The study ‘found many control weaknesses…relating to the prevention and detection of unauthorized access to passport information.’

Passport Files Not Properly Protected, Says Gov’t Study

By Cliff Montgomery – July 22nd, 2008

This month, the inspector general for the U.S. State Department and the Broadcasting Board of Governors released a damning audit of America’s passport record controls.

The study “found many control weaknesses–including a general lack of policies, procedures, guidance, and training–relating to the prevention and detection of unauthorized access to passport and applicant information.”

This matter is terribly important, as passport records contain such “personally identifiable information…as the applicant’s name, gender, social security number, date and place of birth, and passport number.” There currently are about 127 million individuals holding U.S. passports, according to the study.

The weaknesses in passport data protection surfaced in March of this year, when three individuals were caught snooping into the passport files of senators and presidential candidates Barack Obama (D-IL), Hillary Clinton (D-NY) and John McCain (R-AZ). ran an interesting March story on that matter.

But that spying led to this eye-opening audit, which discovered essential weaknesses in the U.S. passport program. We quote some of the most pertinent sections of that report below:

“In March 2008, media reports surfaced that the passport files maintained by the Department of State (Department) of three U.S. Senators, who were also presidential candidates, had been improperly accessed by Department employees and contract staff.”

“On March 21, 2008, following the first reported breach and at the direction of the Acting Inspector General, the Office of Inspector General (OIG), Office of Audits, initiated this limited review of Bureau of Consular Affairs (CA) controls over access to passport records in the Department’s Passport Information Electronic Records System (PIERS).”

“Specifically, this review focused on determining whether the Department (1) adequately protects passport records and data contained in PIERS from unauthorized access and (2) responds effectively when incidents of unauthorized access occur.”

“As of April 2008, PIERS contained records on about 192 million passports for about 127 million passport holders. These records include personally identifiable information (PII), such as the applicant’s name, gender, social security number, date and place of birth, and passport number.”

“PIERS offers users the ability to query information pertaining to passports and vital records, as well as to request original copies of the associated documents. As a result, PIERS records are protected from release by the Privacy Act of 1974. Unauthorized access to PIERS records may also constitute a violation of the Computer Fraud and Abuse Act.”

“With certain exceptions, the Privacy Act prohibits an agency’s release of information in an individual’s records that includes, but is not limited to, information on an individual’s education; financial transactions; medical, criminal, or employment history; and name or identifying number (i.e., Social Security number).”

“Under these provisions, PIERS records should be protected against any unauthorized access that could result in harm, embarrassment, or unfairness to any individual on whom information is maintained.”

“According to CA officials, there were about 20,500 users with active PIERS accounts as of May 2008, and about 12,200 of these users were employees or contractors of the Department. PIERS is also accessed by users at other federal agencies to assist in conducting investigations, security assessments, and analyses.”

“These other federal entities are located across the United States and include the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Office of Personnel Management (OPM).”

“OIG found many control weaknesses–including a general lack of policies, procedures, guidance, and training–relating to the prevention and detection of unauthorized access to passport and applicant information and the subsequent response and disciplinary processes when a potential unauthorized access is substantiated.”

“In some cases, Department officials stated that the lack of resources contributed to the lack of controls and to the Department’s ability to assess vulnerabilities and risk. OIG has made 22 recommendations to address the control weaknesses found.”

“Of the 22 recommendations made by OIG, the Department generally agreed with 19, partially agreed with 1, and did not concur with 2. Based on the responses, OIG considers 19 recommendations resolved and three recommendations unresolved.”

“To ensure that adequate and timely progress is achieved, OIG will conduct a follow-up compliance review of the Department’s implementation of the recommendations in this report, as well as CA’s process for reviewing possible unauthorized accesses by users as identified in OIG’s study.”
