Press Releases

WASHINGTON, DC – Today, Congresswoman Lori Trahan (MA-03), who previously announced an effort to update the Privacy Act of 1974 to better protect Americans’ sensitive data, and House Oversight and Government Reform Ranking Member Gerald E. Connolly (VA-11) demanded information from the National Labor Relations Board regarding potential violations of federal privacy laws by Elon Musk’s Department of Government Efficiency (DOGE) staffers at the National Labor Relations Board (NLRB).

“We write with an urgent request for information related to the disclosure by a National Labor Relations Board whistleblower that agency officials possibly affiliated with the Department of Government Efficiency may have illegally exfiltrated multiple gigabytes of sensitive data, including the personal information of Americans who reported unfair labor practices,” the lawmakers wrote. “We are deeply concerned that these actions may constitute violations of the Privacy Act of 1974, which can carry criminal penalties, and the Federal Information Security Modernization Act, which requires agency heads to notify Congress of major data breaches.”

The request follows a whistleblower at NLRB sounding the alarm about DOGE representatives removing approximately ten gigabytes of sensitive data, including the personal information of Americans who have previously reported unfair labor practices, and then attempting to cover up their actions. The data removed from the agency could also include companies’ proprietary information.

In addition to concerns about Musk’s conflicts of interest with his company SpaceX currently fighting NLRB complaints, the unverified and unreported exfiltration of Americans’ personal data could constitute violations of both the Privacy Act of 1974, which regulates how the federal government stores and uses Americans’ sensitive data, and the Federal Information Security Modernization Act (FISMA), which requires that federal agencies notify Congress when Americans’ data is breached.

“Based on our understanding of the whistleblowers’ disclosure, we are concerned that NLRB officials, especially those affiliated with DOGE, may have violated both the Privacy Act and FISMA. With respect to the Privacy Act, it is overwhelmingly likely that one or more NLRB employees–and not foreign actors or criminals–perpetrated the massive data exfiltration on March 4th, violating the Act’s disclosure requirements. Moreover, it appears that these officials did so without obtaining written consent nor receiving agency approval for an ‘exception’ to the consent requirement, meaning they could be subject to criminal penalties,” the lawmakers concluded. “And with respect to FISMA, it appears that the whistleblower discovered a ‘major incident’ under any definition of the term proposed by OMB. NLRB subsequently failed to notify Congress, in apparent violation of its statutory requirements: as of writing, neither the House Oversight and Government Reform Committee nor House Education & the Workforce Committee have received notification with the required information about the incident.”

The lawmakers are requesting answers to the following questions by May 16, 2025:

1. All reports, communications, and written documentation produced during NLRB’s investigation into Mr. Berulis’s concerns that Tim Bearese, the NLRB’s acting press secretary, confirmed took place in a statement to National Public Radio (NPR).
2. A signed attestation that NLRB determined the events which Mr. Berulis discovered qualify as a “major incident” under the definitions proposed by OMB or, alternatively, an explanation of why the NLRB did not make such a determination.
3. Why has the NLRB failed to notify relevant Congressional committees as required by FISMA, including the House Oversight and Government Reform and House Education & the Workforce Committees?
4. For each official who holds, or has previously held since January 20th, 2025, access to NLRB information technology systems:

a.    What is the nature of that employee’s relationship with NLRB?

                                      i.        If the employee is full-time, to what other agencies are they detailed?

                                     ii.        If the employee is detailed to NLRB, from what agency are they detailed?

                                    iii.        If the employee is a contractor, what firm do they work for?

b.    For each NLRB system that the employee previously had access to, currently has access to, or will have access to:

                                      i.        What level of access to the system does the employee currently possess?

                                     ii.        Who provided such access to the system?

                                    iii.        What was the justification for providing such access to the system, especially if no other agency official had previously been granted the same level of access?

                                   iv.        When was access to the system provided?

                                     v.        What training, including security and privacy, were provided to the employee regarding their access to the system? Did this training take place before or after access was provided?

                                   vi.        To the extent that access to the system was provided under a Privacy Act exception, what exception was invoked?

                                  vii.        What security controls were implemented, if any, as a result of your granting the employee their access to the system?

                                 viii.        Did the NLRB official who granted access to the system consider the cyber, operational, or privacy risks before doing so?

                                   ix.        Has the employee modified, copied, shared, or removed any records from the system?

                                     x.        Has the employee modified the system in any way?

                                   xi.        Has the employee granted, revoked, or otherwise modified access to the system for any other users?

c.     Can you commit to preserving all system logs related to access, development, exfiltration consistent with the Federal Records Act?

d.    Can you commit to otherwise documenting all critical decisions related to information technology systems at NLRB?

A copy of the letter sent today can be accessed HERE.

This request for information follows an effort Trahan led last month requesting an independent investigation into DOGE’s alleged mishandling of Americans’ sensitive data housed in the Treasury Department’s payment system. In March, Trahan announced that she will be introducing legislation to rewrite the Privacy Act for the first time since its passage in 1974.

###