IG: State Department passport system wide open

The State Department has failed to provide adequate controls to prevent unauthorized access to individuals' passport files, according to an inspector general's report released on Thursday.

The department has not established the proper policies, procedures and disciplinary actions to prevent employees and contractors, as well as those in other agencies, from accessing files in the computer system that the Bureau of Consular Affairs uses to process passports, according to a heavily redacted report. The system, called the Passport Information Electronic Records System, compromises citizens' privacy and leaves their personal information vulnerable to theft.

The system has a vast collection of data on Americans and contains records for about 127 million passport holders. Information such as the name, date of birth, Social Security number and citizenship status for applicants and family members is stored in the network. Agencies are required to secure such records under the 1974 Privacy Act, and the records should be walled off from unauthorized access, the report said.

The security of passport information first attracted attention in March, when it was reported that contractors processing passports for State had inappropriately accessed the files of the three leading presidential candidates, Sens. Barack Obama, D-Ill.; John McCain, R-Ariz.; and Hillary Clinton, D-N.Y. The department announced at the time that the contractors had fired two employees and disciplined a third for accessing the candidates' files, and called for an investigation by the department's IG.

State detected the breaches because the files of high-profile individuals are flagged so that system administrators are alerted whenever anyone opens them; the first access occurred on Jan. 9. Senior State officials, however, were not informed of the breaches until March 20 because the contractors' immediate supervisors disciplined them and did not inform their own managers. The IG is conducting a separate investigation into the specific conduct of the contractors who accessed the files.

The IG made 22 recommendations, most of which were redacted because the vulnerabilities in the system have yet to be fixed, according to Tom Burgess, director of congressional and public affairs for State's Office of the Inspector General. Releasing the redacted details "would provide a roadmap" to the system's weaknesses, he said.

The IG found that Consular Affairs had not developed proper policies and procedures for handling unauthorized access to files, nor had it trained employees on what constitutes unauthorized access or what the penalties are for doing so. In addition, the IG found that disciplinary actions were left to the discretion of the employee's supervisor, which meant penalties were applied inconsistently. Consular Affairs said it was unaware of actions taken against employees in other agencies who access files without permission.

The IG recommended that the bureau implement specific guidelines for handling violations, including reprimand, suspension, dismissal and prosecution. Consular Affairs disagreed with the recommendation, saying any policy developed would not be applicable to outside departments or contractors because they are not within the agency's jurisdiction.

State officials attributed some of the department's inability to develop security controls and to assess the system's vulnerability to a shortage of resources.

The department launched the passport system in April 1999 to speed up the processing time for passports and to make it easier to research applicants' records. About 20,500 individuals have an active account to use the system, according to Consular Affairs officials, and 12,200 of those were employees or contractors at State.

Other agencies such as the Homeland Security Department and the FBI use the system to investigate crimes, analyze security threats and notify the families of U.S. citizens who are injured or die abroad, among other purposes.

The report recommended that Consular Affairs implement security controls similar to those used by the Internal Revenue Service and the Treasury Inspector General for Tax Administration, which trigger alerts when an unauthorized person accesses a file. Consular Affairs agreed with the recommendation and is developing initiatives for monitoring, auditing and reporting such incidents.
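As an added illustration of the flagged-file alerting described above and the reporting gap it exposed (this is not the department's or the IRS's code): a monitor that runs over a constructed audit trail, raises an alert for any access to a flagged record or any lookup with no documented case behind it, and checks whether each alert reached senior officials within an assumed reporting window. The log format, user ids, record ids, case numbers and the seven-day window are all assumptions.

```python
"""Access monitoring for a records system: alert on flagged records and on
lookups without a documented need to know, then check whether each alert was
escalated in time.  Illustrative code; log format and policy are assumptions."""
from datetime import datetime, timedelta

# Constructed audit trail: timestamp, user, agency, record opened, case cited.
AUDIT_LOG = """\
2008-01-09T10:14:00 user=ctr_a1 agency=contractor record=R-000001 case=
2008-01-09T10:15:30 user=ctr_a1 agency=contractor record=R-004512 case=C-2007-33
2008-01-15T09:02:11 user=dhs_b7 agency=DHS record=R-000001 case=C-2008-07
2008-02-02T16:40:05 user=ctr_c3 agency=contractor record=R-000002 case=
2008-03-20T11:00:00 user=dos_d9 agency=State record=R-000003 case=
"""
# Records flagged as high-profile: every access is alerted on, authorized or not.
FLAGGED = {"R-000001", "R-000002", "R-000003"}
# Alerts that actually reached senior officials: record -> date reported (constructed).
REPORTED = {"R-000001": datetime(2008, 3, 20)}
REPORT_WINDOW = timedelta(days=7)  # assumed policy: escalate within one week

def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def evaluate(log=AUDIT_LOG, flagged=FLAGGED, reported=REPORTED, window=REPORT_WINDOW):
    """Return one alert dict per access that needs a second look."""
    alerts = []
    for line in log.splitlines():
        e = parse_line(line)
        reasons = []
        if e["record"] in flagged:
            reasons.append("flagged record")
        if not e["case"]:
            reasons.append("no case number (no documented need to know)")
        if not reasons:
            continue  # routine lookup with a case behind it: log only, no alert
        reported_at = reported.get(e["record"])
        if reported_at is None:
            status = "NOT REPORTED"
        elif (reported_at.date() - e["ts"].date()) > window:
            status = f"reported late ({(reported_at.date() - e['ts'].date()).days} days)"
        else:
            status = "reported on time"
        alerts.append({"date": e["ts"].date().isoformat(), "user": e["user"],
                       "agency": e["agency"], "record": e["record"],
                       "reasons": reasons, "status": status})
    return alerts

if __name__ == "__main__":
    for alert in evaluate():
        print(alert)
```

The second log line produces no alert: the record is not flagged and the lookup cites a case, which is the behaviour the recommended controls are meant to distinguish from the other four accesses.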

COMMENTS

  • As I read this story, the contractors were not fired by the government; they were fired by their employer for their infraction. Therefore this punitive action was likely because they violated the terms of their employment agreement with their employer. Such was likely not the terms of employment for government employees. However, it is reasonable to conclude that government employees received appropriate punishment for their error beyond a slap on the hand or no punishment as was suggested. Government employees have been fired and sent to prison for bad decisions... recently and in past history. The penalties for unauthorized disclosure of personal information as listed in the Privacy Act apply to all who commit such an infraction, and no one is shielded by employment status. In that light, there should be a common set of rules which apply to this information because of the sensitivity associated with it, and the rules should apply across the board. This is my opinion.
  • Large data systems in both government and business environments are most often built with functionality, speed, and accessibility as the main requirements. Security, especially the many _policy_ issues that arise, gets little regard, especially for an internal system like the one in question here. Had the "owners" of the data been asked the right questions AND been willing to work on meaningful answers, AND had the money been found to build in security, monitoring, and notification, there would be no story here. Well, at least not until the complaints about runaway federal IT spending got more press ;-)
  • Not surprisingly, we have two standards of discipline: contractors were terminated, as they should be, and our beloved CS were subject to more training. Gosh, don't you love zero accountability.