TSA suspends Registered Traveler enrollments

The Transportation Security Administration has suspended new enrollments for the largest vendor in the Registered Traveler program following the company's loss of a laptop PC that contained unencrypted personal information on 33,000 participants in the program.

The TSA said the vendor, Verified Identity Pass Inc., was found to be “not in compliance” with the agency’s requirement to encrypt sensitive personal information submitted by applicants and enrollees, according to TSA spokeswoman Ann Davis. Although the agency has authority to suspend the program overall and impose civil penalties, Davis said today that neither of those additional actions is being considered now.
 
The laptop was stolen from a locked office at San Francisco International Airport, Verified Identity Pass said in a statement. The personal information the laptop contained is protected by two levels of password protection and does not include Social Security numbers, biometric data or credit card information, the company said. The individuals affected were mostly new applicants along with a few members seeking re-enrollment.
 
“We don’t believe the security or privacy of these would-be members will be compromised in any way,” Steven Brill, chief executive of the company, said in a statement.
 
The Registered Traveler program operates as a partnership between TSA, private vendors, and airport authorities. The enrollees pay a fee, supply personal information and undergo a background check, and then receive expedited service through security checkpoints at 17 participating airports. The enrollees verify their identities at airports through use of a biometric identification card. Verified Identity Pass said it has about 200,000 enrollees in the program.

The TSA said it started the suspension following the loss of the computer on July 26. The agency said it has instructed Verified Identity Pass to notify all the individuals whose data was stored in the computer, and to cease use of unencrypted computers until encryption can be installed. The agency also notified airport authorities to ensure their cooperation.
 
The company will be required to submit an independent audit showing that encryption is in place, and TSA will check the audit, before enrollment can resume. The actions do not affect current operations or current enrollees of Registered Traveler, TSA officials said.

The information on the missing laptop includes applicants’ names, addresses, birth dates and, for some applicants, driver’s license numbers, passport numbers or alien registration card numbers, the company said. The company said it provides identity theft warranty protection to cover damages from the loss of data.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
