[Senate Hearing 110-619]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 110-619
 
      PASSPORT FILES: PRIVACY PROTECTION NEEDED FOR ALL AMERICANS

=======================================================================


                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 10, 2008

                               __________

                          Serial No. J-110-105

                               __________

         Printed for the use of the Committee on the Judiciary


                     U.S. GOVERNMENT PRINTING OFFICE

44-368 PDF                 WASHINGTON DC:  2008
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office  Internet: bookstore.gpo.gov Phone: toll free (866)512-1800
DC area (202)512-1800  Fax: (202) 512-2250 Mail Stop SSOP, 
Washington, DC 20402-0001


                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
EDWARD M. KENNEDY, Massachusetts     ARLEN SPECTER, Pennsylvania
JOSEPH R. BIDEN, Jr., Delaware       ORRIN G. HATCH, Utah
HERB KOHL, Wisconsin                 CHARLES E. GRASSLEY, Iowa
DIANNE FEINSTEIN, California         JON KYL, Arizona
RUSSELL D. FEINGOLD, Wisconsin       JEFF SESSIONS, Alabama
CHARLES E. SCHUMER, New York         LINDSEY O. GRAHAM, South Carolina
RICHARD J. DURBIN, Illinois          JOHN CORNYN, Texas
BENJAMIN L. CARDIN, Maryland         SAM BROWNBACK, Kansas
SHELDON WHITEHOUSE, Rhode Island     TOM COBURN, Oklahoma
            Bruce A. Cohen, Chief Counsel and Staff Director
           Stephanie A. Middleton, Republican Staff Director
              Nicholas A. Rossi, Republican Chief Counsel


                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Feingold, Hon. Russell D., a U.S. Senator from the State of 
  Wisconsin, prepared statement..................................    43
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont.     1
    prepared statement...........................................    52
Specter, Hon. Arlen, a U.S. Senator from the State of 
  Pennsylvania...................................................     3

                               WITNESSES

Duda, Mark W., Assistant Inspector General for Audits, Department 
  of State, Washington, D.C......................................     6
Geisel, Harold W., Ambassador and Acting Inspector General, 
  Department of State, Washington, D.C...........................     4
Raul, Alan Charles, Partner, Sidley Austin, LLP, Washington, D.C.    17
Rotenberg, Marc, Executive Director, Electronic Privacy 
  Information Center, Washington, D.C............................    13
Schwartz, Ari, Vice President, Center for Democracy & Technology, 
  Washington, D.C................................................    15

                         QUESTIONS AND ANSWERS

Responses of Ambassador Geisel to questions submitted by Senators 
  Specter, Leahy and Kennedy.....................................    21
Responses of Alan Charles Raul to questions submitted by Senator 
  Specter........................................................    27
Responses of Marc Rotenberg to questions submitted by Senators 
  Specter and Feingold...........................................    31
Responses of Ari Schwartz to questions submitted by Senators 
  Feingold and Specter...........................................    36

                       SUBMISSIONS FOR THE RECORD

Duda, Mark W., Assistant Inspector General for Audits, Department 
  of State, Washington, D.C., statement..........................    38
Geisel, Harold W., Ambassador and Acting Inspector General, 
  Department of State, Washington, D.C., statement...............    45
Kennedy, Patrick F., Under Secretary of State for Management, 
  Department of State, Washington, D.C., letter..................    50
Raul, Alan Charles, Partner, Sidley Austin, LLP, Washington, 
  D.C., statement................................................    54
Rotenberg, Marc, Executive Director, Electronic Privacy 
  Information Center, Washington, D.C., statement................    57
Schwartz, Ari, Vice President, Center for Democracy & Technology, 
  Washington, D.C., statement....................................    79


      PASSPORT FILES: PRIVACY PROTECTION NEEDED FOR ALL AMERICANS

                              ----------                              


                        THURSDAY, JULY 10, 2008

                                       U.S. Senate,
                                Committee on the Judiciary,
                                                   Washington, D.C.
    The Committee met, pursuant to notice, at 10:03 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Patrick J. 
Leahy, Chairman of the Committee, presiding.
    Present: Senators Leahy, Cardin, and Specter.

OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM 
                      THE STATE OF VERMONT

    Chairman Leahy. Good morning. Today, the Committee is going 
to hold an important hearing on the unauthorized access of 
Americans' passport files. Millions of Americans, including, I 
expect, every member of this Committee, entrust their personal 
information to the State Department in order to obtain 
passports and other services. We give a great deal of 
information, but we trust our Government to protect the private 
information of its citizens. But, sadly, the State Department 
has failed to honor this duty. They have left millions of 
ordinary Americans vulnerable to not only privacy violations 
but to identity theft that could come from that and other 
crimes.
    Now, last week--while Americans were celebrating 
Independence Day--the State Department's Acting Inspector 
General issued a report finding that State Department workers 
and contractors repeatedly accessed the passport files of 
entertainers, athletes, and other high-profile Americans 
without proper authorization. Now, I do not care whether it is 
a well-known person or someone we have never heard of. Either 
way it is wrong. And this revelation of passport snooping comes 
after press reports in March that the passport files of three 
Presidential candidates--Senators Obama, Clinton, and McCain--
were improperly accessed. Somebody running for office, as they 
do, give up enough of their privacy as it is. They ought to be 
able to count on their own Government protecting it.
    The Inspector General's findings raise serious concerns 
about possible violations of the Privacy Act and other Federal 
laws. And according to the report, 85 percent of the passport 
records included in a sample of high-profile Americans had been 
searched at least once--and many files were searched multiple 
times--during a 5\1/2\-year period. In fact, one individual's 
passport records were searched 356 different times by 77 
different people.
    The Inspector General's report reveals that the records of 
millions of ordinary Americans are also vulnerable to privacy 
breaches. There are no checks in the system to even determine 
if the passport files of the average American are accessed. 
Now, these files, just so we fully understand, contain name, 
date and place of birth, and Social Security numbers. As some 
of the experts on the Internet and data privacy know these are 
the kinds of facts somebody wants when they want to steal your 
identity. But the State Department does not have a general lack 
of policies, procedures, guidance, and training to stop it. 
According to the report, the Department's Passport Information 
Electronic Records System--PIERS--contains the passport records 
for approximately 127 million passport holders. Now that our 
Government is requiring us to have passports even to go into a 
friendly country, like Canada, the number of passport files to 
protect grows.
    The State Department could not readily identify the 
universe of Government workers and contractors who have access 
to this information. The Inspector General estimates that this 
figure exceeds 20,000 Government employees from various 
agencies and outside contractors. We might as well just post 
this stuff on billboards all over the country. And the tip of 
the iceberg in this report is the fact that passport 
information is shared with other agencies, and we have no idea 
what procedures are followed to protect information once it 
leaves the State Department. So here, sure, take all this 
information, bring it back someday. It has got to be better 
than that. The State Department Inspector General has referred 
this serious matter to the Justice Department. I made it very 
clear to the Attorney General yesterday that I hope the 
Department's Criminal Division will investigate this 
thoroughly. If criminal violations have occurred, people ought 
to go to jail.
    The lax data security at the State Department is not 
unique. A week does not go by without reports of personal data 
privacy breaches at Government agencies and private businesses. 
Just recently, we had front-page headlines with news about the 
theft of sensitive medical information from the National 
Institutes of Health, and earlier reports of data breaches have 
involved virtually every branch of our Federal Government. I 
just cannot imagine this. You might as well just open up the 
files and leave them out on the street corner and say, ``Here, 
help yourself.''
    The Inspector General's report is just the latest example 
of why we should have swift action on the Leahy-Specter 
Personal Data Privacy and Security Act. Senator Specter and I 
put this together. It is a comprehensive privacy bill that 
would help to prevent data security breaches and provide 
further protections in the handling of American's private data. 
And I hope that the Senate will promptly pass it.
    Data privacy and security at our Federal agencies is a 
serious and growing problem. We have to address it. So we have 
to understand not only what went wrong at the State Department 
but elsewhere. And I am glad the Department's Acting Inspector 
General and Assistant Inspector General for Audits are here to 
share their findings. And we have a distinguished panel of 
privacy experts. And then I hope we will end up passing the 
Leahy-Specter bill.
    [The prepared statement of Senator Leahy appears as a 
submission for the record.]
    With that, I will turn to Senator Specter.

