[Federal Register Volume 82, Number 177 (Thursday, September 14, 2017)]
[Rules and Regulations]
[Pages 43174-43176]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-19483]
[[Page 43174]]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF JUSTICE
28 CFR Part 16
[CPCLO Order No. 008-2017]
Privacy Act of 1974; Implementation
AGENCY: United States Department of Justice.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The United States Department of Justice (DOJ or Department) is
issuing a final rule to amend its Privacy Act exemption regulations for
the system of records titled, ``DOJ Insider Threat Program Records,''
JUSTICE/DOJ-018. Specifically, DOJ is exempting the records maintained
in JUSTICE/DOJ-018 from one or more provisions of the Privacy Act. The
listed exemptions are necessary to avoid interference with efforts to
detect, deter, and/or mitigate insider threats. This document addresses
public comments on the proposed rule and codifies the claimed
exemptions.
DATES: This final rule is effective October 16, 2017.
FOR FURTHER INFORMATION CONTACT: Laurence Reed, DOJ Insider Threat
Program Manager, United States Department of Justice, Insider Threat
Prevention and Detection Program, 145 N Street NE., Washington, DC
20002, 202-357-0165, [email protected].
SUPPLEMENTARY INFORMATION:
Background
Executive Order 13587, Structural Reforms to Improve the Security
of Classified Networks and the Responsible Sharing and Safeguarding of
Classified Information (Oct. 7, 2011), requires the development of an
executive branch program for the deterrence, detection, and mitigation
of insider threats. The Presidential Memorandum, National Insider
Threat Policy and Minimum Standards for Executive Branch Insider Threat
Programs (Nov. 21, 2012), provides direction to executive branch
departments on how to develop insider threat programs. The Presidential
Memorandum states that an insider threat is the threat that any person
with authorized access to any United States Government resource
including personnel, facilities, information, equipment, networks or
systems, will use her/his authorized access, wittingly or unwittingly,
to do harm to the security of the United States. This threat can
include damage to the United States through espionage, terrorism,
unauthorized disclosure of national security information, or through
the loss or degradation of departmental resources or capabilities.
In accordance with the Privacy Act of 1974 (Privacy Act), on June
5, 2017, DOJ issued a System of Records Notice (SORN) in the Federal
Register at 82 FR 25812 (June 5, 2017), and a Notice of Proposed
Rulemaking (NPRM) at 82 FR 25751 (June 5, 2017), for the ``DOJ Insider
Threat Program Records,'' JUSTICE/DOJ-018. The system establishes
certain Department-wide capabilities to detect, deter, and mitigate
insider threats, and will be used to facilitate management of insider
threat inquiries and activities associated with inquiries and
referrals, identify potential threats to DOJ resources and information
assets, track referrals of potential insider threats to internal and
external partners, and provide statistical reports and meet other
insider threat reporting requirements. The system includes information
provided by individuals covered by this system and by DOJ. It may
include information lawfully obtained by the DOJ from any United States
Government entity, from other domestic or foreign government
organizations, or from private entities, which is necessary to
identify, analyze, or resolve insider threat matters. After
consideration of public comments, exemptions necessary to safeguard
this information and avoid interference with the responsibilities of
DOJ to detect, deter, and/or mitigate insider threats are codified in
this final rule.
Response to Public Comments
In its ``DOJ Insider Threat Program Records'' SORN and NPRM,
published on June 5, 2017, the Department invited public comment. The
period for public comment closed on July 5, 2017. The Department
received one comment, which addressed elements of both the SORN and the
NPRM. The Department has closely reviewed this comment and the
following discussion responds to the comment.
The comment primarily focused on the scope of information collected
by the system of records, the risk of compromise of such information,
and the disclosures described in the SORN's ``routine uses.'' As to the
information collected by the system, the Department has determined that
such information is necessary to create and maintain an effective
insider threat program that complies with presidential mandates and
federal law. The comment requests on page 7 that DOJ ``maintain only
records that are relevant and necessary to detecting and preventing
inside threats,'' yet correctly points out on page 3 that the
categories of records in the system include ``relevant''
counterintelligence and security databases and files, ``relevant
Unclassified and Classified network information,'' and ``relevant Human
Resources'' databases and files. DOJ is a law enforcement agency. While
it is not always possible to know in advance what information is
relevant and necessary for law enforcement and intelligence purposes,
as explained further below, DOJ requires its employees and agents to
take reasonable steps designed to ensure collection of relevant and
necessary information.
