07.10.08

Senate Judiciary Panel Examines Passport Breaches At State Department

The Senate Judiciary Committee today held a hearing to examine a report released late last week by the State Department Acting Inspector General about unauthorized access to the passport files of high-profile Americans by contractors and State Department workers.  Committee Chairman Patrick Leahy (D-Vt.) noticed the hearing Monday following the release of the report.

The Inspector General report stated that 85 percent of the passport records included in a sample of high-profile Americans had been searched at least once during a five and a half year period.  The report also found alarming security gaps in the State Department’s system, and revealed that the records of millions of ordinary Americans are in danger of being breached.  Acting Inspector General Ambassador Harold W. Geisel and Assistant Inspector General for Audits Mark W. Duda testified at Thursday’s hearing.  They were joined by a panel of privacy experts, including Marc Rotenberg of the Electronic Privacy Information Center, Ari Schwartz of the Center for Democracy and Technology, and Alan Charles Raul of Sidley Austin LLP.

“Millions of Americans entrust their personal information to the State Department in order to obtain passports and other services, and our government has a duty to protect the private information of its citizens,” said Leahy.  “The Inspector General’s findings raise serious concerns about possible violations of the Privacy Act and other federal laws meant to protect Americans’ privacy.”

Following press reports in March that the passport files of presidential candidates Sens. Barack Obama, Hillary Clinton, and John McCain had been inappropriately accessed, Leahy, joined by Sen. Arlen Specter (R-Pa.), sent a letter to Attorney General Michael Mukasey asking that the Department of Justice open a criminal investigation into the unauthorized conduct.  The Attorney General stated that the Justice Department would wait for the results of the State Department Inspector General’s report before taking action. 

“We both strongly believe that our government has a duty to protect the private information of its citizens,” Leahy and Specter wrote in March.  “The Justice Department should not wait to be handed ‘a box full of evidence,’ as you said at your recent briefing, before determining whether Federal laws were broken.”

At an oversight hearing before the Senate Judiciary Committee Wednesday, Mukasey testified that the Inspector General’s office had referred the matter to the Justice Department, and that the criminal division was investigating the matter.

Leahy has been a longtime leader in privacy issues.  Last year, Leahy and Specter introduced the Personal Data Privacy and Security Act, which was passed by the Judiciary Committee in May 2007.  Leahy has since urged the Senate to take up the legislation.  Following the passport file breaches in March, Leahy and Specter sent a letter to the Majority and Minority Leaders urging the Senate to consider the legislation.

# # # # #

 

Statement Of Sen. Patrick Leahy (D-Vt.),

Chairman, Senate Judiciary Committee,

Hearing On “Passport Files: Privacy Protection Needed For All Americans”

July 10, 2008

Today, the Committee holds an important hearing on the unauthorized access of Americans’ passport files.  Millions of Americans entrust their personal information to the State Department in order to obtain passports and other services, and our government has a duty to protect the private information of its citizens.  But, sadly, the State Department has failed to honor this duty, leaving millions of ordinary Americans vulnerable to privacy violations, identity theft and other crimes.

Last week -- while Americans were celebrating Independence Day – the State Department’s Acting Inspector General issued a report finding that State Department workers and contractors repeatedly accessed the passport files of entertainers, athletes and other high-profile Americans without proper authorization.  This disturbing revelation of passport snooping comes after press reports in March that the passport files of three presidential candidates – Senators Obama, Clinton and McCain -- were improperly accessed by State Department contractors. 

The Inspector General’s findings raise serious concerns about possible violations of the Privacy Act and other Federal laws meant to protect Americans’ privacy.  According to the report, 85 percent of the passport records included in a sample of high-profile Americans had been searched at least once -- and many files were searched multiple times -- during a five and a half year period.  In fact, one individual’s passport records were searched 356 different times by 77 different users, according to the report. 

