Posts Tagged ‘Chief Privacy Officer’

THE PRIVACY & CIVIL LIBERTIES ASSESSMENT REPORT: WHAT DOES IT REALLY TELL US? A CHIEF PRIVACY OFFICER’S PERSPECTIVE

The week of April 7, 2014, with little notice or fanfare, the Department of Homeland Security issued its first annual Executive Order 13636 Privacy and Civil Liberties Assessment Report 2014. The report addresses the privacy and civil liberties impacts of certain agencies’ undertakings with respect to critical infrastructure cybersecurity and resilience. It is revealing as much for what it says as for what it doesn’t say with regard to the protection of privacy and civil liberties in the Executive Branch. The report is a study of contrasting approaches to privacy and civil liberties among first-tier federal agencies.

On February 12, 2013, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive (PPD) 21, Critical Infrastructure Security and Resilience. Combined, the documents call for the federal government to work with the private sector to strengthen the security and resilience of the Nation’s infrastructure – the vast majority of which is privately owned – and do so in a way that protects the privacy and civil liberties of Americans.

As set forth in the EO 13636 Report, departments and agencies are required to do the following:

  • Develop a technology-neutral voluntary cybersecurity framework;
  • Promote and incentivize the adoption of cybersecurity practices;
  • Increase the volume, timeliness, and quality of cyber threat information sharing;
  • Explore the use of existing regulation to promote cybersecurity; and
  • Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure (CI).

Additionally, PPD-21 requires that departments and agencies:

  • Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time;
  • Understand the cascading consequences of infrastructure failures;
  • Evaluate and mature the public-private partnership;
  • Update the National Infrastructure Protection Plan to take into account cyber aspects of infrastructure; and
  • Develop a comprehensive research and development plan.

The Department of Homeland Security (DHS) is the lead agency under the EO and PPD. And, under Section 5 of the Executive Order, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS, in consultation with the Privacy and Civil Liberties Oversight Board and in coordination with the Office of Management and Budget, are responsible for issuing a privacy and civil liberties assessment, with contributions from the privacy and civil liberties officials of the other agencies covered under the Executive Order (the Departments of Commerce, Defense, Health and Human Services (HHS), Justice, Transportation, Treasury, and Energy; the Office of the Director of National Intelligence (ODNI); and the General Services Administration (GSA)).

“Protections” include the Fair Information Practice Principles and any other privacy or civil liberties policies, principles or frameworks. The Fair Information Practice Principles to be used are those found in Appendix A of the National Strategy for Trusted Identities in Cyberspace, which mirrors the DHS Fair Information Practices (FIPPs), set forth in DHS Privacy Policy Guidance Memorandum 2008-1, The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security.

At close to 50 pages, DHS’s section was the most comprehensive, robust assessment contained in the report. The two DHS offices addressed their authorities, frameworks, and involvement with the Administration’s critical infrastructure cybersecurity efforts, and then the four areas in which DHS was carrying out its responsibilities under EO 13636 and PPD 21: Cybersecurity Information Sharing–Sharelines; Expansion of the Enhanced Cybersecurity Services Program; the DHS Private Sector Clearance Program; and the DHS Loaned Executive Program. For each of the four areas, the DHS assessment provided a concise discussion of the agency’s actions, past and present, and the implications for privacy and civil liberties. Importantly, DHS addressed in very meaningful ways the circumstances under which it would use PII. After each area, the assessment listed recommendations to DHS, for a total of seven recommendations, many of which encourage increased transparency, oversight, and education.

The other departments’ and agencies’ assessments were far shorter, with far less detail. Significantly, many are sector-specific agencies in sectors with vast amounts of PII about American citizens. This month alone, the Government Accounting Office called out the SEC (GAO-14-419) to improve controls over financial systems and data, called out the IRS (GAO-14-405), and, most notably, called out the overall lax Federal agency response to data breaches involving PII (GAO-14-487T). This sector-specific PII might well be the target of future cyber incidents, and it certainly would be connected to any future incidents, yet most of the other agencies covered by the EO could only muster cursory assessments under 10 pages in length.

For example, Treasury, the sector-specific agency for banking and finance, lightly assessed its involvement in four pages covering three programs: the Critical Infrastructure Private Sector Clearance Program, the Voluntary Critical Infrastructure Cybersecurity Program, and Identification of Critical Infrastructure at Greatest Risk. Treasury provided no meaningful discussion of the FIPPs in its assessment, a requirement of the Executive Order.