As to the risk of compromise, DOJ understands the increase in data
breaches across the public and private sectors. The Department has
established appropriate administrative, technical and physical
safeguards designed to ensure the security and confidentiality of
records and to protect against anticipated threats or hazards to their
security or integrity. The Department has implemented, and regularly
assesses and works to strengthen, privacy and security controls
required under federal law, regulations and policies, including the
Federal Information Security Modernization Act of 2014, standards
issued by the National Institute of Standards and Technology, and OMB
guidelines (e.g., Circular A-130, Managing Information as a Strategic
Resource). The Department's insider threat program is designed to
minimize the risks of unauthorized disclosures of information,
including a breach of personally identifiable information.
The Department has also determined that the disclosures described
in the SORN's routine uses are necessary to create and maintain an
effective insider threat program that complies with presidential
mandates and federal law. In sum, the Department has thoroughly
reviewed its program and determined that the SORN accurately describes
the existence and character of the system of records, in accordance
with the Privacy Act. For these reasons, no alterations will be made to
the SORN and the system of records will operate in compliance with the
representations made therein.
The comment also raised objections to some of the exemptions
proposed in the NPRM. While the comment noted a general objection to
claiming any of the exemptions allowed under 5 U.S.C. 552a(j) and (k),
specific objections were only raised for a few of the exemptions
claimed regarding 5 U.S.C. 552a(e), detailing agency requirements. The
Department addresses those objections in the following paragraphs.
[[Page 43175]]
5 U.S.C. 552a(e)(1), (d)(1)-(4), (e)(4)(G), (H), and (I), Relevant and
Necessary, Notification, Access Procedures, Record Source Categories
The comment asserted that the effect of claiming exemptions to 5
U.S.C. 552a(e)(1), (e)(4)(I), and (e)(4)(G) and (H) would be to
diminish DOJ's legal accountability, stating that ``DOJ claims the
authority to collect any information it wants without disclosing where
it came from or even acknowledging its existence.'' Contrary to the
comment, the Department follows the letter and spirit of the Privacy
Act in claiming these exemptions as a law enforcement and national
security-focused agency. The Department maintains a constant commitment
to protecting the privacy and civil liberties of all Americans.
Regarding 5 U.S.C. 552a(e)(1), the Department only collects
information it is legally authorized to collect. Moreover, as explained
below, it is not always possible to know in advance what information is
relevant and necessary for law enforcement and intelligence purposes.
The relevance and utility of certain information that may have a nexus
to insider threats may not always be fully evident until and unless it
is vetted and matched with other information lawfully maintained by the
DOJ. Nonetheless, DOJ requires its employees and agents to take
reasonable steps designed to ensure collection of relevant and
necessary information.
Regarding 5 U.S.C. 552a(e)(4)(I), the DOJ Insider Threat Program
Records system of records notice disclosed to the greatest extent
practicable the record source categories for the information in the
system. To the extent that Section 552a(e)(4)(I) is interpreted to
require more detail regarding the record sources in this system than
has already been published in the SORN, exemption from this provision
is necessary to protect the sources of law enforcement and intelligence
information and to protect the privacy and safety of witnesses and
informants and others who provide information to the Department.
The comment states that the Department is exempting itself from
providing individuals access to and amendment of records in the system,
which is under 5 U.S.C. 552a(d), and also implies the Department is
exempting itself from providing notice to individuals regarding the
procedures for access to and amendment of records, under 5 U.S.C.
552a(e)(4)(G) and (H). The Department proposed to exempt itself from
the access and amendment requirements of 5 U.S.C. 552a(d)(1), (2), (3),
and (4) because providing access and amendment rights to such records
could compromise or lead to the compromise of information classified to
protect national security; disclose information that would constitute
an unwarranted invasion of another's personal privacy; reveal a
sensitive investigative or intelligence technique; disclose or lead to
disclosure of information that would allow a subject to avoid detection
or apprehension; or constitute a potential danger to the health or
safety of law enforcement personnel, confidential sources, or
witnesses. Because the Department proposed to exempt itself from these
access and amendment requirements, it logically follows that the
Department also proposed to exempt itself from the requirement to
publish notice to individuals of how to avail themselves of these
access and amendment requirements under 5 U.S.C. 552a(e)(4)(G) and (H).
