This week, the Department of Homeland Security’s inspector general said in an oversight report that U.S. Customs and Border Protection (CBP) officials have failed to use adequate cybersecurity measures and safeguards to protect travelers’ data. The report says that from July 2017 to December 2019, personal data was left vulnerable to hackers in the Mobile Passport Control (MPC) app used by over 10 million U.S. and Canadian citizens. Specifically, the agency did not conduct security and privacy reviews/assessments, nor implement protective hardware/ software settings.

The report surmises, “Unless CBP addresses these cybersecurity vulnerabilities, MPC apps and servers will remain vulnerable, placing travelers’ [personal information] at risk of exploitation.”

The Office of the Inspector General made the following eight recommendations, which the CBP agreed to implement:

1: Update policies and procedures to ensure CBP scans all app update versions and that they are scanned prior to release by developers.

2: Update policies and procedures to codify scan processes and define the roles and responsibilities necessary to ensure scans are complete as required, and review those scan results for vulnerabilities.

3: Update the policies and procedures to include processes to conduct required security and privacy compliance reviews on a specific schedule and timeframe, track reviews completed, and centrally store review documentation.

4: Receive all necessary information from developers to complete an adequate privacy and security assessment.

5: Develop a capability to review access logs, define the periodic review time frame, and perform the required reviews according to the defined time frame.

6: Complete the required privacy evaluation review.

7: Update the policies and procedures to include a process to conduct internal audits and perform the required audits.

8: Adhere to DHS policy and fully implement the Defense Information Systems Agency Security Technical Implementation Guide control categories for the servers supporting the MPC program, request waivers as appropriate, or fully document any exception obtained when deviating from policy requirements.

View the full report here.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.