WASHINGTON -- The Department of Homeland Security has finalized a new rule that broadens its ability to investigate insider threats by eliminating key Privacy Act protections for all past and current employees regardless of their security clearance.
The department said Tuesday that removing the privacy protections from the Insider Threat Program, which aims to fight threats to the agency from its employees, is necessary to conduct criminal, civil and administrative enforcement. The Privacy Act provisions alert the subject of an investigation of its existence, the Department Homeland Security said, undermining law enforcement efforts and compromising an investigation's confidentiality.
The rule also allows the agency to expand the scope of employee information collected to include things that may not be necessary or relevant.
"It is impossible to determine in advance what information is accurate, relevant, timely and complete," the department said.
Originally, the program focused on the unauthorized disclosure of classified information by only employees with active security clearances.
In June, the Department of Homeland Security announced that it would broaden the Insider Threat Program to investigate all individuals who have ever been involved with department facilities, information, equipment, networks or systems. It will cover all records the agency perceives as being a threat to information security, personnel security or systems security.
The Department of Homeland Security has been plagued by a slew of allegations from whistleblowers inside the agency in recent months. Last month, an intelligence employee was silenced about Russian interference in the U.S. election because it "made the president look bad," according to his formal whistleblower complaint. The complaint alleged that senior Homeland Security officials asked analysts to alter intelligence reports in support of the administration's political agenda.
Also in September, a whistleblower said Immigration and Customs Enforcement performed hysterectomies on immigrant women at the Irwin County Detention Center in Georgia. The complaint alleged "jarring medical neglect" including refusal to test detained immigrants for COVID-19, shredding medical requests and fabricating medical records.
A critic of the new rule said the Insider Threat Program has repeatedly been misused to target whistleblowers.
"We've seen insider threat programs either target or vilify whistleblowers who made lawful protected disclosures to protected audiences who are cleared to receive those disclosures," said Tom Devine, legal director of the whistleblower advocacy group the Government Accountability Project.
The rule will allow the Department of Homeland Security to silence would-be whistleblowers from speaking up about alleged waste, fraud or abuse, Devine said.
Members of the public who commented on the rule during the official comment period said the exemptions evade Privacy Act safeguards, allowing the collection of records that are irrelevant and unnecessary while preventing individuals from accessing them and failing to disclose how they obtained them. Another commenter proposed that the Department of Homeland Security limit the scope of information collected, exclude individuals not under investigation and eliminate routine uses.
In response to the comments, the department said it "strives to be transparent regarding all insider threat collections and uses," but that the rule will remain in place.
Implementing the final rule means insider threat investigators won't need to inform Homeland Security employees that their information is being collected or ask for their consent. Doing so would impair ongoing investigations by potentially revealing witnesses or evidence, the department said. Giving employees access to records would be "detrimental to homeland security," agency officials said.
The department will be permitted to collect data not directly relevant to internal threats.
"In the interests of effective law enforcement, it is appropriate to retain all information that may aid in establishing patterns of unlawful activity," officials said.
Devine said information exempted from the Privacy Act can be used to retaliate against whistleblowers.
"They'll have a blemish on their record that could impact their security clearance or their status as an insider threat," he said.