STATEMENT OF HON. ARLEN SPECTER, A U.S. SENATOR FROM THE STATE 
                        OF PENNSYLVANIA

    Senator Specter. Thank you. Mr. Chairman, I commend you on 
calling this hearing so promptly. The Inspector General's 
report was issued on July 7th. This is July 10th. That is 
pretty unusual for an oversight committee to move into a field. 
But I think the implications of this matter warrant it.
    On every turn, we find that privacy is in jeopardy. 
Yesterday we enacted followup legislation on the Foreign 
Intelligence Surveillance Act, which goes further than we had 
in the past. And when you deal with national security, there 
are very weighty factors. But where you have snoopers, there is 
absolutely no justification for what they are doing. And, 
regrettably, when you take a look at all of the snoopers, it is 
sort of overwhelming.
    Just last month, sensitive information on about a thousand 
patients at Walter Reed Army Medical Center exposed a security 
breach. Last year, thieves stole a Transportation Security 
Administration computer containing information on some 100,000 
current and former employees. The Department of Agriculture 2 
years ago exposed 26,000 employees, contractors, and retirees 
to an invasion of privacy. Also in 2006, hackers stole data 
from the Defense Department system on 14,000 active-duty and 
retired servicemembers' independents. And the list goes on and 
on. There is obviously a great interest in personalities and 
high-profile people, but we have to do something very forceful 
to stop it.
    I was intrigued by one of the statistics in the IG's 
report, Inspector General's report, that the records of one 
individual were accessed a total of 356 times by 77 users 
between 2002 and 2008. I would like to know who that was. Maybe 
I would be interested in that myself.
    [Laughter.]
    Senator Specter. There must be something very fascinating, 
perhaps even lurid, about that particular individual.
    But one of the great values in our society is privacy, and 
vigilance is the cost of being effective at protecting it. So I 
am glad to see our Committee moving ahead, Mr. Chairman, and I 
am glad to cooperate with you in expediting this important 
hearing.
    Chairman Leahy. Well, it would be impossible to move 
forward on this without you, and you have been so good on the 
privacy bill. You know, in Vermont, we tend to respect our 
privacy a great deal, and I will put this story in perspective. 
I live on a dirt road, an old 1850s farmhouse we have had for 
over 50 years, a lot of land, fields, and whatnot. And 
adjoining farmers hayed the fields and so on since I was a 
teenager. And this was a story in the New York Times. It is the 
only thing I think was ever written about me that I have 
actually saved, even framed, and it goes almost this way.
    It was a Saturday morning. A little farmer was standing on 
the porch. A reporter in an out-of-State car pulls up and says, 
``Does Senator Leahy live up this road?'' He said, ``Are you a 
relative of his?'' He said, ``No. No, I am not.'' He said, 
``Well, are you a friend of his?'' ``Well, not really.'' ``Is 
he expecting you?'' ``No.'' ``Never heard of him.''
    [Laughter.]
    Chairman Leahy. So we love our privacy.
    Senator Specter. Well, Senator Leahy, as I understand it, 
the ``fahrm''--also know as the ``farm''--is expansive enough 
so that you can hide.
    Chairman Leahy. That it is.
    We are fortunate this morning. Our first witness is 
Ambassador Harold Geisel. Ambassador Geisel currently serves as 
the Acting Inspector General for the Department of State. He 
assumed the duties of Deputy Inspector General for the 
Department of State and the Broadcasting Board of Governors in 
June of this year. He is a career Department of State foreign 
service officer. He has dedicated more than 20 years to the 
Department. In 1994, Ambassador Geisel was assigned as Acting 
Inspector General of the State Department. He help the position 
of Deputy Assistant Secretary of State for Information 
Management from 1995 to 1996, during which he directed the 
development of the Department's first IT strategy plan. He 
served as our Ambassador to Mauritius in 1996 to 1999, received 
his bachelor's degree in liberal arts from Johns Hopkins 
University and his master's degree in finance from the 
University of Virginia. And I saw Senator Cardin of Maryland 
smile when I mentioned Johns Hopkins.
    Please go ahead, Ambassador.

  STATEMENT OF AMBASSADOR HAROLD W. GEISEL, ACTING INSPECTOR 
         GENERAL, DEPARTMENT OF STATE, WASHINGTON, D.C.

    Ambassador Geisel. Chairman Leahy, Ranking Member Specter, 
Senator Cardin, thank you for inviting me to discuss with you 
the privacy concerns reported in the results of our review of 
controls over access to passport records in the Department of 
State's Passport Information Electronic Records System, or 
PIERS. The full report has been provided to the Committee.
    In March 2008, media reports surfaced that the passport 
files maintained by the Department of State of three U.S. 
Senators, who were also Presidential candidates, had been 
improperly accessed by Department employees and contractors. On 
March 21, 2008, the Office of Inspector General, Office of 
Audits, initiated a review of Bureau of Consular Affairs 
controls over access to passport records and issued the final 
report 1 week ago, on July 2nd. The OIG made 22 recommendations 
to address the control weaknesses, and the Department concurred 
with 19 of them, partially agreed with one, and did not agree 
with two recommendations.
    OIG found many control weaknesses--including a general lack 
of policies, procedures, guidance, and training--relating to 
the prevention and detection of unauthorized access to passport 
and applicant information and the subsequent response and 
disciplinary processes when a potential unauthorized access is 
substantiated.
    As of April 2008, PIERS contained records on about 192 
million passports for about 127 million passport holders. These 
records include personally identifiable information, or PII, as 
it is known, such as the applicant's name, gender, Social 
Security number, date and place of birth, and passport number. 
PIERS also contains additional information, such as previous 
names used by the applicant, citizenship status of the 
applicant's parents or spouse, and scanned images of passport 
photos. PIERS offers users the ability to query information 
pertaining to passports and vital records, as well as to view 
and print original copies of the associated documents. As a 
result, PIERS records are protected from release by the Privacy 
Act of 1974. Unauthorized access to PIERS records may also 
constitute a violation of the Computer Fraud and Abuse Act.
    At the time of the publicized breaches, neither Consular 
Affairs nor the Department had implemented breach notification 
policies, procedures, or other criteria for reporting incidents 
of unauthorized access of passport records when they were 
detected. However, between March and May 2008, Consular Affairs 
and the Bureau of Administration took a number of corrective 
actions, including issuing interim guidance on the various 
steps to be followed and decisions to be made in response to a 
potential incident of unauthorized access to passport records 
and applicant personally identifiable information, and they 
issued a Department-wide PII breach response policy.
    While these immediate actions taken are commendable, OIG 
has recommended that the Department conduct the necessary 
vulnerability and risk assessments of all passport systems 
given the weaknesses and data vulnerabilities identified in 
this review of PIERS. Accordingly, OIG believes that the 
Department should make resources available to conduct the 
assessments as quickly as possible.
    OIG also recommended that CA ensure the accuracy of its 
Privacy Impact Assessments for PIERS and for all other passport 
systems to accurately reflect security controls for and risks 
to personally identifiable information.
    I would like to introduce Mr. Mark W. Duda, Assistant 
Inspector General for Audits, who led this review, and he will 
provide a summary of the findings.
    Thank you for the opportunity to present this timely 
information to you today. Following Mr. Duda's remarks, we 
would be happy to answer any questions you may have.
    [The prepared statement of Ambassador Geisel appears as a 
submission for the record.]
    Chairman Leahy. Thank you, Ambassador. And, of course, Mr. 
Duda, prior to being at the Department of State, was senior 
evaluator in the Department of Treasury Office of Inspector 
General, as well as auditor in charge at the Smithsonian 
Institution's Office of Inspector General. And, Senator Cardin, 
you will be interested in known he received a bachelor of 
science degree in accounting from the University of Maryland 
and a master of business administration from the University of 
Baltimore.
    Senator Cardin. I am glad to see that we are getting the 
best talent in the Nation working for us.
    [Laughter.]
    Chairman Leahy. Mr. Duda, why don't you go ahead, and then 
we will start with the questions.

