Suspicious Activity Reporting Final Rule

The Department of Homeland Security published their final rule to amend its regulations to exempt portions of a newly established system of records titled, “Department of Homeland Security/ALL – 031 Information Sharing Environment, in the Federal Register today. This rule goes into effect today.

This follows the submission of an NPRM back in September, upon which I previously reported. DHS received a few comments, mostly supportive, on that NPRM and they address those comments in the preamble to this final rule, clarifying a number of issues.

Justice Department Program

One important area of clarification that DHS makes in this rule document is that the underlying program that this rule supports, the Nationwide Suspicious Activity Reporting Initiative (NSI), is overseen by the Department of Justice (DOJ). Thus DHS is required to adhere “to the requirements established by the NSI requiring participants to apply the ISE-SAR Functional Standard Version 1.5 in determining whether a suspicious activity is an ISE-SAR” (75 FR 79947).

This clarification also has applications to the definition of one of the controversial terms used in the NPRM. The NPRM described the people who might have access to the collected information as “federal departments and agencies, state, local and tribal law enforcement agencies, and the private sector [emphasis added]” (75 FR 55290). In the preamble to this rule DHS explains that it “does not maintain a list of private sector partners or entities who are authorized NSI participants” as that responsibility rests with the DOJ system managers.

FOIA

One commentor wanted DHS to clarify which items of information would be protected under the Freedom of Information Act, requesting blanket exception be described for certain classes of information. DHS responded that this rule does not provide any exceptions to the FOIA disclosure rules. They also note that the “FOIA currently does not provide for a standard “blanket exception” for ISE-SARs data filed by a private-sector entity reporting an information-security related attack” (75 FR 79949).

DHS does note that that if an FOIA request was received asking for disclosure of information about a reported cyber security attack by a private sector organization that the current FOIA rules, for example “Exemption 4 which applies to trade secrets and commercial or financial information obtained from a person that is privileged or confidential may apply in this instance), would be applied when processing that request.

Personally Identifiable Information

A comment was received questioning the protection of personally identifiable information in the DHS ISE-SAR program. Again, DHS reminds the commentor that the use of personally identifiable information in the NSI is not governed by DHS rules. DHS does maintain that the information that it enters into the system will be via the “Summary ISE-SAR Information format, which excludes privacy fields or data elements that contain PII as identified in Section IV of the ISE-SAR Functional Standard”.

Further Questions

DHS notes that anyone with additional general questions about this rule and the associated “Department of Homeland Security/ALL – 031 Information Sharing Environment Suspicious Activity Reporting Initiative System of Records” should contact the DHS Office of Intelligence and Analysis or the DHS Privacy Office.