WASHINGTON — The Department of Homeland Security finalized a new rule Tuesday that broadens its ability to investigate insider threats by eliminating key Privacy Act protections for all past and current employees regardless of their security clearance.
DHS said removing the significant privacy protections from the Insider Threat Program, which aims to fight threats to DHS from its employees, is necessary to conduct criminal, civil and administrative enforcement. The Privacy Act provisions alert the subject of an investigation of its existence, DHS said, undermining law enforcement efforts and compromising an investigation’s confidentiality.
The rule also allows the agency to expand the scope of employee information collected to include things that may not be necessary or relevant.
“It is impossible to determine in advance what information is accurate, relevant, timely and complete,” DHS said.
Originally, the program focused on the unauthorized disclosure of classified information by only employees with active security clearances.
In June, DHS announced that it would broaden the Insider Threat Program to investigate all individuals who have ever been involved with DHS facilities, information, equipment, networks or systems. It will cover all records that DHS perceives as being a threat to information security, personnel security or systems security.
DHS has been plagued by a slew of allegations from whistleblowers inside DHS in recent months. Last month, an intelligence employee was silenced about Russian interference in the U.S. election because it “made the president look bad,” according to his formal whistleblower complaint. The complaint alleged that senior DHS officials asked analysts to alter intelligence reports in support of the administration’s political agenda.
Also in September, a whistleblower claimed that Immigration and Customs Enforcement performed hysterectomies on immigrant women at the Irwin County Detention Center in Georgia. The complaint alleged “jarring medical neglect” including refusal to test detained immigrants for COVID-19, shredding medical requests and fabricating medical records.
A critic of the new rule said the Insider Threat Program has repeatedly been misused to target whistleblowers.
“We’ve seen insider threat programs either target or vilify whistleblowers who made lawful protected disclosures to protected audiences who are cleared to receive those disclosures,” said Tom Devine, legal director of the whistleblower advocacy group the Government Accountability Project.
The rule will allow DHS to further clamp down on whistleblowing by silencing would-be whistleblowers from speaking up about alleged waste, fraud or abuse, Devine said.
Members of the public who commented on the rule during the official comment period said the exemptions evade Privacy Act safeguards, allowing the collection of records that are irrelevant and unnecessary while preventing individuals from accessing them and failing to disclose how they obtained them. Another commenter proposed that DHS limit the scope of information collected, exclude individuals not under investigation and eliminate routine uses.
In response to the comments, DHS said it “strives to be transparent regarding all insider threat collections and uses,” but that the rule will remain in place.
Implementing the final rule means insider threat investigators won’t need to inform DHS employees that their information is being collected or ask for their consent. Doing so would impair ongoing investigations by potentially revealing witnesses or evidence, DHS said. Giving employees access to records would be “detrimental to homeland security,” agency officials said.
DHS will be permitted to collect data not directly relevant to internal threats.
“In the interests of effective law enforcement, it is appropriate to retain all information that may aid in establishing patterns of unlawful activity,” DHS said.
Devine said information exempted from the Privacy Act can be used to retaliate against whistleblowers.
“They’ll have a blemish on their record that could impact their security clearance or their status as an insider threat,” he said.