  STATEMENT OF MARK W. DUDA, ASSISTANT INSPECTOR GENERAL FOR 
         AUDITS, DEPARTMENT OF STATE, WASHINGTON, D.C.

    Mr. Duda. Chairman Leahy, Ranking Member Specter, members 
of the Committee, thank you for the opportunity to discuss the 
results of our review of controls over access to passport 
records in the Department of State's Passport Information 
Electronic Records System, which is also known as PIERS. I will 
be referring to that acronym periodically.
    On March 21, 2008, following the first reported breach of a 
Presidential candidate's passport records and at the direction 
of the former Acting Inspector General, the Office of Inspector 
General, Office of Audits, initiated this review of the Bureau 
of Consular Affairs controls over access to passport records in 
PIERS. Specifically, this review focused on determining whether 
the Department: one, adequately protects passport records and 
data contained in PIERS from unauthorized access; and, two, 
responds effectively when incidents of unauthorized access do 
occur.
    During fiscal year 2007, the Department issued about 18.4 
million passports domestically and participated or assisted in 
the issuance of about 365,000 passports overseas.
    According to Consular Affairs officials, there were about 
20,500 users with active PIERS accounts as of May 2008, and 
about 12,200 of these users were employees or contractors of 
the Department. PIERS is also accessed by users at other 
Federal departments and agencies, including the Department of 
Homeland Security, the Federal Bureau of Investigation, and the 
Office of Personnel Management, to assist in conducting 
investigations, security assessments, and analyses.
    In our review, OIG found many control weaknesses--including 
a general lack of policies, procedures, guidance, and 
training--relating to the prevention and detection of 
unauthorized access to passport and applicant information and 
the subsequent response and disciplinary processes when a 
potential unauthorized access is substantiated.
    In some cases, Department officials stated that the lack of 
resources contributed to the lack of controls and to the 
Department's ability to assess vulnerabilities and risk. OIG 
described some security and management practices utilized by 
both the Internal Revenue Service and the Social Security 
Administration as examples where similar improvements could be 
made by the Department.
    OIG made 22 recommendations to address the control 
weaknesses found with safeguarding passport records. We did not 
verify instances of unauthorized access, but we did conduct a 
judgmentally determined study to identify the frequency with 
which the records for 150 high-profile individuals were 
accessed in PIERS between September 2002 and March 2008. Our 
results revealed several patterns that raised serious concerns 
about the potential for undetected unauthorized access to 
passport records. Of the 150 names included in the study, OIG 
found that the records of 127 individuals, or 85 percent, had 
been accessed at least one time. The results showed a total of 
4,148 hits to the passport information for these 150 
individuals. OIG made no determination as to whether the hits 
represented authorized or unauthorized access. Additionally, 
although an 85-percent hit rate appears to be excessive, the 
Department currently lacks any criteria to determine whether 
this is an unusually high rate.
    As stated by the Acting Inspector General, following the 
publicized passport record breaches, the Department implemented 
a number of corrective actions and has other efforts planned, 
as we have detailed in the report.
    Based on the responses from Department officials, of the 22 
recommendations made the Department has agreed with 19 of those 
recommendations; they partially agree with one recommendation; 
and they disagreed with two recommendations. To ensure adequate 
and timely action, OIG will conduct a full compliance followup 
review of the Department's implementation of the 
recommendations in this report, as well as Consular Affairs' 
process for reviewing possible unauthorized accesses by users 
as identified in our study.
    Thank you for the opportunity to appear before you today. I 
would be happy to answer any questions you have.
    [The prepared statement of Mr. Duda appears as a submission 
for the record.]
    Chairman Leahy. Well, thank you. As I sort of indicated 
before, I will start with you, Ambassador. I know the State 
Department has placed a number of celebrities on a special 
watchlist, and dignitaries watch out for that. I am just as 
concerned by the person we do not know the name of who lives 
down the street, works in a store, or whatever else, because 
they have also given all this information up. And it is one 
thing with a watchlist. They are not on that watchlist. Isn't 
it virtually impossible to know if the passport files of 
ordinary American citizens have been improperly accessed?
    Ambassador Geisel. Senator, that is really the key 
question. The answer is we have the ability to know if they 
have been accessed. We do not at this time know if they have--
whether the access is authorized or unauthorized, and a crucial 
part of our recommendations is that we have to know that.
    Chairman Leahy. Yes, because it is one thing to go and look 
back and say, OK, pick out passport number 2936000 or whatever 
and find that. But I am thinking of--for example, if somebody 
wants to--well, I will check on my neighbor or my former 
boyfriend or girlfriend, or somebody may have a more nefarious 
thing, I want to get this information, I know where this person 
lives, they are fairly wealthy, I want to get this information 
and sell it to somebody who will probably pay a lot of money 
for it because they are going to use it to clean out their bank 
account. I mean, there is nothing to ring alarm bells when that 
happens. Is that correct?
    Ambassador Geisel. As it stands right now, Senator, that is 
absolutely correct, and that is why I think one of our most 
important recommendations is that the Department take a look at 
software that does work, such as is used currently by the 
Internal Revenue Service or the Social Security Administration.
    Chairman Leahy. And we know in the past that the Internal 
Revenue Service had a problem with this. People were looking at 
the tax returns of movie actors and all, and usually it was 
just because it is kind of fun to find out. But if they can do 
that, they can also get the person who runs the local grocery 
store.
    Mr. Duda, the State Department has brought in a lot of 
contractors for this surge capacity in processing passport 
applications, especially when it decided that our neighbor to 
the north, Canada, the most friendly country we have ever been 
involved with, poses such a threat that we have all got to 
start having passports to go there. That is a political comment 
to the aside only because I think the policy is ridiculous. But 
as a result, a lot of outside people were hired.
    Is there a greater vulnerability to snooping if you are 
using outside contractors because you do not have the kind of 
leverage that you might have in the State Department? If you 
find a State Department employee doing it, they can be 
disciplined. They can be fired. They can be whatever else. But 
is there greater concern because we have had to rely so much on 
outside contractors?
    Mr. Duda. There could be, but there are actually controls 