Defense’s assessment addressed the Defense Industrial Base (DIB). Specific initiatives included the DIB Cyber Security/Information Assurance (CS/IA) Program and the DIB Enhanced Cyber Security Services (DECS). Importantly, Defense noted that a “specific cyber incident may include PII that is incidental to, or embedded in, the information the DIB company has shared with [Defense] for cyber security analysis.” In the absence of a list of affected DIB companies, and of the type and amount of PII that could be the subject of a cyber incident, the Defense assessment failed to provide a meaningful discussion of the privacy impacts associated with such sharing.

Justice’s assessment was surprisingly short, four pages, especially given that the Justice Privacy and Civil Liberties Officer is a senior position within the Department and an equal of DHS’s Chief Privacy Officer. The Justice assessment focused on iGuardian, “an unclassified web portal designed to accept cyber intrusion complaints from the private sector.” As the ACLU noted, Justice’s remark that only information that is “relevant” is maintained is dubious in a post-Snowden world, given that all information in the digital realm may be relevant to law enforcement and intelligence agencies.

Commerce’s very brief assessment focused on the National Institute of Standards and Technology’s (NIST) work on the Cybersecurity Framework in collaboration with industry. In fairness to Commerce, NIST has not yet issued its final version of the Framework, arguably limiting its ability to provide a thorough assessment of NIST’s efforts.

HHS – the sector-specific agency for health care – submitted an assessment that ever so briefly touched on the various aspects of EO 13636 and PPD 21 with which it was involved: Cybersecurity Information Sharing; Cybersecurity Framework; Voluntary Critical Infrastructure Cybersecurity Program; and Identification of Critical Infrastructure at Greatest Risk. Transportation was the same, lightly touching on: Cybersecurity Information Sharing; Development of Cybersecurity Framework; The Cybersecurity Framework; Voluntary Critical Infrastructure Cybersecurity Program; and Identification of Critical Infrastructure at Risk. Energy’s assessment focused on its PPD-21 responsibilities related to the energy sector. Surprisingly, Energy failed to discuss those responsibilities from a civil liberties perspective.

ODNI assessed the implications of its issuance of “instructions for the Intelligence Community (IC) to ensure the timely production of unclassified cyber products to the U.S. homeland that identify a specific targeted entity”, otherwise known as “tearlines.” The ODNI assessment provided a passable discussion on the FIPPs, but in transitioning to the agency’s Intelligence Community responsibilities, it appeared to be accepting as true that any already collected PII was properly corrected. In light of the Snowden revelations and the bulk collection of telecommunications and internet service provider data, this part of the assessment rings hollow.

Finally, GSA addressed its responsibilities under the EO to work with Defense to make recommendations “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” GSA came to the remarkable conclusion that its joint report with Defense on acquisition “does not directly impact privacy and civil liberties as personally identifiable information (PII) is not collected, used, or disseminated.”

Taken as a whole, it is clear that privacy is not protected in an equal fashion across the Executive Branch. Many agencies do not grasp the policy implications of the FIPPs. Some did not even bother to address them. Lastly, there was an overall lack of transparency in the agencies’ critical infrastructure cybersecurity efforts. And that may be the most important aspect of this report: it shows how far tier one agencies have to go to get privacy right.

Contributing Author:  Hugo Teufel

Hugo Teufel is the former Chief Privacy Officer of the U.S. Department of Homeland Security. An attorney, he assists public and private sector clients in a wide range of areas including privacy and security; investigations, compliance, and corporate governance; defense and homeland and national security; government contracts formation, administration and litigation.

DHS Releases Privacy Office’s Annual Report to Congress: Any Progress?

In November, the Department of Homeland Security’s Privacy Office issued its annual report to Congress.  The report, which covers the period from July 2012 through June 2013, was a few months late.  The incoming Chief Privacy Officer (CPO), Karen Neuman, announced the release of the report.

Neuman came to the Department from a boutique privacy law firm, having replaced Mary Ellen Callahan, who left DHS to return to private practice in August 2012. In the interim, the Deputy Chief Privacy Officer for DHS, Jonathan Cantor, served as acting CPO. The 2013 Annual Report is 89 pages long and covers the Privacy Office’s efforts in five key areas, or goals. From the report, they are:

  • Goal 1 (Privacy and Disclosure Policy): Foster a culture of privacy and transparency, and demonstrate leadership through policy and partnerships;
  • Goal 2 (Advocacy): Provide outreach, education, training, and reports in order to promote privacy and openness in homeland security;
  • Goal 3 (Compliance): Ensure that DHS complies with federal privacy and disclosure laws and policies and adheres to the DHS FIPPs;
  • Goal 4 (Oversight): Conduct robust oversight on embedded privacy protections and disclosures in all DHS activities; and
  • Goal 5 (Workforce Excellence): Develop and maintain the best privacy and disclosure professionals in the Federal Government.

