Morning Security Brief: White House Announces Cybersecurity Plan, TWIC Fails a Test, and DHS Must Keep Accurate Records
The Obama Administration launches its new cybersecurity plan, the government's port security credential is questioned, and the government can be held liable for keeping inaccurate computer records.
♦ President Obama’s new cybersecurity plan urges government officials to work with private industry to share information about security breaches and new cyberthreats. The plan would also establish a federal data breach reporting law, providing a unified set of steps to replace the patchwork of 47 existing state laws. Those operating critical infrastructure would work with the government to prioritize cyberthreats and propose risk mitigation strategies.
♦ The Transportation Security Administration (TSA) has failed to put the internal controls in place to protect its Transportation Worker Identification Credential (TWIC) program, according to a report by the Government Accountability Office (GAO). The GAO found that the TWIC program, designed to protect maritime and port facilities by limiting access to prescreened individuals, did not include steps to ensure that foundation documents such as birth certificates and driver’s licenses were authentic. The report noted that the TSA sends photocopies of the documents to a third party for verification but that many security features, such as holograms, cannot be verified from a photocopy. In a covert testing program, GAO was able to access secure areas of ports using counterfeit TWIC cards and TWIC cards obtained fraudulently.
♦ The Department of Homeland Security (DHS) may not exempt itself from violations of the federal Privacy Act, according to a federal appeals court. The case stemmed from an incident in 2006 in which Julia Shearson and her four-year-old daughter were detained as they tried to enter the United States from Canada. Shearson was handcuffed at gunpoint and separated from her daughter. After being questioned for several hours, Shearson was reunited with her daughter. Shearson’s name had erroneously appeared in a federal database as “armed and dangerous.” Shearson sued DHS under the Privacy Act, claiming that the agency was responsible for the false information in its database. The DHS claimed it had exempted itself from lawsuits based on inaccurate computer data. The U.S. Court of Appeals for the Sixth Circuit found in favor of Shearson, sending the case to trial on its merits. The appellate court ruled that the DHS could not exempt itself because the Privacy Act clearly states that the government must provide civil remedies for failure to keep accurate records.