you can put in place. Obviously, if the Department is 
soliciting the services of a contractor, they are entering into 
a contract with a vendor, you know, the Department is paying 
the vendor. The Department writes the contracts. The Department 
can put whatever, you know, is legally feasible into a 
contract. And one of the things that can be put in the 
contracts is adequate controls to ensure that contractors have 
access to this data.
    Chairman Leahy. Has that been done?
    Mr. Duda. Partially.
    Chairman Leahy. Partially. And shouldn't we make sure that 
if we are going to have penalties, criminal or otherwise, that 
they be the same whether you are somebody in the State 
Department or somebody in a private contractor?
    Mr. Duda. Absolutely.
    Chairman Leahy. Thank you. And in that regard, Ambassador, 
the Attorney General suggested that DOJ will open a criminal 
investigation into the passport breaches involving the three 
Presidential candidates based upon the referral from your 
office. Are there going to be more referrals from your office?
    Ambassador Geisel. We don't comment on investigations, but 
there will certainly be referrals where we feel that a case can 
be made to the Justice Department and that the Justice 
Department has reasonable probability of achieving a good 
prosecution.
    Chairman Leahy. Both Senator Specter and I are former 
prosecutors, as are a number of the people on this Committee, 
and, frankly, in this kind of thing, I think some well-placed 
prosecutions with the use of the criminal code may be as much 
of a deterrent as you can imagine.
    Senator Specter?
    Senator Specter. Thank you, Mr. Chairman.
    Has anybody been caught?
    Ambassador Geisel. Yes, sir. Those were the referrals that 
were made.
    Senator Specter. And what happened as a result of their 
being identified, apprehended, and caught?
    Ambassador Geisel. Excuse me, sir.
    [Pause.]
    Ambassador Geisel. If these people have actually been 
referred to Justice, I--
    Senator Specter. No, I don't want to know ``ifs.'' I want 
to know if you have apprehended people and they have been 
caught. That is what I want to know.
    Ambassador Geisel. The answer is yes, sir.
    Senator Specter. And how many?
    Ambassador Geisel. Five so far, but it is very much of an 
ongoing investigation, and I am sure--
    Senator Specter. Only five.
    Ambassador Geisel. So far.
    Senator Specter. And have there been prosecutions against 
those individuals?
    Ambassador Geisel. I am not aware of what Justice is doing 
with those referrals.
    Senator Specter. Well, Ambassador, you ought to be. You 
ought to followup as to what the Department of Justice is 
doing. We would like to know that.
    Let me talk to the witness, if I may. I only have 5 
minutes. What is the motivation behind this, if you know? Is it 
just curiosity? Is it just snooping? Why so many invasions of 
privacy here?
    Ambassador Geisel. Well, I hope it is just snooping. I 
suspect--
    Senator Specter. No, no. I don't want to know what you 
hope. What evidence do you have as to what motivates people to 
do this?
    Ambassador Geisel. I don't think we know yet what motivated 
these particular people to snoop.
    Senator Specter. Well, have they been questioned? 
Obviously, they have been. What has the interrogation of these 
people disclosed?
    Ambassador Geisel. So far it is snooping, sir.
    Senator Specter. So far what?
    Ambassador Geisel. It is snooping, just as you said. It is 
snooping. It is peeping. We don't have any evidence that the--
which is what I worry about, that someone would do this, for 
instance, for the purpose of perpetrating identity fraud.
    Senator Specter. Well, is the Department of State making a 
real effort to push prosecutions? Prosecutor Leahy might say to 
you that if you get a conviction, you deter some people from 
doing it. I certainly would say that.
    Ambassador Geisel. Amen, Senator. I cannot think of a 
better way--I think there are two--
    Senator Specter. So what have you done to pursue 
prosecutions to try to have some deterrence?
    Ambassador Geisel. We have referred them to the Justice 
Department.
    Senator Specter. Have you followed up? We write lots of 
letters to the Department of Justice. Senator Leahy had a whole 
portfolio of them yesterday talking to the Attorney General. 
There has to be followup. This is a primary responsibility of 
the Department of State, and the Department of State ought to 
pursue it.
    Ambassador Geisel. I absolutely agree with you, Senator.
    Senator Specter. Well, what do you plan to do about it?
    Ambassador Geisel. I think the best answer is that we, A, 
intend to followup but, B, intend to put in a much better 
system or recommend--
    Senator Specter. Well, a better system we have talked 
about, but where you have the specific cases, would you give a 
report to the Committee within 30 days on the issue of followup 
and what has happened?
    Ambassador Geisel. Absolutely, sir.
    Senator Specter. I note that the penalty for looking for 
commercial advantage or financial gain is increased to 5 years. 
It is 1 year otherwise. Has there been any showing that any of 
these invasions of privacy were motivated by commercial 
advantage or financial gain?
    Ambassador Geisel. Not yet, sir, but as I said, that is our 
greatest worry.
    Senator Specter. Have you pursued the issue as to whether 
somebody is looking for financial gain?
    Ambassador Geisel. Yes, sir, but as I said, so far it 
appears to be peeping.
    Senator Specter. When you have the evidence of unauthorized 
disclosure, do you go to the individuals whose files have been 
tampered with to see if they have any indication that they have 
been prejudiced in any way by what has happened?
    Ambassador Geisel. That is part of an ongoing 
investigation, and I am sure you understand that I--
    Senator Specter. I understand. I am not asking you about 
specific cases. I am asking about procedures. I am not asking 
you about a specific case.
    Ambassador Geisel. Yes, sir.
    Senator Specter. I would not intrude on that.
    Ambassador Geisel. I understand. I don't know that we 
have--let me ask our people. Have we gone to specific 
individuals?
    The answer is--as you advised, I will not discuss it in 
detail, but the answer is yes, we have done so.
    Senator Specter. The answer is yes to which question?
    Ambassador Geisel. The answer is yes, we have spoken with 
individuals to see if they were affected by the--
    Senator Specter. I am not asking you about any specific 
individuals. Have you found any individuals who have been 
prejudiced aside from--just an invasion of privacy is a 
prejudice all by itself. But beyond that, have they lost 
financially? Have they had anything specific happen as a result 
of the unauthorized disclosure or snooping on their records?
    Ambassador Geisel. We have not--that is a negative, sir. So 
far, no one has advised that they have been adversely affected 
in a financial sense by the snooping.
    Senator Specter. Well, as a final comment--my red light is 
on--I would urge you to get tough about it and to followup.
    Ambassador Geisel. Absolutely.
    Senator Specter. And reports are not sufficient. When 
Congress is providing criminal penalties, you have a real 
hammer, and you ought to be using it. If you would supply in 
writing any recommendations you have for modifications of the 