Nonetheless, in the SORN for the Insider Threat Program Records,
DOJ provided notice of procedures to request access and amendment
because, to the extent that an access or amendment request relates to
information outside the scope of permissible exemptions, DOJ will
comply with applicable requirements. Also, when DOJ compliance with an
access or amendment request would not appear to interfere with or
adversely affect the purpose of the system to detect, deter, and/or
mitigate insider threats, the DOJ may waive the applicable exemption in
its sole discretion and provide appropriate access or amendment.
5 U.S.C. 552a(e)(5), Accuracy, Relevance, Timeliness, and Completeness
The comment asserts that the Department claiming an exemption to 5
U.S.C. 552a(e)(5), i.e., maintaining records ``which are used by the
agency in making any determination about an individual with such
accuracy, relevance, timeliness, and completeness as reasonably
necessary to assure fairness to the individual in the determination,''
means the Department ``objects to guaranteeing `fairness' to
individuals in the `Insider Threat' Database.'' The Department does not
agree with this characterization. The collection of information for
authorized law enforcement and intelligence purposes, including efforts
to detect, deter, and/or mitigate insider threats, follows lawful,
vetted investigative practices and procedures. In the investigative
process, the DOJ at times collects information that may not be
immediately shown to be accurate, relevant, timely, and complete. Law
enforcement and intelligence investigators and analysts need to be able
to collect the information they believe is necessary in their sound
professional judgment to fully analyze a situation and move an
investigation forward or close an investigation as appropriate. It
could impede the investigative process if DOJ were required to assure
relevance, accuracy, timeliness and completeness of all information
obtained throughout the course and within the scope of an
investigation. Additionally, some of the records in this system may
come from other domestic or foreign government organizations, or
private entities, and it would not be administratively feasible for the
DOJ to vouch for the compliance of these agencies with this provision.
Understanding the inherent challenges in the investigative context that
underlie DOJ's need to exempt this system from Privacy Act Sec.
552a(e)(5), DOJ nonetheless requires and trains its personnel to take
reasonable steps designed to ensure that records used by DOJ in making
a determination about an individual are maintained with such accuracy,
relevance, timeliness, and completeness as reasonably necessary to
assure fairness to the individual in the determination.
The Department has concluded that, in light of the reasonable steps
DOJ investigators and analysts are required to take in collecting and
maintaining the information needed to support DOJ's mission and
investigations, and in light of the compelling need to facilitate
thorough and expeditious investigations and activities to deter,
detect, and mitigate insider threats, exemption from the requirement of
5 U.S.C. 552a(e)(5) is appropriate for the Insider Threat Program
Records System.
Conclusion
Because insiders have heightened access, and could potentially use
that access, either wittingly or unwittingly, to do harm to the
security of the United States, the Department must be particularly
vigilant in its detection and investigation of insider threats.
Nonetheless, the Department takes seriously its obligations to protect
the privacy of Americans. As to the claimed exemptions, where DOJ
determines that compliance with an exempted Privacy Act provision would
not appear to interfere with or adversely affect the purpose of this
system to detect, deter, and/or mitigate insider threat, the applicable
exemption may be waived by the Department in its sole discretion.
[[Page 43176]]
List of Subjects in 28 CFR Part 16
Administrative practices and procedures, Courts, Freedom of
Information, Privacy Act.
Pursuant to the authority vested in the Attorney General by 5
U.S.C. 552a and delegated to me by Attorney General Order 2940-2008, 28
CFR part 16 is amended as follows:
PART 16--PRODUCTION OR DISCLOSURE OF MATERIAL OR INFORMATION
0
1. The authority citation for part 16 continues to read as follows:
Authority: 5 U.S.C. 301, 552, 552a, 553; 28 U.S.C. 509, 510,
534; 31 U.S.C. 3717.
Subpart E--Exemption of Records Systems Under the Privacy Act
0
2. Add Sec. 16.137 to subpart E to read as follows:
Sec. 16.137 Exemption of the Department of Justice Insider Threat
Program Records--limited access.
(a) The Department of Justice Insider Threat Program Records
(JUSTICE/DOJ-018) system of records is exempted from subsections 5
U.S.C. 552a(c)(3) and (4); (d)(1), (2), (3) and (4); (e)(1), (2) and
(3); (e)(4)(G), (H) and (I); (e)(5) and (8); (f) and (g) of the Privacy
Act. These exemptions apply only to the extent that information in this
system is subject to exemption pursuant to 5 U.S.C. 552a(j) or (k).
