July 10, 2008
Chairman Leahy, Senator Specter, and members of the Committee, thank you for inviting me to testify on protecting the privacy of passport files maintained by the U.S. Department of State. It is an honor to appear before you.
I am testifying today in a personal capacity based on my interest and background in privacy, information security and administrative law. I am currently engaged in private law practice in Washington, D.C., where I focus on privacy, data security and Internet law, as well as on government regulation and enforcement. Until recently, I also served in a part-time capacity as Vice Chairman of the White House Privacy and Civil Liberties Oversight Board. I am author of the book, "Privacy and the Digital State: Balancing Public Information and Personal Privacy" (Kluwer Academic Publishers, 2002), which discusses data protection for public records held by government agencies. I have also previously served as General Counsel of the U.S. Department of Agriculture, General Counsel of the Office of Management and Budget, and Associate Counsel to the President.
While the investigation apparently continues, if the facts turn out to be as they now appear, there is no question that the standards of the Privacy Act of 1974 were not satisfied. The Privacy Act states that: "No agency shall disclose any record . . . except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be . . . to those officers and employees . . . who have a need for the record in the performance of their duties." To the extent agency employees and contractors accessed passport files with no official need to do so, they disrespected the privacy of affected passport holders and applicants, and brought substantial disrepute upon their agency.
Moreover, each of these Acts authorizes the Director of the Office of Management and Budget to assist, guide and oversee federal efforts in the realm of privacy and information security. OMB's coordination of information privacy is reflected in its FY 2005 report to Congress under the e-Government Act. See http://www.whitehouse.gov/omb/egov/documents/Promoting_Information_Privacy_Sec208.pdf. Congress and the White House should continue to support and encourage OMB's leading role in the field of privacy and information security.
With regard to the specific incident at hand, it is not clear at this point whether any of the individuals whose files were accessed experienced any pecuniary losses or other actual damages to support claims of civil liability under the Supreme Court's Doe v. Chao decision in 2004. However, if any agency employee or contractor "willfully disclose[d] the material in any manner to any person or agency not entitled to receive it," or "knowingly and willfully request[ed] or obtain[ed] any record concerning an individual from an agency under false pretenses," they could be guilty of a criminal misdemeanor and fined up to $5,000.
Plainly, the State Department must redouble its efforts to conduct privacy impact and risk assessments, communicate binding privacy policies to all parties handling personal information, provide its employees and contractors with meaningful privacy and data security training, ensure effective audit trails for accessing personal information, and establish clear guidelines for disciplining and terminating employees and contractors who transgress. The State Department should also revisit its administrative, technical and physical safeguards to prevent future abuse of passport files and other personal records.
At the same time, care must be taken to avoid unduly restricting access to information that is essential for national security purposes. As the 9/11 Commission recommended, and Congress enacted, the country has a critical need to promote an "information sharing environment" that transcends traditional governmental boundaries in order to help prevent future terrorist attacks. But the relevant government agencies, including the State Department, must effectively integrate protections for privacy and other civil liberties into this new information sharing environment.