statute, I think the Committee would appreciate that.
    Thank you very much, Ambassador. Thank you, Mr. Duda.
    Thank you, Mr. Chairman.
    Chairman Leahy. Thank you.
    Senator Cardin?
    Senator Cardin. Thank you, Mr. Chairman. I certainly agree 
with your comments and Senator Specter's comments, and I want 
to followup on Senator Specter's points.
    First of all, I want to thank both of you for what you are 
doing in helping us to put in the right procedures to make sure 
this never happens again. But I just want to underscore the 
point that Senator Specter has made. When we had similar 
problems in other agencies--I think about laptops that were 
taken out of offices and that contained sensitive data that 
went missing--we were not clear as to what was being done with 
that sensitive information, which included Social Security 
numbers. We know that identity theft is one of the largest 
criminal problems we have in our community today. We know that 
the information contained in passport files would be very 
valuable for people who want to participate in identity theft. 
As Senator Leahy has said, we know that the information could 
be valuable for criminals who want information about potential 
targets. So the vulnerability is there with the information, 
and that is why it is particularly sensitive.
    I think your testimony has raised a lot more questions than 
we have the answers to. Obviously, someone who does this for 
curiosity to peep in someone else's records is wrong and needs 
to be disciplined. But if they are doing it for financial 
reward, if it is part of criminal activities, then that is a 
much more serious issue, and we want to know about that also.
    I also believe--and I know there is a large volume of 
people whose records have been unauthorized access. But I think 
to a certain degree those individuals are entitled to know 
that. And although in a criminal investigation you may be 
looking at a specific number of cases in order to get the 
cooperation of the individuals whose records were unauthorized 
accessed, but I do think if someone looked at my passport 
records, I have a right to know that.
    So are any steps being taken in order to notify the 
individuals whose records were unauthorized accessed so that 
they are on record, first, that that was done and, second, to 
be alerted to potentially being a victim to other types of 
activities such as identity theft?
    Ambassador Geisel. To date, Senator, the work that we have 
done, we are not yet at the point, as Mr. Duda explained, that 
we are certain that the access was unauthorized, although 
obviously when you are talking about numerous breaches, it 
seems a sure shot.
    The problem will be--well, we cannot notify anyone until we 
know that the access was unauthorized. In many cases, it would 
have been authorized. For example, someone who often crosses 
the border, the Homeland Security person will have a very good 
reason for going back to that file. But we have a lot more work 
to do.
    Mr. Duda. One of the things I wanted to point out is that, 
you know, management's responsibility is obviously to have a 
system in place, have the controls to prevent unauthorized 
access to, you know, PII information for all Americans. OIG's 
role obviously is to oversee that and do testing and so forth.
    In this review that we did, we identified such a large 
number of potential unauthorized accesses and a control 
environment that was limited, at best. We made significant 
recommendations which the Department largely agree with and is 
in the process of implementing. And one of the things they are 
doing right now, they have told us--CIA officials have told us 
that they are looking into all of the potential unauthorized 
accesses from our case study, and then once the determination 
that the Department makes, they will then make referrals to the 
Office of Inspector General.
    Senator Cardin. Let me make a recommendation. To the extent 
that you determine that someone's passport records were 
accessed, unauthorized, will you recommend that that individual 
be notified that his or her records were inappropriately 
accessed?
    Mr. Duda. Yes, absolutely. I don't know whether that will 
be a management responsibility, but OIG definitely--
    Senator Cardin. Will you let us know whether that 
recommendation is followed by the agency so that we know 
whether, in fact, those who were victimized are at least aware 
that they were victimized?
    Mr. Duda. Yes. One of the corrective actions the Department 
has already implemented is drafting a breach response policy, 
and I don't recall the exact specifics, but--
    Senator Cardin. I just want to make sure that we know 
whether the victims, those whose records were accessed 
inappropriately, will be notified, and whether you will be able 
to follow up to let us know whether that, in fact, was carried 
out by the agency.
    Ambassador Geisel. We will make that recommendation, 
Senator.
    Senator Cardin. I appreciate it.
    The second point, Mr. Chairman, just very quickly, we just 
finished acting on the FISA statute, and it just raises a 
question to me as to whether agencies are accessing passport 
records for mass data collections. Is any of this involved in a 
data collection system where there is routine information 
gathered on our passport records as part of homeland security 
or intelligence operations that you are aware of?
    Mr. Duda. Not that I am aware of, but one of our concerns 
in this review or any potential plans of sharing the data in 
PIERS or any of the other passport systems with other agencies 
for any purpose, we want to make sure that there are adequate 
controls in place.
    Senator Cardin. Will you also report back to us if your 
review shows that there is mass data collections from the 
passport records that are questionable from the point of view 
of whether they are authorized by statute?
    Mr. Duda. Absolutely.
    Senator Cardin. Thank you.
    Thank you, Mr. Chairman.
    Chairman Leahy. Thank you very much, and if we have other 
questions, we will submit them for the record. There is going 
to be a roll call vote fairly soon, so if we seem to be 
speeding along, that is why. But thank you both very, very 
much. It helps us highlight the concern that we have here.
    The next panel, if we could arrange to bring them up. This 
panel of people are certainly known to this Committee. Marc 
Rotenberg is the Executive Director of the Electronic Privacy 
Information Center, EPIC, in Washington, D.C. He teaches 
information privacy law at Georgetown University Law Center, an 
excellent school, having graduated from there. He has testified 
before Congress on such topics as encryption policy, consumer 
protection, computer security, communications privacy. He 
chairs the ABA Committee on Privacy and Information Protection. 
He has served on several national and international advisory 
panels, including expert panels in cryptography policy and 
computer security for the OECD, legal experts in cyber space 
law for UNESCO. He is a founding board member and former chair 
of the Public Interest Registry, which manages the .org domain. 
He also served as counsel, in full disclosure, an invaluable 
member of my staff on the Senate Judiciary Committee. He is a 
graduate of Harvard and Stanford Law School, the recipient of 
more awards than I could even name, but that includes the World 
Technology Award in Law.
    Mr. Rotenberg, please go ahead.

  STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC 
          PRIVACY INFORMATION CENTER, WASHINGTON, D.C.

    Mr. Rotenberg. Thank you very much, Mr. Chairman, Senator 
Cardin. I appreciate the opportunity to be here today.
    We have a particular interest in the privacy of personal 
information collected by Federal agencies, and as the recent 
news stories and the report from the Inspector General have 
made clear, the passport information that we are required to 
provide to the Government is not adequately protected. And we 
are particularly concerned about this because there are growing 
demands on personal information by the Federal Government, and 
with the increasing use of identification documents.
    So it is not simply the passport information of 
Presidential candidates or celebrities that is at issue. It is 
the personal information of people who apply for a driver's 
license, work in the Federal Government, or travel to Canada. 
And for these reasons, we think that more needs to be done to 
protect personal privacy, not only at the State Department but 
also across the Federal Government.
    Now, I think it is helpful to understand the background of 
the particular incident at the State Department to put in 
context what the Inspector General uncovered. It was back in 
1992 when State Department officials were found to be going 
through the passport files of then Presidential candidate Bill 
Clinton to try to find embarrassing information. And there was 
an investigation. The State Department subsequently dismissed 
employees who were engaging in this activity. This is precisely 
the concern about information that individuals provide to the 
Federal Government that will be misused, that will obtained by 
identity thieves, or that will be used in ways that are simply 
not appropriate.
    So it was because of that 1992 incident that alarm bells 
literally went off this spring at the State Department when it 
was determined that the passport files of Senators Obama, 
McCain, and Clinton had been improperly accessed. And I think 
it is worth noting that all three Senators made statements at 
the time about the importance of protecting the privacy of 
personal information. In fact, Senator Obama himself said, 
``One of the things that the American people count on in their 
interactions with any level of government is that if they have 
to disclose personal information, that it stay personal and 
stay private.''
    Now, the Inspector General's report, which was undertaken 
pursuant to the March release of the passport information, 
provides some useful information and some useful 
recommendations. But I should point out that much of the report 
has been redacted, that is to say, of the 22 recommendations 
contained in the IG's report, only six, in fact, are available 
for public review. There are many sections of the report that 
have literally been blacked out. If I may show the Committee, 
we have a few pages here from the report.
    [Displays documents.]
    This is a page labeled ``Sensitive but unclassified.'' The 
top half of the page references the FOIA exemption (b)(2) as 
the basis for withholding the information. The bottom does not 
even bother with the (b)(2) designation. It just blacks out the 
entire section of the report. This is problematic because, of 
course, to evaluate the adequacy of the recommendations made by 
the Inspector General, it is important to see the whole report.
    Now, we have made--and it is included in my complete 
statement--a series of recommendations. We do think there 
should be auditing so that whenever there is access, those 
access events will be recorded. We do think there should be 
improved oversight. We think there needs to be some independent 
evaluation of the privacy safeguards within the Federal 
agencies, including the State Department. But I think most 
importantly, the legislation S. 495, which you, Mr. Chairman, 
cosponsored along with Senator Specter and was favorably 
reported by this Committee, contains several very important 
provisions that, if in force, might have actually prevented 
this from occurring, because a big problem today at the State 
Department is that a lot of the information processing is being 
done by private contractors. The agency turns over to a private 
company the responsibility for producing the passports, for 
collecting the information for the passports, for inspecting 
the information. And it is in that process of outsourcing the 
Government function that the privacy concern arises. And so 
this legislation, S. 495, actually puts in place disciplinary 
requirements so that if these kinds of problems occur, people 
can be held accountable, opportunities to review the contractor 
relationship so that an agency can make a determination if the 
contractor is doing enough to protect personal privacy.
    One of the remarkable facts here is that just a few days 
before the State Department revealed that three Presidential 
candidates had their passport files improperly accessed, the 
agency had renewed its contract with Stanley, the privacy 
company, a 5-year deal for $570 million. I think if a company 
cannot protect the personal information of American citizens 
that it obtains, the agencies need to rethink some of those 
contracts.
    So thank you very much for the opportunity. I would be 
pleased to answer your questions.
    [The prepared statement of Mr. Rotenberg appears as a 
submission for the record.]
    Chairman Leahy. Thank you very, very much.
    Ari Schwartz is the Vice President and Chief Operating 
Officer of the Center for Democracy and Technology, CDT. He 
works to promote privacy protection in the Digital Age while 
expanding access to Government information through the 
Internet. He is the leader of the Anti-Spyware Coalition, in 
2006 was awarded the RSA Award for Excellence in Public Policy 
for his work in building the Anti-Spyware Coalition and other 
efforts against spyware. He has been named to the top five 
Influential IT Security Thinkers of 2007 by Secure Computing 
magazine, served as a member of the Department of Commerce 
National Institute of Standards and Technology Information, 
among others.
    So, Mr. Schwartz, I am delighted you are here because I am 
a bit of a bug or nag in my office on keeping spyware off our 
computers.

STATEMENT OF ARI SCHWARTZ, VICE PRESIDENT, CENTER FOR DEMOCRACY 
                 & TECHNOLOGY, WASHINGTON, D.C.

    Mr. Schwartz. Thank you very much, Senator Leahy, and 
Senator Cardin as well. Thank you for holding this important 
public hearing and for inviting me to participate.
    I would especially like to commend you, Mr. Chairman, on 
how you opened this hearing. While the news reporting on the 
subject of passport breach has focused on whether Presidential 
candidates or other celebrities had their passport records 
snooped through, the privacy and security of the passport 
records of average individuals has received considerably less 
attention, and you raised that in your opening statement and I 
appreciate that.
    As we heard earlier, there seems to be little to no 
protection on how to prevent or detect the truly nefarious 
activities which passport records such as stalking or identity 
theft that we could see with this kind of browsing.
    To address this problem, CDT suggests that Congress take 
the same approach that it did 11 years ago when it was found 
that IRS employees were browsing tax records. Congress should 
increase oversight and civil and criminal penalties on passport 
records. Just to send you to the right place, that is the 
Taxpayer Browsing Protection Act of 1997 that I know the 
Chairman and many other people on this Committee worked on.
    The illegal browsing of passport records of Americans by 
Government employees should be a major concern not only to the 
millions of passport holders but to all Americans as it 
suggests an inability of Government to protect privacy at the 
highest levels.
    The Inspector General's report pointed to many flaws in the 
State Department's ability to protect privacy. CDT has raised 
many of these same concerns over the past 3 years with the 
State Department. For example, the Inspector General found that 
the Privacy Impact Assessment for the passport data base was 
just inaccurate. CDT wrote to Secretary Rice over a year ago to 
raise concerns about Privacy Impact Assessments at the State 
Department, and particularly the E-Passport program. We never 
received a reply, and no changes to the PIAs were ever made. 
CDT has since found incomplete and inaccurate information in 
several other Privacy Impact Assessments on the Department of 
State website.
    The State Department must be held accountable for the 
failures of its privacy program and encouraged to provide 
resources and leadership so that it can be ensured that our 
privacy is being protected when held by the State Department.
    To prevent other serious breaches of public trust Congress 
will need to address the roots of the problem by more closely 
monitoring the State Department's collection of personal data.
    While the State Department has clearly been a failing 
agency across the board on privacy, there are several other 
failing agencies as well. For example, one agency that CDT 
spoke to told us that a privacy audit revealed that they had 
lost track of half of their Privacy Act system of records. They 
simply do not know where millions of personal records were that 
were originally brought in by this agency. One retiring 
security official from the Department of Interior explained 
publicly, while discussing that agency's constant failures in 
privacy and security reporting, ``We are promiscuous with our 
data. We don't know where our data is.''
    You can call this a privacy concern. You can call this a 
security concern. You can call it a data management concern. 
But to the American taxpayer, it is certainly called a failure.
    CDT agrees with GAO's recent analysis suggesting that the 
way to ensure privacy protection at agencies is through 
improvement in existing Government privacy laws, oversight, and 
leadership. To solve these problems beyond our initial State 
Department specific suggestions, CDT recommends that Congress 
work with the executive branch in the four following areas:
    No. 1, expanding Privacy Act coverage and closing Privacy 
Act loopholes.
    No. 2, improving the quality of Privacy Impact Assessments 
by Government agencies. This would also include Privacy Impact 
Assessments for Government use of commercial data, as required 
in the Leahy-Specter data breach bill, S. 495 as referenced 
earlier.
    No. 3, improving privacy leadership. This would include a 
permanent Chief Privacy Officer position at the Office of 
Management and Budget written into law, Chief Privacy Officers 
at all major component agencies, and the creation of an 
independent Chief Privacy Officer Council with a similar 
structure to the CIO and CFO councils.
    And, No. 4, increasing and improving privacy reporting and 
audits. I detail all these suggestions in my written testimony.
    In general, we believe that there is now consensus around a 
set of sound recommendations for action by Congress and 
executive branch to fill the gaps and loopholes in privacy law 
and policy. CDT urges the Committee and the Senate to work 
quickly so that the next President can have the right tools in 
place upon taking office and can get started immediately on 
strengthening privacy in the Federal Government.
    I look forward to working with you, and we thank you for 
your leadership on these important issues. Thank you for your 
attention, and I look forward to your questions.
    [The prepared statement of Mr. Schwartz appears as a 
submission for the record.]
    Chairman Leahy. Thank you very much.
    Alan Raul is a partner in the Washington, D.C., office of 
the international law firm Sidley Austin. He chairs Sidley's 
Information Law Privacy Practice Group, served as Vice Chairman 
of the White House Privacy and Civil Liberties Oversight Board 
from March 2006 through January 2008. He was the Associate 
Counsel to President Reagan from 1986 to 1988, where he 
represented the White House in connection with the Iran-contra 
investigation. He served as General Counsel to the Office of 
Management and Budget in the Executive Office of the President. 
He was nominated by President George H.W. Bush and confirmed by 
the Senate to the position of General Counsel at the U.S. 
Department of Agriculture from 1989 to 1993. He is a graduate 
of Harvard College, Harvard University's Kennedy School of Law, 
and to show there is no rivalry, the Yale School.
    Please go ahead.

