant might engage in similar conduct again (Section 6.3.6). Because a reading of the Judge's decision shows the Judge considered Applicant's case in terms that track the substance of the Section 6.3 factors, the Judge's failure to explicitly cite each of those factors does not demonstrate error.

(d) Extenuating circumstances. Applicant argues the Administrative Judge failed to address or consider evidence of extenuating circumstances. In support of this argument, Applicant asserts: (i) there is no record evidence that Applicant received any guidance or training about what computer use was authorized or not; (ii) there is no record evidence that Applicant received training about the hospital's policy concerning the confidentiality of patient records; (iii) the hospital had no system of graduated disciplinary measures and gave Applicant no warning before it terminated him; and (iv) a hospital manager interviewed by the Defense Security Service (DSS) stated he believed Applicant did not mean any harm by accessing the patient records, indicated he had recommended against Applicant's termination, stated he would rehire Applicant, and recommended Applicant for a position of trust.

Even if Applicant did not receive any formal guidance or training about the hospital's policy concerning the confidentiality of patient records, it is untenable for Applicant to suggest that he could not be expected to know that he was not authorized to access patient records unless such access was necessary to carry out his official duties. Implicit in Applicant's argument is the premise that he could not be expected to know what he was not authorized to do unless specifically told by the hospital. That premise is not well founded. Even in the absence of specific formal guidance or training, there are some things that a reasonable person knows or should know are not proper to do. ⁽⁸⁾ A reasonable person knows or should know that patient records contain highly personal information that is private, confidential, and not accessible to persons without the consent of the patient or an authorized need for such access to carry out their duties or legal obligations. A reasonable person knows or should know that a safety and security officer is granted access to the equipment and facilities of his employer so that the safety and security officer can carry out his or her duties, not to engage in actions unrelated to his or her official duties. A reasonable person knows or should know that accessing a patient record on a computer system is the functional equivalent of picking up a patient's medical chart or file and reading it. Applicant's arguments to the contrary lack merit.

As discussed earlier in this decision, the Administrative Judge did not give undue weight to the fact that Applicant was terminated from his position in October 1997. And, in any event, Applicant fails to articulate how his unauthorized accessing of patient records could be extenuated by the fact that the hospital did not have a system of graduated disciplinary measures. Indeed, the specific details of the hospital's disciplinary system are irrelevant to evaluating the nature and seriousness of Applicant's unauthorized accessing of patient records.

The views of the hospital manager interviewed by the DSS were not binding or conclusive on the Administrative Judge. ⁽⁹⁾ The Judge had the responsibility of considering that favorable evidence in light of the record evidence as a whole and deciding what weight to give it. Applicant's argument that the Judge should have given more weight to the views of the hospital manager fails to demonstrate the Judge erred.

(e) Mitigating evidence. In support of the argument that the Administrative Judge failed to give due consideration to mitigating evidence, Applicant asserts: (i) apart from Applicant's unauthorized accessing of patient records, there is no other derogatory or disqualifying information in the record; (ii) the evidence of Applicant's good character, dependability, trustworthiness, and reliability outweighs "that single episode" in his life; (iii) Applicant has been honest and candid with the government throughout these proceedings; (iv) Applicant's performance as a security officer after he was terminated by the hospital has been favorable; (v) he presented favorable character evidence that shows his dependability, trustworthiness, and reliability; (vi) he has demonstrated rehabilitation; (vii) there is no evidence that Applicant's unauthorized access to patient records involved deceit, willful disregard of express hospital guidance or directives, or a repeat of conduct after receiving an adequate warning; and (viii) there is no record evidence that Applicant's use of the hospital computer to access patient records would constitute a "breach of confidentiality" in the absence of his disclosing patient information.

The security significance of Applicant's unauthorized accessing of patient records is not negated or diminished by the fact that the government has not proven he engaged in other misconduct. Furthermore, the absence of any evidence that Applicant acted with deceit or after receiving a warning from the hospital did not preclude the Judge from concluding Applicant's unauthorized accessing of patient records demonstrated questionable judgment, untrustworthiness, and unreliability. "Even if an applicant has not engaged in other conduct that has more serious negative security significance, the Judge still has the obligation to evaluate the security significance of the conduct the applicant did engage in." ISCR Case No. 99-0254 (February 16, 2000) at p. 3.

The evidence about Applicant's character and job performance cited by him did not compel the Administrative Judge to make a favorable security clearance decision. The Judge had to weigh the record evidence, both favorable and unfavorable, and decide whether the favorable evidence outweighed the unfavorable evidence or vice versa. ⁽¹⁰⁾ Furthermore, the Judge gave an explanation for why he concluded Applicant had not demonstrated reform or rehabilitation. Considering the record evidence in this case, that explanation is not arbitrary, capricious, or contrary to law.

