Friday, March 21, 2008
With political candidates Obama, Clinton, and now McCain receiving word from the State Department that their passport files had been breached (see here, here), an interesting question will be whether the perpetrators of this activity can suffer consequences beyond the loss of their jobs.
Back in 1997, the First Circuit reversed wire and computer fraud convictions brought against an individual who was accused of browsing in an Internal Revenue Computer. The court held that the government had not provided sufficient evidence that the accused had received "anything of value." In reversing the conviction, the court found that "mere browsing" was not enough, even if the information viewed was "about friends, acquaintances, and political rivals," as the accused did not "printed out, record[ ], or use  the information he browsed." 106 F.3d 1069 (1st Cir. 1997).
But the present happenings may be different as the Freedom of Information Act and the Privacy Act of 1974 may apply. 18 U.S.C. s 552(a) provides for misdemeanor penalties in certain circumstances. It states:
"(i)(1) Criminal penalties
Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
(2) Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.
(3) Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000."
Exceptions are noted in the statute. But the statute explicitly applies to contractors working for an agency. Specifically the statute states:
"(m) Government contractors
(1) When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section to be applied to such system. For purposes of subsection (i) of this section any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of this section, shall be considered to be an employee of an agency."
But there are more important questions that we should be asking here -- Why are we seeing security breaches of this nature? As this is not a new problem, what steps were taken to make sure that this didn't happen again? Was there a corporate compliance program in place and why did it not work? It is pretty frightening that our State Department can have security breaches like this occurring on several occasions. If someone did this haphazardly, perhaps in fun, punishing them may not be the answer. The more important point is to educate those who work with these type of documents on the importance of their confidentiality. If this were a corporation, might the government be offering the corporation a deferred prosecution agreement, in order to make certain that there was future compliance with the law.