Office of the Chief Information Officer

SOL – Litigation Support System – FY 2012

Overview

  • The system name and the name of the DOL component(s) which own(s) the system:
    This system is the Litigation Support Systems (LSS) and is owned by the Office of the Solicitor.
  • The purpose/function of the program, system, or technology and how it relates to the component’s and DOL mission:
    SOL represents the Secretary of Labor and the Department of Labor (DOL) agencies in all legal proceedings and in all federal courts, except the Supreme Court, in cases arising under statutes giving attorneys for the Secretary of Labor independent litigating authority. Litigation is performed within various statutes that permit DOL program agencies to accomplish their agency mission. LSS contains evidence documents to support specific trial litigation cases.

    The PIA document is being updated as part of the FY12 annual review process.
  • A general description of the information in the system.
    The Litigation Support Systems (LSS) are a collection of separate case-specific databases designed to assist attorneys with litigation cases. These databases house evidence documents to support litigation activities and allow full-text searching as well as organizing, viewing, coding and reporting of the documents. Each database incorporates a full-text search engine and document viewing capabilities using third-party applications.

    The life of the database is equal to the life of the case. Any number of databases may be active at any one time to support on-going discovery and litigation. Individual databases may be active for years since information may be subject to court orders or renewed investigations. Once the case is closed, the database is removed from the network and archived permanently.

The two major processes supported by the system are the loading of evidence documents, and the viewing and analysis of documents through full-text searching. The technology supporting these processes includes Adobe Acrobat Reader (viewing), dtSearch (searching) and MS Access (database). The databases may contain evidence documents such as payroll records, employment records and legal documents. At a given point in time, some information may be considered privileged. These evidence documents may contain personally identifiable information (PII).

  • A description of a typical transaction conducted on the system.
    The typical transaction involves an attorney accessing the system to view an evidence document. Using the search features of LSS, the attorney identifies relevant information on the document that can be used to support development of the litigation strategy.
  • Any information sharing conducted by the program or system.
    SOL shares information with DOL program agencies, opposing counsel and the court.
  • A general description of the modules and subsystems, where relevant, and their functions:
    The Litigation Support Systems contains the following modules:

    Adobe Acrobat – a document reader for viewing the evidence document
    dtSearch – a search engine for performing full text searches.
  • Where appropriate, a citation to the legal authority to operate the program or system.
    5 U.S.C. § 301. Departmental Regulations
  • A description of why the PIA is being conducted.
    The LSS contains PII on members of the public and therefore a Privacy Impact Assessment is required. An appropriate Privacy Act System of Records Notice (SORN) is published in the Federal Register. The Privacy Act requires that a SORN be published in the Federal Register when PII is maintained by a Federal agency in a system of records and the information is retrieved by a personal identifier. The system can retrieve PII by the specific personal identifier.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the system collects PII on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

The Litigation Support Systems collects PII on members of the public. These members of the public include claimants, complainants, beneficiaries, survivors, witnesses and parties that are relevant to the litigation case.

  • What are the sources of the PII in the information system?
    Evidence documents received as part of the discovery and trial litigation process are from parties to a case including plaintiff (claimants, complainants, beneficiaries, and survivors), defendant, opposing counsel and witnesses, and the DOL program agency who requested litigation support.
  • What is the PII being collected, used, disseminated, or maintained?
    • First and last name (member of the public)
    • Date of birth (member of the public)
    • Place of birth (member of the public)
    • SSN (member of the public)
    • Residential address (member of the public)
    • Personal phone number (member of the public)
    • Mailing address (member of the public)
    • Business address (member of the public)
    • Business phone number (member of the public)
    • Business e-mail address (member of the public)
    • Medical information (member of the public)
    • Legal documents (member of the public)
    • Payroll records (member of the public)
    • Employment records (member of the public)
    • Financial information (member of the public)
  • How is the PII collected?
    Evidence documents containing PII are collected as part of the discovery and trial litigation process through depositions, interrogations, interviews, and court ordered exchange of information.
  • How will the information be checked for accuracy?
    PII is contained within the evidence document. In many instances the accuracy of the information is validated as part of the litigation process and sometimes attested under oath as accurate by a party to the case.
  • What specific legal authorities, arrangements, and/or agreements defined the collection of information?
    PII is collected as part of the discovery and litigation process. SOL represents the Secretary of Labor and DOL agencies in all legal proceedings and in all federal courts, except the Supreme Court, in cases arising under statutes giving attorneys for the Secretary of Labor independent litigating authority. Litigation is performed within various statutes that permit DOL program agencies to accomplish their agency mission.
  • Privacy Impact Analysis
    The PII stored in the LSS is subject to minimal risk because it is well protected by implementation of numerous security controls as defined by NIST SP 800-53 Recommended Security Controls for Federal Systems. Privacy awareness is administered annually through the DOL Information System Security and Privacy Awareness Training. This required training is provided to all DOL employees and contractors. Even without specific training, however, the risk of unauthorized disclosure and unauthorized access to the LSS data is minimal due to the existing security controls in place at the network and application level.