Applicant's argument about what would constitute a breach of confidentiality fails to demonstrate the Administrative Judge erred. The confidentiality of a patient record is breached when it is accessed by an unauthorized person, regardless of whether the unauthorized person discloses the information from the patient record to other unauthorized persons. Furthermore, the Judge correctly noted the record evidence shows that Applicant was on notice that, as a hospital employee, he was not authorized to obtain information from a patient's record unless he had a need to know such information to perform his duties. Accordingly, it is untenable for Applicant to argue that his conduct did not constitute a breach of confidentiality of the patient records he accessed without authority.

The Board rejects Applicant's assertion that he "committed no security breach in gaining access [to the patient records], because the means for access was granted to him as a security officer." Being provided the means for gaining access to the hospital computer system did not constitute authorization for Applicant to gain access to that computer system for purposes unrelated to the performance of his duties. To use an analogy: if Applicant were given a set of master keys for hospital offices and hospital file cabinets, Applicant would commit a security breach if he used those master keys to gain access to hospital offices or hospital file cabinets for purposes other than the performance of his duties. Even a hospital security officer must act within the limits of his or her authority and respect basic security principles.

(f) Whole person concept. Applicant also claims the Administrative Judge failed to fairly apply the whole person concept. In support of this claim, Applicant argues the Judge failed to set forth an express analysis of his case that enables him and the Board to determine whether the Judge in fact engaged in a whole person analysis as required by Directive, Sections E2.2.1 and E2.2.3. This argument lacks merit.

An Administrative Judge has broad discretion in writing his or her decision, but a Judge must issue a written decision that enables the parties and the Board to understand what findings the Judge is making, what conclusions the Judge is reaching, and sufficient explanation to show the Judge is engaged in reasoned decision making. ⁽¹¹⁾ In the decision below, the Judge explained the findings he made and the conclusions he reached, and set forth his analysis of Applicant's case sufficiently to show he was engaged in reasoned decision making that was consistent with the requirements of the Directive. Applicant's strong disagreement with the Judge's adverse conclusions is not sufficient to demonstrate the Judge failed to engage in the whole person analysis required by the Directive.

(g) Administrative Judge's adverse decision. Applicant contends the Administrative Judge erred by concluding his conduct warrants an adverse security clearance decision. In support of this contention, Applicant argues: (i) denial of security clearance is not mandated even if Department Counsel established its case with respect to Guideline E; and (ii) the record evidence as a whole does not support the Judge's conclusion that it is not clearly consistent with the national interest to grant or continue a security clearance for Applicant.

Applicant's argument concerning Guideline E fails to demonstrate the Administrative Judge erred. If an applicant's actions or circumstances fall under one or more of the Adjudicative Guidelines, the burden shifts to the applicant to present evidence to demonstrate extenuation, mitigation, or changed circumstances sufficient to warrant a favorable security clearance decision. ⁽¹²⁾ An applicant's burden of persuasion is a heavy one because there is no presumption in favor of granting a security clearance, ⁽¹³⁾ and a security clearance cannot be granted unless there is an affirmative finding that to do so would be clearly consistent with the national interest. ⁽¹⁴⁾ In this case, the Judge had a rational basis for the concluding Applicant's conduct fell under Guideline E. Furthermore, the Judge articulated a rational basis for his conclusion that Applicant failed to demonstrate extenuation, mitigation, or changed circumstances sufficient to overcome the negative security significance of Applicant's unauthorized accessing of patient records.

The Board construes Applicant's remaining argument as raising the question of whether there is a nexus between his unauthorized accessing of patient records and his suitability for access to classified information. The federal government must be able to repose a high degree of trust and confidence in persons granted access to classified information. Special trust and confidence were reposed in Applicant because of his position as a safety and security officer. Applicant violated that trust and confidence when he accessed patient records on the hospital's computer system without authority. Such a breach of a fiduciary duty provides a rational basis for the Administrative Judge's expressed doubts about Applicant's suitability for access to classified information and his adverse security clearance decision.

2. Whether the Administrative Judge erred by considering an Adjudicative Guideline that was not alleged in the Statement of Reasons issued to Applicant. Applicant argues: (a) the Administrative Judge erred by improperly considering Guideline M (Misuse of Information Technology Systems), which was not alleged in the SOR issued to Applicant; and (b) in considering Guideline M, the Judge erred by glossing over the distinction between intentional use and intentional misuse of a computer system.

