The Homeland Security Department acknowledges, in a privacy impact assessment (.pdf) updated Aug. 12, that the National Infrastructure Coordinating Center runs the risk of collecting and retaining more personally identifiable information than is needed for terrorism-related or criminal activity reports.

The NICC produces "Patriot Reports" when it receives possible evidence of suspicious activity around critical infrastructure. The reports are transmitted to other national security components, such as FBI, Justice Department and the DHS National Operations Center--potentially leading to the unauthorized use of the PII, according to the assessment.

Information collected from suspicious activity reporting that's transferred to a Patriot Report can include the reporting individual's contact information such as name, address, home phone or work phone. "An 'Amplifying Information' section, based on the information provided by the submitter, provides a contextual narrative of the event and as available: name, alias, height, weight, sex, build, race, complexion, eye color, hair color, hair style/length, ethnicity, distinguishing features and personal identifiers (e.g., driver's license number, passport, Social Security number, etc.) of the person(s) engaged and/or connected to the suspicious activity," according to the privacy impact assessment.

The risks associated with PII transmission are mitigated by the generation of both a redacted and an un-redacted NICC Patriot Report, the assessment adds.

"The redacted NICC Patriot Report, which has been scrubbed of any identifiable information including business information and PII, is distributed by posting to [Homeland Security Information Network-Critical Sectors]. The un-redacted NICC Patriot Report is disseminated internally to DHS and, externally to FBI and DOJ," explains the assessment.

The DHS document also seeks to justify the department's retention of PII records for 5 years if it is found to have a nexus to terrorism. If the record becomes part of an ongoing law enforcement investigation, it may be held for even longer. "Long periods of historical data is required to make good decisions on current events," according to the report.

For more:
- see the DHS privacy impact assessment (.pdf)

Related Articles:
IRS isn't always notifying taxpayers of PII breach, says TIGTA 
4,000 Social Security numbers potentially exposed in VA mismailing 
Hayden: Policymakers should consider a hardened, secure domain for critical services  
ACAMS cybersecurity weaknesses puts critical infrastructure data at risk, says OIG