    The following are NIST SP 800-53 security controls that mitigate the risks associated with the amount and type of data collected:
  • Technical Controls
    • Access Control (AC):
      • Access Control Policy and Procedures
      • Account Management
      • Access Enforcement
      • Separation of Duties
      • Least Privilege
      • Unsuccessful Login Attempts
      • System Use Notification
      • Session Lock
      • Supervision and Review – Access
    • Audit and Accountability (AU):
      • Audit and Accountability Policy and Procedures
      • Auditable Events
      • Content of Audit Records
      • Audit Monitoring, Analysis, and Reporting
    • Identification and Authentication (IA):
      • Identification and Authentication Policy and Procedures
      • Authenticator Management

  • Operational Controls
    • Physical and Environmental Protection (PE)
      • Physical and Environmental Protection Policy and Procedures
      • Physical Access Authorizations
      • Physical Access Control
    • Awareness and Training (AT)
      • Awareness and Training Policy and Procedures
      • Security Awareness
      • Security Training
    • Media Protection (MP)
      • Media Protection Policy and Procedures
      • Media Access
      • Media Storage
  • Management Controls
    • Risk Assessment (RA)
      • Risk Assessment Policy and Procedures

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

  • Describe all the uses of the PII:

    | PII | Use |
    |-----|-----|
    | First and last name, residential address, business address, business phone, business e-mail address, personal phone, mailing address | Used for communication purposes or to establish residency associated with litigation |
    | SSN, Date of birth, Place of birth | Used to confirm identity and ensure proper payment of back wages and other recoveries |
    | Legal documents, Employment records, Medical information, Financial information | Used to enforce DOL client agency statutes through litigation |

  • What types of tools are used to analyze data and what type of data may be produced?
    The tool used to analyze the evidence documents containing PII is dtSearch. This product is a full-text search engine. The data produced by the search is a list of match hits (items that satisfy the search criteria) with the ability to navigate to the specific match hit within the document.
  • Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
    No. The system does not perform these tasks.
  • If the system uses commercial or publicly available data, please explain why and how it is used.
    An evidence document containing PII could be a document that is commercially or publicly available such as a marriage certificate. This information may be used as part of the discovery or trial litigation process.
  • Privacy Impact Analysis
    The operational storage and use of PII can create the risk of unauthorized access and disclosure. The use of PII stored in the LSS is subject to minimal risk because it is well protected by numerous technical security controls at the network and application level. Privacy data is also protected by ensuring that privacy awareness training is provided annually by DOL. The following are NIST SP 800-53 security controls that mitigate the risks associated with use and storage of PII data:
  • Technical Controls
    • Access Control (AC):
      • Access Control Policy and Procedures
      • Account Management
      • Access Enforcement
      • Separation of Duties
      • Least Privilege
      • Unsuccessful Login Attempts
      • System Use Notification
      • Session Lock
      • Supervision and Review – Access
    • Audit and Accountability (AU):
      • Audit and Accountability Policy and Procedures
      • Auditable Events
      • Content of Audit Records
      • Audit Monitoring, Analysis, and Reporting
    • Identification and Authentication:
      • Identification and Authentication Policy and Procedures
      • Authenticator Management

