Memo from Deputy Attorney General Eric Holder
to Inspectors General
Directing Them to Refer Potential Violations of Federal Privacy Statutes to the
Department of Justice for Investigation and Prosecution

October 18, 1999


Dear Inspector General:
 
In the Information Age, many Americans are becoming increasingly concerned about their loss of individual privacy.  Although information technologies bring important benefits, from fostering economic growth to improving health and education, when improperly used, they can infringe upon cherished rights of individual privacy.  This is particularly true with respect to governmental agencies.  Whether to provide health care, educate our children, protect public safety, or provide assistance to low-income individuals, Federal, state, and local governmental agencies collect, maintain, and share significant amounts of sensitive personal information.  The public shares this data with government with the expectation that it will only be used for appropriate governmental functions and in strict compliance with applicable privacy laws.

A number of Federal laws have been enacted to prevent and protect against the inappropriate collection, use, and disclosure by governmental agencies of sensitive personal information.  For example, the Privacy Act (5 U.S.C. §552a) establishes fair information practices governing the collection, use, and disclosure of individually identifiable information by Federal agencies.  Knowing and willful violations of the Privacy Act may be punished by criminal prosecution.

Recently, Congress amended the computer crime statute to provide criminal penalties for governmental employees who knowingly access a computer in excess of their authority.  See 18 U.S.C. §1030(a)(2).  This means that the employee accessed a computer with authorization, but used that access to improperly obtain access to or alter information.  18 U.S.C. § 1030(e)(6).  The amendments were passed in response to reports of widespread instances of government employees accessing information in governmental computers (such as the DOJ National Crime Information Center or IRS tax records) for illegitimate reasons.  Under the new provisions, such violations are punishable by fine and up to a year in prison.  Where the violations are for personal financial gain, commercial advantage, in furtherance of any criminal or tortious act, or the value of the information exceeds $5,000, they are punishable by fine and up to 5 years in prison.  Violations which occur after a conviction for another offense under this section are punishable by fine and up to 10 years in prison.

Federal law also protects other specific information from unauthorized access and disclosure by governmental employees.  The unauthorized disclosure of taxpayer information, for instance, violates 26 U.S.C. §7213 and is punishable by a fine of up to $5,000 and up to 5 years in prison.

Although some violations, such as those resulting from mere inadvertence, are appropriately handled through administrative processes, should your agency develop evidence that an employee has violated the criminal provisions of one of these privacy laws, particularly where the violation is committed for personal financial gain, commercial advantage, in furtherance of a criminal or tortious act, or involves a repeat offense or serious abuse of the public’s trust, I would encourage you to refer the matter to the local U.S. Attorney’s Office for appropriate action.  In the event your agency is not able to investigate the matter, please forward the matter to the local FBI office.  In addition, to ensure that the Department of Justice properly focuses on these matters, we request that you forward a copy of any such referral to the appropriate individual listed below:

 For 1030(a)(2) offenses:

  Chief, Computer Crime & Intellectual Property Section
  Criminal Division
  U.S. Department of Justice
  Washington, DC  20530

 For Tax Offenses:

  Chief, Criminal Enforcement Office
  Tax Division
  U.S. Department of Justice
  Washington, DC  20530

 For Privacy Act Violations:

  Chief, Public Integrity Section
  Criminal Division
  U.S. Department of Justice
  Washington, DC  20530
 
The Department of Justice is committed to enforcing federal privacy laws, particularly those protecting against the abuse of information collected and maintained by governmental agencies.  If you have any questions about this issue, please do not hesitate to contact John Bentivoglio, Chief Privacy Officer, Department of Justice, (202) 514-2707.
 
       Sincerely,
 
 

       Eric H. Holder, Jr.

 



Updated page December 3, 1999