Friday, March 21, 2008

Does the State Department Need A Deferred Prosecution Agreement?

With political candidates Obama, Clinton, and now McCain receiving word from the State Department that their passport files had been breached (see here, here), an interesting question will be whether the perpetrators of this activity can suffer consequences beyond the loss of their jobs.

Back in 1997, the First Circuit reversed wire and computer fraud convictions brought against an individual who was accused of browsing in an Internal Revenue Computer.   The court held that the government had not provided sufficient evidence that the accused had received "anything of value."  In reversing the conviction, the court found that "mere browsing" was not enough, even if the information viewed was "about friends, acquaintances, and political rivals," as the accused did not "printed out, record[ ], or use [] the information he browsed."  106 F.3d 1069 (1st Cir. 1997).

But the present happenings may be different as the Freedom of Information Act and the Privacy Act of 1974 may apply.  18 U.S.C. s 552(a) provides for misdemeanor penalties in certain circumstances. It states:

"(i)(1) Criminal penalties

Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

(2) Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.

(3) Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000."

Exceptions are noted in the statute.  But the statute explicitly applies to contractors working for an agency.  Specifically the statute states:

"(m) Government contractors

(1) When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section to be applied to such system. For purposes of subsection (i) of this section any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of this section, shall be considered to be an employee of an agency."

But there are more important questions that we should be asking here --  Why are we seeing security breaches of this nature? As this is not a new problem, what steps were taken to make sure that this didn't happen again?  Was there a corporate compliance program in place and why did it not work? It is pretty frightening that our State Department can have security breaches like this occurring on several occasions.  If someone did this haphazardly, perhaps in fun, punishing them may not be the answer.  The more important point is to educate those who work with these type of documents on the importance of their confidentiality. If this were a corporation, might the government be offering the corporation a deferred prosecution agreement, in order to make certain that there was future compliance with the law.

(esp)

http://lawprofessors.typepad.com/whitecollarcrime_blog/2008/03/are-passport-se.html

Computer Crime, Investigations, News | Permalink

TrackBack URL for this entry:

http://www.typepad.com/services/trackback/6a00d8341bfae553ef00e5517962308834

Listed below are links to weblogs that reference Does the State Department Need A Deferred Prosecution Agreement?:

Comments

The accusations, as far as I can see, though, are not about *disclosure* of protected information, but simply *accessing* the information. Further, they did not do it under false pretenses. Even if there is a policy that people should not go wandering around in records that are not part of their caseload, they did not falsify who they were, what they were doing, or why they were doing it. Thus, it doesn't seem to me that there would be much of a case for prosecution. Of course, a prosecutor can prosecute anything, but if one came to me with this, I wouldn't plead out.

The fact is that the State Department did pretty much what they should do. People broke policy and misused their authority. They were punished for it. I'm not sure what more people want. You can't make everything a felony.

Posted by: William Oliver | Mar 21, 2008 8:22:48 PM

Duh.

People with access are curious. Nine out of ten people would snoop through these records if they had access.

Don't be such a dork.

Posted by: Danaidh | Mar 21, 2008 8:28:59 PM

I'm not convinced this is much of a story at all. I don't agree with snooping around in State Department files, but just what is in one's "Passport File"? I went back and checked out a passport application and, with the exception of a SSN, there's simply nothing there that's not on a driver's license. An actual passport has even less information than a driver's license. Does State track the countries you visit? Even this information would be easier to obtain for public figures elsewhere.
As WO pointed out, the system wasn't hacked, so it's overreaching to say the files were "breached." Some contract employee is terribly bored. The good news is that the system must work because they were caught.

Posted by: DavidL | Mar 21, 2008 9:50:02 PM

If government employees can without consequences leak details of top secret terrorist tracking programs to New York Times reporters for publication, why is anyone excited about snooping in passport information?

This incident did give Obama a chance to deflect attention away from Rev. Dr. Wright.

Posted by: Person of Choler | Mar 21, 2008 11:00:18 PM

I've quoted you and linked to you here: http://consul-at-arms.blogspot.com/2008/03/re-does-state-department-need-deferred.html

Posted by: Consul-At-Arms | Mar 22, 2008 2:19:40 AM

The contractors were given open access to the records in order to perform their jobs. Writing or modifying computer programs.

Posted by: M. Simon | Mar 22, 2008 3:30:18 AM

@Oliver:
You seem to miss the real point of the State Department data being used, directly or indirectly, in propaganda campaigns against the various candidates.
The military swears to "defend the Constitution of the United States against all enemies foreign and domestic", whereas these contractors are just picking up a paycheck.
There seems to be a lack of commitment amongst the contractors.

Posted by: C | Mar 22, 2008 5:24:57 AM

This is why the federal govt should have all health records....

Posted by: Andy Freeman | Mar 22, 2008 11:31:39 AM

Post a comment