These goals align, mostly, with the six key functions of a public sector privacy office: policy; compliance; oversight; incidents and breaches; education and training; and engagement and outreach. Workforce excellence, while important at any organization, seems to be a curious goal for the Privacy Office, with barely a page of discussion on the goal in the main body of the report.

Importantly, the annual report makes clear that privacy at DHS is much broader than what is found in Privacy Act offices at most other Federal agencies. The DHS Privacy Office has been at the forefront on privacy and privacy policy within the Federal Government, often out in front of the Office of Management and Budget, the entity charged with responsibility for the Privacy Act of 1974, the main privacy law applicable to the Federal government.

During the period of the 2013 annual report, the Privacy Office worked on and issued Department-wide policy in a number of areas, including: information sharing with the Intelligence Community; research projects at the Department; and the conduct of Privacy Office investigations under expanded authority from the 9/11 Commission Act. Under “advocacy” – encompassing the key functions of “education and training” and “engagement and outreach” – the Privacy Office set up a working group to consider unmanned aircraft systems (UAS) and worked together with the Civil Rights and Civil Liberties Office to inform civil society of the Department’s efforts with respect to Presidential directives on critical infrastructure. The office also had substantial contact with data protection authorities, members of parliament, and officials from justice and interior ministries from around the globe.

Compliance, the heart of any agency privacy program, showed significant improvements. During the reporting period, the Privacy Office approved 87 Privacy Impact Assessments (PIAs), under Section 208 of the E-Government Act of 2002, and 24 System of Records Notices (SORNs), under the Privacy Act of 1974. Among the PIAs was the first ever for a Federal agency on the use of UAS. The Office also reviewed over 200 intelligence products and over 500 intelligence information reports, to assure that the minimum necessary amount of PII is disseminated in these intelligence documents.

On oversight, the Privacy Office conducted a comprehensive review of the Department’s compliance with the Automated Targeting System (ATS) PIA and SORN, and with the joint US/EU Passenger Name Record Agreement prior to the European Commission’s 2013 Joint Review of PNR. The Office also completed several Privacy Compliance Review reports on various Departmental programs, including the use of social media for situational awareness, the E-Verify Self Check Program’s use of a third-party identity proofing service, and information sharing.

It is worth noting that the DHS Privacy Office Annual Report, a statutory requirement under the Homeland Security Act, is critical to the office’s oversight responsibilities. The report also has been the source of friction between Congress and the Executive Branch in the ten years of the Department’s existence. In the first few years, the Privacy Office had difficulty in getting out the annual report in a timely manner, with the second report covering a two-year period. Congress, viewing the annual report as an independent means of receiving objective information from the Privacy Office on Departmental matters affecting the personal privacy of Americans, was concerned with delays in issuance of the annual report and, accordingly, mandated in annual appropriations bills that no appropriated funds be used by anyone outside of the Privacy Office to alter, direct that changes be made to, delay, or prohibit the annual report’s transmission to Congress.

Congress followed up on the appropriations language with an even clearer and stricter limitation on perceived interference with the annual report in the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act). Section 802(e)(1) of the Act states that the CPO shall “submit reports directly to the Congress regarding performance of the responsibilities of the senior official under this section [the Chief Privacy Officer], without any prior comment or amendment by the Secretary, Deputy Secretary, or any other officer or employee of the Department or the Office of Management and Budget. . . . ” The 9/11 Commission Act also gave the Privacy Officer greater independence, akin to an agency inspector general, stating that the Privacy Officer reports to, and is under the “general supervision of,” the DHS Secretary.

The 2007 annual report’s issuance was stayed pending an opinion from DOJ’s Office of Legal Counsel on the language of section 802(e)(1). The Office of Legal Counsel eventually published an opinion stating that section 802 would not preclude DHS or OMB review of the report prior to its release. Since 2007, there have been no further disputes between Congress and the Executive Branch over the CPO’s independence, and the annual report has been released to Congress and the public in September of each year.

Contributing Author:  Hugo Teufel