More significantly, the Inspector General’s report reveals that the records of millions of ordinary Americans are also vulnerable to privacy breaches.  There are no checks in the system to even determine if the passport files of ordinary Americans are accessed.  Although these passport files contain sensitive personal information, including name, date and place of birth, and Social Security numbers, the Inspector General’s report found widespread control weaknesses at the State Department -- including a general lack of policies, procedures, guidance and training -- to prevent and detect the unauthorized access of Americans’ passport files. According to the report, the Department’s Passport Information Electronic Records System (PIERS) contains the passport records for approximately 127 million passport holders.  As more Americans need a passport just to travel to visit family and friends in our neighboring countries, like Canada, due to the Western Hemisphere Travel Initiative, the number of passport files to protect grows. 

The State Department could not readily identify the universe of government workers and contractors who have access to this information.  The Inspector General estimates that this figure exceeds 20,000 government employees from various agencies and outside contractors.  The tip of the iceberg in this report is the fact that passport information is shared with other agencies and we have no idea what procedures are followed to protect information once it leaves the State Department.  The State Department Inspector General has referred this serious matter to the Justice Department, and I hope the Department’s Criminal Division will investigate this thoroughly.

The lax data security at the State Department is not unique.  A week does not go by without reports of personal data privacy breaches at government agencies and private businesses.  Just recently, front page headlines have delivered news about the theft of sensitive medical information from the National Institutes of Health, and earlier reports of data breaches have involved virtually every department of our Federal Government.  The Inspector General’s report is just the latest example of why swift action is needed on the Leahy-Specter Personal Data Privacy and Security Act – a comprehensive privacy bill that would help to prevent data security breaches and provide further protections in the handling of Americans’ private data by Federal agencies and government contractors.  I hope that the Senate will promptly consider and pass this bill, so that we can help make a difference for all Americans.

Data privacy and security at our federal agencies is a serious and growing problem that Congress must address.  To do so, we must not only understand what went wrong at the State Department, but also look forward to how best to prevent these kinds of privacy violations in the future.  I am pleased that the Department’s Acting Inspector General and Assistant Inspector General for Audits are here to share their findings.  We also have a distinguished panel of privacy experts to address this issue.  I thank all of our witnesses for coming and I look forward to a productive discussion.

# # # # #

For Background

 

Summary of the Leahy–Specter Personal Data Privacy and Security Act of 2007

 

  • Provides new measures to protect the privacy and security of personal data.  Provides Americans with notice when they have been harmed, and also addresses the underlying problem of lax security and lack of accountability in dealing with personal data.
  • Addresses the government’s use of personal data by: (1) requiring the General Services Administration to evaluate the privacy and security practices of potential government contractors handling personal data and to include penalties in government contracts for failure to protect data privacy and security; (2) requiring Federal departments and agencies to audit the information security practices of commercial data brokers hired for projects involving personal data and to include protections and penalties in contracts with data brokers to protect data privacy and security; and (3) requiring Federal departments and agencies to conduct privacy impact assessments on their use of commercial databases to access personal data on U.S. persons, and to adopt regulations to ensure the security and privacy of data obtained through commercial data brokers.
  • Adds unauthorized access to sensitive personally identifiable information to the criminal prohibition against computer fraud under 18 U.S.C. § 1030(a)(2).
  • Requires data brokers to let individuals know what information they have about them, and where appropriate, allow individuals to correct demonstrated inaccuracies.  There are exemptions for products and services already subject to access and correction rules under the Fair Credit Reporting Act, as well as companies subject to Gramm-Leach-Bliley and the Health Information Portability and Accountability Act.  In addition, there are also exemptions for proprietary, fraud prevention tools and marketing data.
  • Requires companies that have databases with personal information on more than 10,000 Americans to establish and implement data privacy and security programs, and vet third-party contractors hired to process data.  There are exemptions for companies already subject to data security requirements under Gramm-Leach-Bliley and the Health Information Portability and Accountability Act.
  • Requires notice to law enforcement, consumers and credit reporting agencies when digitized sensitive personal information has been compromised.  The trigger for notice is tied to significant risk of harm with appropriate checks-and-balances to prevent over-notification as well as underreporting.  There are exemptions for national security and law enforcement needs, credit card companies using fraud-prevention techniques or where a breach does not result in a significant risk of harm.
  • Provides tough monetary penalties for failing to provide privacy and security protections and notices of security breaches.  Imposes a criminal penalty in cases where there is intentional and willful concealment of a security breach known to require notice.

 

# # # # #

Press Contact

David Carle: 202-224-3693