[Code of Federal Regulations] [Title 12, Volume 4] [Revised as of January 1, 2005] From the U.S. Government Printing Office via GPO Access [CITE: 12CFR403.11] [Page 499-500] TITLE 12--BANKS AND BANKING CHAPTER IV--EXPORT-IMPORT BANK OF THE UNITED STATES PART 403_CLASSIFICATION, DECLASSIFICATION, AND SAFEGUARDING OF NATIONAL SECURITY INFORMATION--Table of Contents Sec. 403.11 Enforcement and investigation procedures. (a) Loss or Possible Compromise. Any person who has knowledge of the loss or possible compromise of classified information shall immediately report the circumstances to the Security Officer of the Bank. In turn, the originating agency shall be notified about the loss or compromise in order that a damage assessment may be conducted and appropriate measures taken to negate or minimize any adverse effect, and prevent further such loss or compromise. An immediate inquiry shall be initiated by the Bank for the purposes: (1) Of determining cause and responsibility and (2) taking corrective measures and appropriate administrative, disciplinary, or legal action. (b) Reporting and Investigating Unauthorized Disclosures. (1) Employees who have reason to believe that an unauthorized disclosure of classified information has occurred shall report the disclosure to their supervisor, who shall inform the Security Officer. (2) The Bank shall promptly notify the Information Security Oversight Office at the General Services Administration, Washington, DC 20405, of all unauthorized disclosures of classified information. (3) If the Bank believes that it is the source of an unauthorized disclosure of classified information that it originated, it shall evaluate the disclosure under paragraph (b)(7) of this section. If the disclosure is serious, the Bank shall report the disclosure and the results of the evaluation to the Department of Justice together with notification that it is conducting an internal investigation. (4) If the Bank believes that it is the source of an unauthorized disclosure of classified information that it handled but did not originate, it shall report the disclosure to the Department of Justice and to the originating agency(ies) or department(s) for evaluation under paragraph (b)(7) of this section. If the Bank cannot determine the identity of the originating agency(ies) or department(s), it shall report the disclosure to the Department of Justice together with any information or reasonable inferences as to the identity of the originating agency(ies) or department(s). (5) If the Bank receives a request for an evaluation of information it originated, it shall, if the evaluation shows the disclosure was serious, inform the agency(ies) or department(s) from which the disclosure occurred of this conclusion and request that the agency(ies) or department(s) conduct an internal investigation. (6) If the Bank determines that an unauthorized disclosure of classified information has occurred but that it neither originated, handled nor disclosed the information, it shall report the disclosure to the likely originating agency(ies) or department(s). (7) In determining whether a disclosure is sufficiently serious to warrant reporting to the Department of Justice, the Bank, if it is the originating agency, shall ascertain the nature of the disclosed information, determine the extent to which it disseminated the information and evaluate the disclosure to determine whether it seriously damages its mission and responsibilities. In evaluating the damage caused by the disclosure, the Bank shall consider such matters as whether the disclosure jeopardizes an ongoing project, operation or source of information and to what extent the policy goals underlying the project or operation must be altered. (8) In any instance where the Bank is determined to be the source of an unauthorized disclosure and an evaluation by the Bank or the originating agency(ies) or department(s) determines the disclosure to be of a serious nature, an internal investigation will be initiated and an investigation report, containing such information as may be required by the Department of Justice, will be submitted to the Department of Justice within 15 days after notification from the originating agency or Department of Justice, but in any case no later than 30 days. If the investigation report is not completed within 15 days, the Bank shall submit as much of the required information as is available at that time and furnish [[Page 500]] additional information as it is developed. (9) Whenever the Bank determines during the course of an investigation that it is necessary to compel or induce the cooperation of an employee, the Bank shall first consult with the Department of Justice. The Department of Justice will coordinate with the Bank to determine the procedures the Bank may use to compel an employee's participation without foreclosing possible criminal proceedings. (10) The Bank shall maintain records of all disclosures that have been reported or investigated. (11) All employees shall cooperate fully with officials of the Bank or other agencies who are conducting investigations of unauthorized disclosures of classified information. (12) Employees determined by the Bank to have knowingly participated in an unauthorized disclosure of classified information or who have refused to cooperate with an investigation of such a disclosure shall be denied further access to classified information and shall be subject to other appropriate administrative sanctions. Prior to taking action against an employee in connection with the unauthorized disclosure or classified information, the Bank shall consult with the Department of Justice, Criminal Division.