The Department of Homeland Security (DHS) has issued a new rule that will expand its insider threat program to cover “the categories of individuals to all individuals who have or had access to the Department’s facilities, information, equipment, networks, or systems.”
The final rule issued by the agency amends regulations to exempt portions of the DHS/All-038 Insider Threat Program System of Records from certain provisions of the Privacy Act.
Back in June, DHS announced a policy change that expanded the insider threat program to increase coverage to include those with past or current access to DHS information regardless of security clearance. The new rule covers all past and current DHS employees, contractors, and others who have access to agency systems.
In a Federal Register notice, DHS outlines the broadening of the insider threat program, and clarifies that the categories of records in the issued notice “will be modified to cover records from any DHS component, office, program, record, or source, including records from information security, personnel security, and systems security for both internal and external security threats.” It also clarifies and expands on “several previously issued routine uses.”
DHS sought public comment on the System of Records Notice and the Notice of Proposed Rulemaking that led to the rule change.
One commenter argued that DHS’ proposed use of these exemptions would circumvent Privacy Act safeguards and allow DHS to collect records that are not relevant and necessary, fail to disclose its sources of records, and prevent individuals from accessing and amending their records. DHS said it believes the final rule justifies the use of exemptions, but will strive to be as transparent as possible regarding all insider threat collections and uses.