Where DOJ determines compliance would not appear to interfere with or
adversely affect the purpose of this system to detect, deter, and/or
mitigate insider threats, the applicable exemption may be waived by the
DOJ in its sole discretion.
(b) Exemptions from the particular subsections are justified for
the following reasons:
(1) From subsection (c)(3), the requirement that an accounting be
made available to the named subject of a record, because this system is
exempt from the access provisions of subsection (d). Also, because
making available to a record subject the accounting of disclosures of
records concerning him/her would specifically reveal any insider
threat-related interest in the individual by the DOJ or agencies that
are recipients of the disclosures. Revealing this information could
compromise ongoing, authorized law enforcement and intelligence
efforts, particularly efforts to identify and/or mitigate insider
threats. Revealing this information could also permit the record
subject to obtain valuable insight concerning the information obtained
during any investigation and to take measures to impede the
investigation, e.g., destroy evidence or flee the area to avoid the
investigation.
(2) From subsection (c)(4) notification requirements because this
system is exempt from the access and amendment provisions of subsection
(d) as well as the accounting of disclosures provision of subsection
(c)(3). The DOJ takes seriously its obligation to maintain accurate
records despite its assertion of this exemption, and to the extent it,
in its sole discretion, agrees to permit amendment or correction of DOJ
records, it will share that information in appropriate cases.
(3) From subsection (d)(1), (2), (3) and (4), (e)(4)(G) and (H),
(e)(8), (f) and (g) because these provisions concern individual access
to and amendment of law enforcement, intelligence and
counterintelligence, and counterterrorism records, and compliance with
these provisions could alert the subject of an authorized law
enforcement or intelligence activity about that particular activity and
the interest of the DOJ and/or other law enforcement or intelligence
agencies. Providing access could compromise or lead to the compromise
of information classified to protect national security; disclose
information that would constitute an unwarranted invasion of another's
personal privacy; reveal a sensitive investigative or intelligence
technique; disclose or lead to disclosure of information that would
allow a subject to avoid detection or apprehension; or constitute a
potential danger to the health or safety of law enforcement personnel,
confidential sources, or witnesses.
(4) From subsection (e)(1) because it is not always possible to
know in advance what information is relevant and necessary for law
enforcement and intelligence purposes. The relevance and utility of
certain information that may have a nexus to insider threats may not
always be fully evident until and unless it is vetted and matched with
other information necessarily and lawfully maintained by the DOJ.
(5) From subsection (e)(2) and (3) because application of these
provisions could present a serious impediment to efforts to detect,
deter and/or mitigate insider threats. Application of these provisions
would put the subject of an investigation on notice of the
investigation and allow the subject an opportunity to engage in conduct
intended to impede the investigative activity or avoid apprehension.
(6) From subsection (e)(4)(I), to the extent that this subsection
is interpreted to require more detail regarding the record sources in
this system than has been published in the Federal Register. Should the
subsection be so interpreted, exemption from this provision is
necessary to protect the sources of law enforcement and intelligence
information and to protect the privacy and safety of witnesses and
informants and others who provide information to the DOJ. Further,
greater specificity of sources of properly classified records could
compromise national security.
(7) From subsection (e)(5) because in the collection of information
for authorized law enforcement and intelligence purposes, including
efforts to detect, deter, and/or mitigate insider threats, due to the
nature of investigations and intelligence collection, the DOJ often
collects information that may not be immediately shown to be accurate,
relevant, timely, and complete, although the DOJ takes reasonable steps
to collect only the information necessary to support its mission and
investigations. Additionally, the information may aid DOJ in
establishing patterns of activity and provide criminal or intelligence
leads. It could impede investigative progress if it were necessary to
assure relevance, accuracy, timeliness and completeness of all
information obtained throughout the course and within the scope of an
investigation. Further, some of the records in this system may come
from other domestic or foreign government entities, or private
entities, and it would not be administratively feasible for the DOJ to
vouch for the compliance of these agencies with this provision.
Dated: September 7, 2017.
Peter A. Winn,
Acting Chief Privacy and Civil Liberties Officer, United States
Department of Justice.
[FR Doc. 2017-19483 Filed 9-13-17; 8:45 am]
BILLING CODE 4410-NW-P