  • Management Controls
    • Planning (PL)
      • Security Planning, Policy, and Procedures
      • Rules of Behavior
    • System and Services Acquisition (SA)
      • Systems and Services Acquisition Policy and Procedures
      • Software Usage Restrictions
      • Security Design Principles
  • Operational Controls
    • Awareness and Training (AT)
      • Security Awareness and Training Policy and Procedures
      • Security Awareness
      • Security Training
    • Media Protection (MP)
      • Media Protection Policy and Procedures
      • Media Access
      • Media Storage

Implementation of the above security controls is documented in the LSS System Security Plan (SSP). The SSP will address all of the control areas identified above, including how SOL employees are granted system access based upon their organizational role and need to know. The certification and accreditation process and continuous monitoring activities ensure that the implemented controls are operating effectively and producing the desired results.


Retention

The following questions are intended to outline how long information will be retained after the initial collection.

  • How long is information retained in the system?
    Each LSS database is for a specific litigation case. The database is maintained on the network as long as the case is active. At the conclusion of the case, the database is removed from the network and archived to CD/DVD once administrative closeout procedures have been completed.

    Information is retained in accordance with the SOL Records Schedule.
  • Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
    Yes. Records are retained and disposed of under the authority of the SOL Records Schedule contained on the DOL Website at: http://www.dol.gov/dol/records/; under schedule number N1-174-02-02 Office of the Solicitor.
  • How is it determined that PII is no longer required?
    The lead litigation attorney, based on litigation requirements unique to the case, determines whether PII is no longer required.
  • What efforts are being made to eliminate or reduce Personally Identifiable Information from the collection, storage or maintenance of a system if it is no longer required?
    Depending on the litigation requirements unique to the case, PII (e.g. SSN) is sometimes redacted.
  • Privacy Impact Analysis
    Whenever large amounts of personal data are stored for an extended period of time, there is a significant privacy risk. This risk is proportionally increased by the length of time in which the data is retained. The following are NIST SP 800-53 security controls that mitigate the risks associated with PII retention:
  • Operational Controls
    • System and Information Integrity (SI)
      • System and Information Integrity Policy and Procedures
      • Information Output Handling and Retention
    • Physical and Environmental Protection (PE)
      • Physical and Environmental Protection Policy and Procedures
      • Physical Access Authorizations
      • Physical Access Control
    • Media Protection (MP)
      • Media Protection Policy and Procedures
      • Media Access
      • Media Storage

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

  • With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
    Evidence documents that may contain PII may be shared internally with the DOL program agency that requested the litigation and SOL attorneys and paralegals assigned to the case. The evidence information is shared as part of the legal processes of discovery and trial litigation for a particular litigation case.
  • How is the PII transmitted or disclosed?
    On a limited basis evidence documents may be shared via email with the DOL program agency that requested the litigation.

    Users of the LSS database include attorneys and paralegals assigned to the case. These users view the evidence data that may contain PII via on-line screens.

    Evidence documents and search results can be printed from the LSS database. Portions of the database may be extracted for presentation at trial.
  • Privacy Impact Analysis
    The privacy risk lies in unauthorized disclosure based on methods of sharing. The following are NIST SP 800-53 security controls that mitigate the risks associated with internal sharing and disclosure:
  • Technical Controls
    • Access Control (AC):
      • Account Management
      • Access Enforcement
      • Separation of Duties
      • Least Privilege
      • Unsuccessful Login Attempts
      • System Use Notification
      • Session Lock
      • Supervision and Review – Access
    • Audit and Accountability (AU):
      • Auditable Events
      • Content of Audit Records
      • Audit Monitoring, Analysis, and Reporting
    • Identification and Authentication:
      • Authenticator Management

    • System and Communications Protection (SC):
      • Boundary Protection
      • Transmission Integrity
      • Transmission Confidentiality
  • Media Protection (MP)
    • Media Protection Policy and Procedures
    • Media Access
    • Media Storage

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

  • With which external organization(s) is the PII shared, what information is shared, and for what purpose?
    Evidence documents which may contain PII are shared externally with the federal court system, administrative tribunals, and other parties to the litigation case (e.g. opposing counsel).
  • Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
    The sharing of PII that may be contained in evidence documents is compatible with the original collection. Electronic copies of evidence documents cannot be modified in any way as the integrity of the information must be maintained.

