C-TPAT – Data Privacy Issues


Dear Friends:

We thought you should be aware of a recent development related to participation in the Customs-Trade Partnership Against Terrorism (“C-TPAT”) program.

Earlier this week, the Department of Homeland Security (“DHS”) proposed to (1) establish and maintain a new system of records concerning C-TPAT partners (i.e., members) and other entities and individuals within their supply chains, and (2) share this information with other parties, including other federal, state and local agencies and foreign governments. The public has 30 days to submit comments on these proposals, which are summarized below and attached here for your reference:

C-TPAT Notice 2013-05673

C-TPAT Notice

The new DHS system will collect information, including personally identifiable information (e.g., U.S. Social Security Numbers, IRS Business Identification Numbers, etc.) about current, prospective and former C-TPAT partners and other entities within their supply chains, as well as C-TPAT applicants that were determined to be ineligible for the program. The system will include information provided to DHS by C-TPAT applicants, including the applicants’ Supply Chain Security Profiles (which can be managed by the applicants/C-TPAT partners on a secure public portal). The information will also include derogatory vetting results, which are incorporated by DHS into “issue papers”. The latter category of information will be stored separately from the public portal on an internal C-TPAT SharePoint and will be accessible only by U.S. Customs and Border Protection (“CBP”) employees. The information collected will be retained for the period of active membership of a C-TPAT partner, plus five years. If there is information concerning the potential ineligibility of an applicant, this information will be retained for at least an additional 25 years.

DHS proposes to share the information described above with other federal, state, local, tribal, territorial, foreign or international government agencies on a “need to know” basis for the purposes of carrying out national security, law enforcement, immigration, intelligence or other homeland security functions. The proposal includes a list of parties that DHS may disclose the information to, including, among others:

  • The Department of Justice or other federal agencies conducting litigation, when it is relevant or necessary to the litigation and the United States, any agencies thereof or DHS employees are parties to, or have an interest in, the litigation;
  • Agencies or organizations for the purpose of performing audits or oversight operations authorized by law;
  • Foreign governments pursuant to arrangements between CBP and the foreign governments regarding supply chain security;
  • Third parties during the course of a law enforcement investigation, if necessary to obtain information pertinent to the investigation; and
  • The news media and public when there exists a legitimate public interest in the disclosure of the information.

If an individual applicant/C-TPAT partner requests its data, DHS will provide the individual’s application data and final membership determination. DHS, however, intends to claim exemptions from the Privacy Act of 1974 (5 U.S.C. §552a) to allow it not to disclose to an individual the fact that a law enforcement agency has sought particular records. In addition, DHS will not disclose to an individual applicant information regarding the potential ineligibility of the applicant for C-TPAT membership and any resulting issue papers.

These proposals are the latest example of how the C-TPAT program continues to evolve. As you know, C-TPAT is not authorized by statute or governed by any regulations. It was intended in the wake of 9/11 to be a voluntary government-private sector partnership. Over the past few years, however, the program has evolved from one that provided a certain amount of flexibility in implementation, to one that now contains much more rigid requirements.

While all companies should take steps to secure their international supply chains, participating in the program needs to be a decision point. Those that are considering applying for C-TPAT membership should carefully weigh the purported benefits of the program against the current (and constantly changing) requirements. We have a great deal of experience assisting clients obtain C-TPAT membership, conduct the required risk assessments and survive CBP supply chain verifications (including dealing with the inevitable CBP findings). We also have experience assisting compliant companies that have decided for a variety of reasons to withdraw from the program, do so successfully. If you have any questions about any of these issues, please let us know.

Best regards,



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s