(IOB Ufll GffifillBuUlfi Barry Colmirr Adimtted DC. MD, VA Emmi -- February 6. 2014 Ms. Karen Neuinari Chief Privacy Officer Department ofl-lomeland Security Washington, DC 20528 Re: BEBE-I Resciglthe LefleLemengr-s and Border Protection, Office of Internal Affairs lnformatinnesliaring Pilot Dear Ms. Neulnan. We represent James Tornsheck, the Assistant for the Office of Internal Affairs of Customs and Border Protection since June 2006 We respectfully request that the Department ofHoineland Security's Privacy Office (the "anacy Office") rescind the July 18, 2012 Letter by Mary Callahan (the "Callahan Letter" or "Letter"? concerning the SAREX Pilot.1 The Callahan Letter, which concerns the lA's handling of personally identifying erroneously found Mr Tornsheck in Violation of certain guidelines and goes well beyond the scope of any legitimate privacy concerns by questioning Mr Tomsheck's overall leadership The Callahan Letter has lmrmed and continues to harm Mr Toinsheck's reputatloir Accordingly, we respectfully request Withdrawal of the Callalrair Letter, on alternatively, that the Privacy Office issue a clarifying opinion regarding Mr. Tomsheck's efforts pursuant to the SAREX Pilot Backgrouan Mr Tomslie ck initiated the SAREX Pilot in connectlon With the CBP's expanded luring initiatives The SAREX Pilot was designedto comprehensively vet the integrity of prospective and cluieirt CBP employees It did so by harnessing the databases of other federal law enforcement agencies. By leveraging existing information, the SAREX Pilot rdennfied potennal vulnerabilities among potential and exrsting CBP employees Mr Tomshe ck spearheaded the SAREX pilot in an effort to maintain quality control while CBP The SAREX Pilot refers to the SAR Explortatzlon Imhathe Pilot Ms. Karen Neuman February 6, 2014 Page 2 ______________________ was attempting to aggressively expand the CBP frontline law enforcement officers, and during a time in which there was a significant increase in corruption arrests in CBP. Importantly, the Federal Bureau of Investigation (“FBI”) supported the SAREX Pilot. Information sharing with the FBI was necessary in order to utilize the comprehensive information compiled by the FBI in conducting periodic reviews. All of the information that Mr. Tomsheck’s office provided to the FBI was already in the FBI’s possession from the periodic reinvestigation process. The Callahan Letter The “Callahan Letter” appears to be highly unusual. Based on our knowledge, and to the knowledge of Mr. Tomsheck, this published admonishment is unprecedented. Mary Ellen Callahan, the previous Chief Privacy Officer for the Privacy Office of the Department of Homeland Security, issued the Callahan Letter on July 18, 2012 at the direction of Thomas Frost, the former chief investigator for the Office of Inspector General for DHS (“DHS OIG”). This is particularly relevant given that Mr. Frost and Deputy John Ryan, also from DHS OIG, were investigated for, among other things, promulgating erroneous reports of investigative activity as to misconduct cases involving DHS employees. For this reason, according to our understanding, Mr. Frost and Mr. Ryan subsequently were placed on administrative leave. Mr. Tomsheck himself was granted whistleblower status, and it appears that the Callahan Letter may be a form of retaliatory activity.2 Ms. Callahan determined in her letter, attached here, that she had “serious concerns about how the SAREX pilot was conducted and specifically about the attitude of CBP IA leadership.” Moreover, she observed that Mr. Tomsheck “seemed to believe that CBP IA’s mission exempts it from following applicable privacy law and DHS privacy policy.” She concluded, “I believe this attitude is likely to result in a culture of non-compliance in CBP IA.” The Callahan Letter fails to appreciate fully the context under which the SAREX Pilot arose, including the challenges in vetting the integrity of CBP employees and understanding the scope and magnitude of the various corruption issues. The Letter arose under troublesome circumstances, apparently aimed at impeding Mr. Tomsheck from vetting the integrity of CBP employees. 