A Privacy Act System of Records Notice (SORN) has been published in the Federal Register.

  • How is the information shared outside the Department and what security measures safeguard its transmission?
    Evidence documents that may contain PII are shared with the federal court system, administrative tribunals, and other parties to the case through document filings that are made via email or through the court’s electronic filing system.
  • Privacy Impact Analysis

The privacy risk is unauthorized disclosure of PII through transmission of information or through theft or loss of portable media (CD, DVD, flash drive, external drive) or portable devices (laptop).

E-mails used to transmit evidence documents are subject to network infrastructure security controls, and the DOL OCIO Appropriate Use: A Guide for Use of Personal Computers and Government Equipment Including E-mail and the Internet, June 2000, v1.0.

The security of the court’s electronic filing systems has not been assessed. It is assumed that some type of security protections are in place. Protections may vary by court location.

SOL has unique requirements to communicate with legal parties outside of DOL. As indicated in the DLMS 9-1202, DOL Safeguarding Sensitive Data Including Personally Identifiable Information, SOL users are not required to encrypt portable media containing DOL sensitive information in support of litigation activities, under various statutes, or in response to court/tribunal requirements or orders, or congressional requests. All other SOL information must be encrypted. SOL computers have Roxio software in addition to the PointSec for PC software. Roxio software allows SOL users to create CD/DVDs that are not encrypted. The encryption exemption increases exposure to unauthorized disclosure of PII.


Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

  • Was notice provided to the individual prior to collection of PII?
    Yes. The Privacy Act requires that a SORN be published in the Federal Register when PII is maintained by a Federal agency in a system of records and the information is retrieved by a personal identifier. The system can retrieve PII by the specific personal identifier. A Privacy Act System of Records Notice (SORN) has been published in the Federal Register.
  • Do individuals have the opportunity and/or right to decline to provide information?
    No. SOL represents the Secretary of Labor and DOL agencies in all legal proceedings and in all federal courts, except the Supreme Court, in cases arising under statutes giving attorneys for the Secretary of Labor independent litigating authority. SOL has the right to subpoena information as part of the litigation process and to use the information as appropriate to support the SOL litigation strategy.
  • Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
    No. SOL represents the Secretary of Labor and DOL agencies in all legal proceedings and in all federal courts, except the Supreme Court, in cases arising under statutes giving attorneys for the Secretary of Labor independent litigating authority. SOL has the right to subpoena information as part of the litigation process and to use the information as appropriate to support the SOL litigation strategy.
  • Privacy Impact Analysis
    Notice is provided to individuals via the SORN published in the Federal Register. Based on SOL’s authority to litigate, to subpoena information, and to refuse FOIA requests based on the Freedom of Information Act (FOIA) and Privacy exemptions associated with litigation, individuals may have limited control on the uses of their information and the right to decline to provide information.

Access, Redress, and Correction

The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.

