TSA asked to ensure safety of customer data after Clear closing

Computerworld - The chairman of the House Committee on Homeland Security has given the Transportation Security Administration until July 8 to explain how the agency plans to ensure the security of private data collected by a recently shuttered company that offered a registered traveler program.

In a letter to the TSA's acting assistant secretary, committee Chairman Bennie Thompson (D-Miss.) expressed his concern over the abrupt closure of Verified Identity Pass Inc.

For a $199 annual fee, New York-based VIP offered a service called Clear that was designed to help air travelers get through airport security checks faster by vetting their identities and backgrounds in advance.

VIP was the largest of seven private companies approved by the TSA to operate a registered traveler program. VIP announced it was ceasing operations on June 21 because of financial reasons. The announcement prompted immediate concerns about the privacy and security of the detailed personal identity information, including fingerprints, iris scans and digital images, the company had collected on its approximately 260,000 customers.

In his letter last Friday, Thompson expressed similar concerns over the "handling" of personal identity data in the aftermath of the Clear shutdown. Though the registered traveler program is run by private companies, it is authorized by the TSA, which set specific requirements for the operators to follow, Thompson said. The requirements included the need for every operator of the service to collect details such as full legal names, home address, date and place of birth, gender, height, driver's license number, passport details and other information.

At the same time, the agency appears to have been silent on what steps should be taken if a company that collects the data were to go out of business, merge or be acquired by another company, Thompson noted.

"We are concerned about the security and safety of the information currently held by Clear," Thompson wrote. He asked the TSA to explain what role it will play in ensuring that "adequate privacy protections are in place prior to any disposition of the personally identifiable information." He also asked whether VIP had informed the TSA about its plans to shut down Clear, and whether the agency had asked the company about its plans for securing the personal data.

A TSA spokesman said the agency is in the process of drafting a response to Thompson's letter. The spokesman also pointed to an FAQ that the TSA posted on its Web site on Monday that directed questions about the Clear program back to the vendor.

"CLEAR has assured TSA that it is appropriately safeguarding the data," the FAQ noted. It also said that registered traveler service providers are required to use any collected data solely for the purpose for which it was intended unless customers had "expressly opted-in to other uses."

VIP, after initially offering no details on its plans for the collected data, has been more forthcoming over the past few days. In a note posted on the company's Web site, VIP assured customers that their information is being secured in conformance with the TSA's security and privacy requirements. The note also said that the company is using a "triple wipe" process to completely erase hard disks containing customer data at airports.

In addition, Lockheed Martin, the lead systems integrator for the Clear program, "remains committed" to protecting the privacy of information stored on VIP's central databases, the note said.

Despite such assurances, the company left open the possibility that the data could end up being acquired or sold to a third party, but only if it was going to be used for a registered traveler program.

"If the information is not used for a Registered Traveler program, it will be deleted," VIP said.

Read more about Security in Computerworld's Security Topic Center.