The document had been subjected to other review processes earlier this year.
In other words, the draft almost undoubtedly had been forwarded, replied to, distributed.
Just the sort of procedures and reviews that many of us go through with work-related materials (although most of us aren't dealing with nuclear infrastructure information).
The point -- and it's one that can't be made too often -- is that every employee and recipient of confidential or proprietary information has to think hard, and think hard more than once before forwarding, replying or otherwise acting on that information.
That advice -- policy! -- needs to be reinforced constantly; particularly as e-mail volumes rise and it grows ever easier to mistakenly hit "reply all" and share private (and perhaps confidential) thoughts with an entire distribution list.
"There's many a slip 'twixt the cup and the lip" the old chestnut goes, but there's many a slip 'twixt the mouse and the click, too.
How long since you've spelled out the e-mail policy and practices you expected from your employees?
Good time to do so again -- just make sure your distribution list includes only those recipients who should be on it.