U.S. Customs and Border Protection Failed to Adequately Secure and Protect Traveler Data

Robinson+Cole Data Privacy + Security Insider

This week, the Department of Homeland Security’s inspector general said in an oversight report that U.S. Customs and Border Protection (CBP) officials have failed to use adequate cybersecurity measures and safeguards to protect travelers’ data. The report says that from July 2017 to December 2019, personal data was left vulnerable to hackers in the Mobile Passport Control (MPC) app used by over 10 million U.S. and Canadian citizens. Specifically, the agency did not conduct security and privacy reviews/assessments, nor implement protective hardware/ software settings.

The report surmises, “Unless CBP addresses these cybersecurity vulnerabilities, MPC apps and servers will remain vulnerable, placing travelers’ [personal information] at risk of exploitation.”

The Office of the Inspector General made the following eight recommendations, which the CBP agreed to implement:

1: Update policies and procedures to ensure CBP scans all app update versions and that they are scanned prior to release by developers.

2: Update policies and procedures to codify scan processes and define the roles and responsibilities necessary to ensure scans are complete as required, and review those scan results for vulnerabilities.

3: Update the policies and procedures to include processes to conduct required security and privacy compliance reviews on a specific schedule and timeframe, track reviews completed, and centrally store review documentation.

4: Receive all necessary information from developers to complete an adequate privacy and security assessment.

5: Develop a capability to review access logs, define the periodic review time frame, and perform the required reviews according to the defined time frame.

6: Complete the required privacy evaluation review.

7: Update the policies and procedures to include a process to conduct internal audits and perform the required audits.

8: Adhere to DHS policy and fully implement the Defense Information Systems Agency Security Technical Implementation Guide control categories for the servers supporting the MPC program, request waivers as appropriate, or fully document any exception obtained when deviating from policy requirements.

View the full report here.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.