 STATEMENT OF ALAN CHARLES RAUL, PARTNER, SIDLEY AUSTIN, LLP, 
                        WASHINGTON, D.C.

    Mr. Raul. Thank you, Chairman Leahy, Senator Specter, 
Senator Cardin. Thank you for inviting me to testify on 
protecting the privacy of passport files maintained by the U.S. 
Department of State. It is an honor to appear before you this 
morning.
    I am testifying today in a personal capacity. As you noted, 
I am currently engaged in private law practice in Washington 
where I focus on privacy, data security, and Internet law. And 
until recently, I also served in a part--time capacity as Vice 
Chairman of the White House Privacy and Civil Liberties 
Oversight Board.
    This hearing arises because of a recent investigation and 
report by the State Department's Inspector General indicating 
that the passport files of high-profile individuals, including 
the files of three Presidential candidates--namely, Senators 
McCain, Obama, and Clinton--may have been improperly accessed 
by State Department employees and contractors. The State 
Department announced this week that it had terminated around 
five contractors in connection with what appear to be serious 
violations of personal privacy, Federal law, and internal 
controls.
    While the investigation continues, if the facts turn out to 
be as they now appear, there is no question that the standards 
of the Privacy Act of 1974 were not satisfied. To the extent 
agency employees and contractors accessed passport files with 
no official need to do so, they disrespected the privacy of 
affected passport holders and applicants and brought 
substantial disrepute upon their agency.
    The Privacy Act, the e-Government Act of 2002, and the 
Federal Information Security Management Act of 2002--FISMA--all 
require Government agencies to adopt and implement effective 
controls to prevent just the sort of invasion of personal 
information that occurred here.
    Moreover, each of these Acts authorizes the Director of the 
Office of Management and Budget to assist, guide, and oversee 
Federal efforts in the realm of privacy and information 
security. Congress and the White House should continue to 
support and encourage OMB's leading role in the field of 
privacy and information security.
    With regard to the specific incident at hand, it is not 
clear at this point whether any of the individuals whose files 
were accessed experienced any pecuniary losses or other actual 
damages that would support claims of civil liability under the 
Supreme Court's Doe v. Chao decision of 2004. However, if any 
agency employee or contractor ``willfully disclose[d] the 
material in any manner to any person or agency not entitled to 
receive it,'' or ``knowingly and willfully request[ed] or 
obtain[ed] any record concerning an individual from an agency 
under false pretenses,'' then they would be guilty of a 
criminal misdemeanor and fined up to $5,000.
    It is perfectly clear now, however, that existing law and 
applicable guidance should have prevented State Department 
employees and contractors from engaging in frolics and 
detours--or worse--through the passport files of politicians, 
prominent figures, or indeed, of any Americans. The fact that 
these files were subject to access for no good reason is highly 
troubling. We all expect the Government to do much better in 
safeguarding our personal information.
    Plainly, the State Department must redouble its efforts to 
conduct privacy impact and risk assessments, to communicate 
binding privacy policies to all parties handling personal 
information--both employees and contractors--provide its 
employees and contractors with meaningful privacy and data 
security training so they take these issues seriously, and 
ensure effective audit trails for accessing personal 
information, as well as establishing clear guidelines for 
disciplining and terminating employees and contractors who 
transgress. The State Department should also revisit its 
administrative, technical, and physical safeguards to prevent 
future abuse of passport files and other personal records.
    At the same time, care must be taken to avoid unduly 
restricting proper access to information that is essential for 
national security purposes. As the 9/11 Commission recommended, 
and Congress enacted, the country has a critical need to 
promote an ``information sharing environment'' that transcends 
traditional governmental boundaries in order to help prevent 
future terrorist attacks. But the relevant Government agencies, 
including the State Department, must effectively integrate 
protections for privacy and other civil liberties into this new 
information-sharing environment.
    In any event, if the executive branch wishes to hold the 
private sector, State governments, and foreign nations to high 
standards for information privacy and security, it needs to be 
a consistently good role model for privacy itself. To that end, 
the Government obviously has plenty of room for improvement 
under existing privacy laws and standards for information 
security.
    Thank you for considering my views.
    [The prepared statement of Mr. Raul appears as a submission 
for the record.]
    Chairman Leahy. Thank you. The vote has started. I want to 
ask one question, and then we will recess for a couple minutes 
to see if others are coming back.
    Mr. Rotenberg, last year Senator Specter and I introduced 
our Personal Data Privacy and Security Act. Now, this has a 
specific requirement that the General Services Administration 
has to evaluate the privacy security practices of potential 
Government contractors, but then put penalty provisions in if 
they fail to follow and fail to protect data privacy. Would 
this help?
    Mr. Rotenberg. Absolutely, Senator. As I was thinking about 
the legislation, which I believe you introduced in 2007, it 
occurred to me this was actually an example where the 
legislation was ahead of the problem. In other words, if these 
requirements had been put in place back in 2007, I believe the 
State Department would have been much more careful in its 
relationship with the private contractor, and I think the 
private contractor would have been much more diligent about the 
activities of its employees. And it was the failure to pass 
that legislation earlier that very well may have made possible 
this recent breach.
    So I hope the Senate--and the House, of course--act on 
this. I think it would prevent a lot of damage going forward. 
It is a very sensible approach to a real problem.
    Chairman Leahy. Mr. Schwartz, Mr. Raul, how do you feel 
about that?
    Mr. Schwartz. I strongly agree with that statement. It 
would definitely help privacy and security to have that kind of 
review, and the Government needs to ensure that their security 
efforts and the security efforts of their contractors are the 
best that there are. And I would actually take it a step 
further and say that the entire title of that bill, S. 495, 
Title 4, would have helped in this case. It has better auditing 
capability in that section, assuming that was not done in this 
case, and improvement of Privacy Impact Assessments, something 
that the Inspector General specifically pointed out in this 
case was a failure.
    Chairman Leahy. Mr. Raul?
    Mr. Raul. Chairman Leahy, due diligence of potential 
contractors with regard to their information security systems 
and processes is essential. I think that is recognized in other 
legislation like Gramm-Leach-Bliley, HIPAA, regulations under 
those statutes. I think there is existing guidance that Federal 
agencies should be doing it now.
    I think the message really need to be effectively 
communicated to the various departments and agencies that they 
need to take this seriously. So I would support strongly 
sending that message to all agencies.
    Chairman Leahy. Well, you know, my concern is we know how 
much there are attacks from outside our borders into all our 
different computer banks, and a lot of this has been reported 
in the press, and I will not go into some aspects of it for 
obvious reasons in an open session. So we have to guard against 
that, and we should, of course, for the obvious reasons--
national security and everything else.
    I hate to have to think we have to guard against our own 
people, and yet it seems possible. The Inspector General's 
report included 22 recommendations for improvements in the 
Consular Affairs Bureau of the State Department.
    We have that the Department is going to implement most of 
the recommendations. Is that going to be enough? Again, I am 
thinking about what we do with our own people. It is a whole 
different subject what happens when we have countries, not just 
bad actors outside but actually state-sponsored efforts to 
penetrate our computer systems.
    Mr. Rotenberg. Senator, I think the Inspector General's 
report is helpful, but I don't think it will be enough. It has 
recommendations to the agencies, some of which apparently the 
bureaus are disputing. I think there needs to be here a clear 
mandate about how the practices are going to change so that 
this does not happen in the future. And I think there needs to 
be a comprehensive approach that prevents this from happening 
in other Federal agencies.
    One of the realities right now is that security breaches 
are on the increase in the Federal Government, and without 
adequate safeguards to ensure particularly with private 
contractor access to personal data, I think this problem will 
continue to get worse.
    Mr. Schwartz. Mr. Chairman, I would say that the external 
security and the internal security are actually tied together 
and that you cannot really separate the two. It seems in this 
case, from what we know from the public reports, that the State 
Department did not know all the people that had access to it, 
and did not even list all the agencies that have access to it.
    Chairman Leahy. That really frosted me when I saw that.
    Mr. Schwartz. And then we also see--and I just said from 
other agencies, we know that agencies are losing systems. If 
they do not know where it is, that makes it more vulnerable to 
outside attack. You cannot secure something if you do not know 
where it is.
    These are all systems that have personal information of 
Americans in them, so I think that it is a major concern both 
for the internal threat that comes from this and the external 
threat as well.
    Mr. Raul. One of the critical components, Chairman Leahy, 
in any information security program is the conduct of a risk 
assessment, either incorporated in a Privacy Impact Assessment 
as required by the Federal Government, or in vulnerability 
assessments.
    From my review of the redacted version of the Inspector 
General's report, it is not clear whether the State Department 
had conducted sufficient risk assessments in this area. And it 
sounds like they were not sure who had access, what information 
they had. You know, that is unacceptable because risks, as you 
say, Mr. Chairman, can be either internal or external, and for 
various different motivations. And if an agency does not know 
what is at risk, it cannot possibly protect against it.
    Chairman Leahy. We will stand in recess. I keep looking up 
here. You are probably wondering what I am looking at. It is 
those five lights in the back which went on some time ago. That 
is the 5-minute warning. I am heading to the floor. Take care.
    We will stand in recess.
    [Whereupon, at 11:09 a.m., the Committee was adjourned.]
    [Questions and answers and submissions for the record 
follow.]
[GRAPHIC] [TIFF OMITTED] 44368.001