  • What are the procedures that allow individuals to gain access to their information?
    An individual, or legal representative acting on his behalf, may request access to a record about himself by appearing in person or by writing to the Office of the Solicitor of Labor (SOL), Deputy Solicitor, 200 Constitution Avenue, NW, Washington, DC 20210. A requester in need of guidance in defining his request may write to the Assistant Secretary for Administration and Management, U.S. Department of Labor, 200 Constitution Avenue, NW, Washington, DC 20210–0002.
    The specific procedures for allowing an individual to gain access to their information are provided in Title 29 CFR Part 71.2.
  • What are the procedures for correcting inaccurate or erroneous information?
    An individual may submit a request for correction or amendment of a record pertaining to him. The request must be in writing and must be addressed to the Office of the Solicitor of Labor (SOL), Deputy Solicitor, 200 Constitution Avenue, NW, Washington, DC 20210. The request must identify the particular record in question, state the correction or amendment sought, and set forth the justification for the change. Both the envelope and the request itself must be clearly marked: “Privacy Act Amendment Request.”
    The specific procedures for correcting inaccurate or erroneous information are provided in Title 29 CFR Part 71.9.
  • How are individuals notified of the procedures for correcting their information?
    This information is published in the Federal Register entry for the system. Also, www.dol.gov provides “Important Web Site Notices” which contains the department’s Privacy and Security Policies. This is found on the initial page of the website or directly at http://www.dol.gov/dol/aboutdol/website-policies.htm.
  • If no formal redress is provided, what alternatives are available to the individual?
    When a request for correction or amendment is denied in whole or in part, the requester may appeal the denial to the Solicitor of Labor within 90 days of his receipt of the notice denying his request.
  • Privacy Impact Analysis
    There is minimal risk to the data integrity of PII stored in the LSS because it is well protected by numerous security controls at the network and application level. Data integrity is primarily accomplished because access to data is restricted to authorized personnel. Privacy data is also protected by ensuring that privacy and security awareness training is provided annually by DOL. Specifically, mandatory DOL Information Systems Security and Privacy Awareness Training is provided to all employees and contractors of SOL.
    The following are NIST SP 800-53 security controls that mitigate the risks associated with access, redress and correction and the accuracy of information:
  • Technical Controls
    • System and Communications Protection (SC):
      • Boundary Protection
      • Transmission Integrity
      • Transmission Confidentiality
  • Operational Controls
    • System and Information Integrity (SI)
      • Software and Information Integrity
      • Information Input Restrictions
      • Information Accuracy, Completeness, Validity, and Authenticity

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

  • What procedures are in place to determine which users may access the system and are they documented?
    SOL has documented Access Control procedures in place which ensure that access to the LSS is established in compliance with the DOL Computer Security Handbook. The applicable NIST SP 800-53 management, operational and technical control requirements for access control are implemented or are being implemented.
    Highlights of the SOL procedures include:
    • assignment of unique account name and passwords
    • complex password composition
    • password aging
    • password expiration
    • access provided strictly on the basis of approved authorizations
    • role-based security
    • least privilege access
    • automatic removal of inactive accounts
    • Rules of Behavior
  • Will Department contractors have access to the system?
    Yes, the LSS is accessed by developers and system administrators who are authorized contractors of the Department of Labor/Office of the Solicitor, for the purpose of developing, testing, administering and operating the system.
  • Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
    Annual mandatory DOL Information Systems Security and Privacy Awareness Training is provided to all employees and contractors of SOL.
  • What auditing measures and technical safeguards are in place to prevent misuse of data?
    Within the LSS there are specific user roles defined which provide varying levels of access to data stored in the LSS. Additionally, users are only allowed access to litigation cases to which they are assigned. Auditing functionality exists within the LSS that records user actions in audit logs. These audit logs are reviewed on a recurring basis for unusual and suspicious events. Audit logs are backed up for a specified period of time and are protected from access by unauthorized users.
  • Privacy Impact Analysis
    PII stored on the LSS is limited to information necessary for the Agency to carry out its duties and is well protected by numerous NIST SP 800-53 security controls. There is no direct connection between the LSS and the Internet. The LSS does not interface with any other systems except its host system, the ECN/DCN GSS.
    The following are NIST SP 800-53 security controls that mitigate the risks associated with unauthorized access:
  • Technical Controls
    • Access Control (AC):
      • Account Management
      • Access Enforcement
      • Separation of Duties
      • Least Privilege
      • Unsuccessful Login Attempts
      • System Use Notification
      • Session Lock
      • Supervision and Review – Access
    • Audit and Accountability (AU):
      • Auditable Events
      • Content of Audit Records
      • Audit Monitoring, Analysis, and Reporting
    • Identification and Authentication:
      • Authenticator Management

    • System and Communications Protection (SC):
      • Boundary Protection
      • Transmission Integrity
      • Transmission Confidentiality

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

  • What stage of development is the system in, and what project development life cycle was used?
    LSS is in the Operations and Maintenance Phase. The project development life cycle used is the DOL Systems Development Life Cycle Management Guide. LSS will be decommissioned and replaced by the new Evidence Management System during FY12.
  • Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?
    No.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • SOL has completed the PIA for LSS which is currently in operation. SOL has determined that the safeguards and controls for this moderate system adequately protect the information referenced in the LSS System Security Plan.
    SOL has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.