(a) The Administrative Judge erred by discussing Guideline M because it was not alleged in the SOR and the SOR was not amended to allege Applicant's conduct under Guideline M. However, not every variance between an SOR and a Judge's findings and conclusions is fatal. When an applicant challenges such a variance on appeal (as Applicant has done in this case), the Board must review the case record as a whole to determine whether the applicant has demonstrated he was harmed in a prejudicial manner. ⁽¹⁵⁾ In this case, Applicant had fair notice that the government proposed to deny or revoke access to classified information based on his unauthorized accessing of patient records when he was a hospital safety and security officer, and Applicant had a reasonable opportunity to litigate the issues raised by the SOR allegation. A review of the decision below persuades the Board that the Judge's discussion of Guideline M was not dispositive. The Judge's findings and conclusions about Applicant's conduct under Guideline E provide a sufficient basis for the Judge's adverse security clearance decision. Furthermore, Applicant has not made any proffer or argument about how he was prejudiced in any meaningful way by the Judge's error.

(b) Because we conclude the Administrative Judge erred by discussing Guideline M, we need not address Applicant's second argument. No useful purpose would be served by addressing the merits of the Judge's dicta concerning Guideline M.

Applicant has failed to meet his burden of demonstrating error that warrants remand or reversal. Accordingly, the Board affirms the Administrative Judge's adverse security clearance decision.

Signed: Emilio Jaksetic

Emilio Jaksetic

Administrative Judge

Chairman, Appeal Board

Signed: Michael Y. Ra'anan

Michael Y. Ra'anan

Administrative Judge

Member, Appeal Board

Signed: Jeffrey D. Billett

Jeffrey D. Billett

Administrative Judge

Member, Appeal Board

1. See, e.g., ISCR Case No. 00-0593 (May 14, 2001) at p. 2; ISCR Case No. 99-0710 (March 19, 2001) at p. 4.

2. See, e.g., ISCR Case No. 99-0710 (March 19, 2001) at p. 4 and n.9; ISCR Case No. 99-0228 (March 12, 2001) at pp. 3-4; ISCR Case No. 99-0005 (April 19, 2000) at p. 3.

3. See, e.g., ISCR Case No. 98-0419 (April 30, 1999) at p. 3; ISCR Case No. 97-0356 (April 21, 1998) at p. 3.

4. See, e.g., ISCR Case No. 00-0423 (June 8, 2001) at p. 3; ISCR Case No. 00-0302 (April 23, 2001) at p. 3.

5. See, e.g., ISCR Case No. 00-0233 (February 14, 2001) at p. 4 (intent to falsify can be shown by circumstantial evidence despite applicant's denial of intent to falsify); ISCR Case No. 99-0424 (February 8, 2001) at p. 13 (applicant's denial of a preference for a foreign country is not dispositive and must be considered in light of facts and circumstances of an applicant's conduct and circumstances); ISCR Case No. 99-0597 (December 13, 2000) at p. 9 (applicant's statements about his reasons for getting a foreign passport do not preclude consideration of the natural, foreseeable consequences of applicant's use of such a foreign passport).

6. As will be discussed later in this decision, there are certain things about patient records and the duties of a safety and security officer that a reasonable person knows or should know.

7. See, e.g., ISCR Case No. 00-0417 (May 1, 2001) at p. 3; ISCR Case No. 99-0554 (July 24, 2000) at p. 6.

8. See, e.g., ISCR Case No. 99-0228 (March 12, 2001) at pp. 4-5 (applying concept of imputed knowledge and citing earlier Board decisions applying that concept); ISCR Case No. 98-0470 (April 19, 1999) at p. 3 (applicant's conduct should be evaluated in light of the reasonable person standard).

9. See, e.g., ISCR Case No. 99-9020 (June 4, 2001) at p. 7; ISCR Case No. 99-0481 (November 29, 2000) at p. 4; DOHA Case No. 96-0152 (January 14, 1997) at pp. 4-5.

10. See, e.g., ISCR Case No. 00-0417 (May 1, 2001) at p. 3; ISCR Case No. 99-0260 (April 12, 2000) at p. 3.

11. See, e.g., ISCR Case No. 99-9020 (June 4, 2001) at p. 6.

12. Directive, Additional Procedural Guidance, Item E3.1.15. See, e.g., ISCR Case No. 99-0254 (February 16, 2000) at pp. 2-3.

13. Directive, Item E2.2.2; Dorfmont v. Brown, 913 F.2d 1399, 1403 (9th Cir. 1990), cert. denied, 499 U.S. 905 (1991).

14. See Executive Order 10865, Section 2; Directive, Sections 3.2 and 4.2.

15. See, e.g., ISCR Case No. 99-0710 (March 19, 2001) at p. 3.