[GRAPHIC] [TIFF OMITTED] 44368.002

[GRAPHIC] [TIFF OMITTED] 44368.003

[GRAPHIC] [TIFF OMITTED] 44368.004

[GRAPHIC] [TIFF OMITTED] 44368.005

[GRAPHIC] [TIFF OMITTED] 44368.006

[GRAPHIC] [TIFF OMITTED] 44368.007

[GRAPHIC] [TIFF OMITTED] 44368.008

[GRAPHIC] [TIFF OMITTED] 44368.009

[GRAPHIC] [TIFF OMITTED] 44368.010

[GRAPHIC] [TIFF OMITTED] 44368.011

[GRAPHIC] [TIFF OMITTED] 44368.012

[GRAPHIC] [TIFF OMITTED] 44368.013

[GRAPHIC] [TIFF OMITTED] 44368.014

[GRAPHIC] [TIFF OMITTED] 44368.015

[GRAPHIC] [TIFF OMITTED] 44368.016

[GRAPHIC] [TIFF OMITTED] 44368.017

[GRAPHIC] [TIFF OMITTED] 44368.018

[GRAPHIC] [TIFF OMITTED] 44368.019

[GRAPHIC] [TIFF OMITTED] 44368.020

[GRAPHIC] [TIFF OMITTED] 44368.021

[GRAPHIC] [TIFF OMITTED] 44368.022

[GRAPHIC] [TIFF OMITTED] 44368.023

[GRAPHIC] [TIFF OMITTED] 44368.024

[GRAPHIC] [TIFF OMITTED] 44368.025

[GRAPHIC] [TIFF OMITTED] 44368.026

[GRAPHIC] [TIFF OMITTED] 44368.027

[GRAPHIC] [TIFF OMITTED] 44368.028

[GRAPHIC] [TIFF OMITTED] 44368.029

[GRAPHIC] [TIFF OMITTED] 44368.030

[GRAPHIC] [TIFF OMITTED] 44368.031

[GRAPHIC] [TIFF OMITTED] 44368.032

[GRAPHIC] [TIFF OMITTED] 44368.033

[GRAPHIC] [TIFF OMITTED] 44368.034

[GRAPHIC] [TIFF OMITTED] 44368.035

[GRAPHIC] [TIFF OMITTED] 44368.036

[GRAPHIC] [TIFF OMITTED] 44368.037

[GRAPHIC] [TIFF OMITTED] 44368.038

[GRAPHIC] [TIFF OMITTED] 44368.039

[GRAPHIC] [TIFF OMITTED] 44368.040

[GRAPHIC] [TIFF OMITTED] 44368.041

[GRAPHIC] [TIFF OMITTED] 44368.042

[GRAPHIC] [TIFF OMITTED] 44368.043

[GRAPHIC] [TIFF OMITTED] 44368.044

[GRAPHIC] [TIFF OMITTED] 44368.045

[GRAPHIC] [TIFF OMITTED] 44368.046

[GRAPHIC] [TIFF OMITTED] 44368.047

[GRAPHIC] [TIFF OMITTED] 44368.048

[GRAPHIC] [TIFF OMITTED] 44368.049

[GRAPHIC] [TIFF OMITTED] 44368.050

[GRAPHIC] [TIFF OMITTED] 44368.051

[GRAPHIC] [TIFF OMITTED] 44368.052

[GRAPHIC] [TIFF OMITTED] 44368.053

[GRAPHIC] [TIFF OMITTED] 44368.054

[GRAPHIC] [TIFF OMITTED] 44368.055

[GRAPHIC] [TIFF OMITTED] 44368.056

[GRAPHIC] [TIFF OMITTED] 44368.057

[GRAPHIC] [TIFF OMITTED] 44368.058

[GRAPHIC] [TIFF OMITTED] 44368.059

[GRAPHIC] [TIFF OMITTED] 44368.060

[GRAPHIC] [TIFF OMITTED] 44368.061

[GRAPHIC] [TIFF OMITTED] 44368.062

[GRAPHIC] [TIFF OMITTED] 44368.063

[GRAPHIC] [TIFF OMITTED] 44368.064

[GRAPHIC] [TIFF OMITTED] 44368.065

[GRAPHIC] [TIFF OMITTED] 44368.066

[GRAPHIC] [TIFF OMITTED] 44368.067

[GRAPHIC] [TIFF OMITTED] 44368.068

[GRAPHIC] [TIFF OMITTED] 44368.069

                                 
