The U.S. Secret Service’s most recent scandal spectacularly illustrates the need to enforce restrictions on access to databases housing confidential information. According to a September 25, 2015, report from the Office of Inspector General (OIG), on March 25, 2015, a U.S. House of Representatives committee held a hearing to address a breach of White House security protocol. At the hearing, Rep. Jason Chaffetz (R-Utah) displayed what one senior agent considered suspicious animus toward Secret Service Director Joseph Clancy. Eighteen minutes into the hearing, because he was “curious,” the agent accessed a Secret Service database containing prior employment applications and searched for “Jason Chaffetz.” The agent found and reviewed a record indicating that Rep. Chaffetz had applied for a position with the Secret Service 12 years prior, and had been rejected by the agency at the time. The record contained Rep. Chaffetz’s personally identifiable information, including his Social Security number and date of birth.
In its subsequent investigation, the OIG had no trouble concluding that the agent violated the Privacy Act (5 U.S.C. § 552a) when he reviewed Rep. Chaffetz’ application record. The OIG also had no trouble concluding that multiple separate violations of the Privacy Act occurred when the same information was accessed by and disseminated among at least 45 other Secret Service agents. Additional violations occurred after agency Assistant Director Ed Lowery, while referencing subpoenas that Chaffetz had just issued to the agency, suggested that “[s]ome information that he might find embarrassing needs to get out. Just to be fair.” And, when two days later, the media began reporting that Rep. Chaffetz had unsuccessfully applied for employment with the Secret Service, another agent admitted that he had accessed Rep. Chaffetz’ confidential records in order to confirm to reporters the accuracy of the media reports.
The full extent of the consequences from the Chaffetz incident is not yet known. But what the OIG discovered in its investigation of the incident was that the Chaffetz violations were not the only violations within the Secret Service. Indeed, a footnote to the OIG report describes a separate incident wherein an agent passed information regarding an application rejection on to a media reporter, and the report references “other instances of apparent unauthorized access” that are the subject of ongoing investigations. The OIG report is critical, not only of the persons who accessed and disseminated confidential information, but also of those who became aware of the misconduct and failed to stop it or report it to their superiors.
The September 25 OIG report is a timely reminder of the importance of securing access to confidential information, strictly enforcing rules requiring lawful purposes in accessing such information, understanding the various ways in which dissemination of the content of confidential information can be violative, and spotting and stopping improper dissemination when it occurs. The need for vigilance is just as imperative, whether the record holder is a government entity or a private enterprise, as the consequences to both victim and enterprise can be serious, public and costly.