2 Mr. Tomsheck has been retaliated against on a prior occasion. In or around October 2011, the then-Deputy Commissioner for CBP lowered Mr. Tomsheck’s rating score, despite the fact Mr. Tomsheck exceeded all of his performance objectives for that year. That retaliatory action subsequently was overturned. Ms. Karen Neuman February 6, 2014 Page 3 ______________________ Concerns about the Callahan Letter The Callahan Letter levies serious allegations against Mr. Tomsheck, and overreaches by questioning his overall leadership and integrity even though the letter purportedly was limited to an evaluation of his compliance with various privacy guidelines. Mr. Tomsheck was attempting to discharge his duties of maintaining the integrity of the hiring process, ensuring that qualified and uncompromised individuals were hired. The SAREX Pilot was initiated to deal with concerns regarding growing corruption among employees and prospective employees deployed around the Southwest Border. As a practical matter, the CBP hiring schedule was so aggressive that SAREX had to be implemented quickly and effectively. Any deviations, therefore, from the standard privacy practices of the office arose from this urgency. It was not, as the letter suggests, a flagrant disregard of any such practices. Indeed, Mr. Tomsheck made good faith efforts to comply, as evidenced by the fact he secured the information via encryption of Excel files. That, in fact, appeared to be the established protocol at the time. Mr. Tomsheck also sought advice regarding concerns about the privacy issues from his own general counsel. The subjects of the SAREX pilot also were informed that the reinvestigation was occurring. Such notice appears to be inconsistent with the allegation that CBP IA “never sought nor received a response regarding any CBP employees” and that certain individuals “had not provided consent for a PR [Periodic Reinvestigation] by signing their Electronic Questionnaires.” The Callahan Letter, moreover, failed to account for systemic issues outside of Mr. Tomsheck’s control. It raised the following concerns: (1) failing to ensure that employee information transmitted to the FBI was limited to the Southwest Border; and (2) sending information to the FBI for employees who were not even due for a PR. 3 These concerns relate to the Integrated Security Management System (“ISMS”), which is referenced in the Letter. The Letter recognizes that ISMS was not entirely up-to-date, but does not note that the aforementioned issues were problems related to ISMS, which had been newly implemented in 2010-2011. ISMS was managed and operated by the Chief Security Officer of DHS, and it therefore was outside Mr. Tomsheck’s purview.4 These systemic issues, contrary to the Letter’s implication, are far 3 DHS does appear now to be recognizing the importance of continuous monitoring, and as we understand it, will be redesignating certain CBP law enforcement positions as national security positions to allow for continuous monitoring, instead of only allowing reinvestigations every five years. 4 For example, ISMS was not fully up to date and would list an agent as deployed in Tucson, Arizona, when, in actuality, he had been moved to Dublin, Ireland. Similarly, premature or Ms. Karen Neuman February 6, 2014 Page 4 ______________________ from a flagrant disregard for the privacy regulations. All it shows is a deficiency of a database that was outside Mr. Tomsheck’s control. The Letter also takes issue with the way the PIIs were transmitted. The encryption methods, based on our review, were, at the time, non-mandatory guidelines. Mr. Tomsheck transmitted the PIIs via an encrypted Excel spreadsheet that was password protected, and the passwords were subsequently transmitted in a separate communication, consistent with DHS privacy practice. Based on a review of the DHS privacy memoranda, this appears to have been sufficient.5 The Callahan Letter also omits the fact that the FBI already possessed the information CBP IA was transmitting. Conclusion The Callahan Letter emerged during a time when Thomas Frost and John Ryan, from the DHS OIG, opposed SAREX. Mr. Frost made the complaint regarding potential privacy issues, and also directed the Privacy Office to conduct its investigation and possibly craft the Letter itself. The Letter itself is an unprecedented and overreaching opinion. It chastises Mr. Tomsheck for attempting to discharge his duties in a challenging situation. Accordingly, we respectfully request that the Letter be withdrawn or be appropriately clarified. Sincerely, Barry Coburn untimely periodic reinvestigations occurred because ISMS was not completely current as to when the most recent reinvestigation had been conducted. 5 Notably, the methods of encryption Ms. Callahan assumes are mandatory appear, rather, to be advisory. Nowhere in the memoranda is it mandated that encryption be accomplished solely by those means. Ms. Karen Neuman February 6, 2014 Page 5 ______________________ cc: Adam Lee FBI Section Chief, Public Corruption and Civil Rights Thomas S. Winkowski Acting Commissioner of Customs and Border Protection