The T.S.A. said it took the action after a laptop containing unencrypted pre-enrollment information for about 33,000 Clear applicants went missing at San Francisco International Airport on July 26. The agency said that Clear -- which is owned by Steven Brill's Verified Identity Pass Inc. -- could resume enrolling applicants once it demonstrated that it is in compliance with rules that require that all personal data stored on computers be encrypted, even the basic initial enrollment information.
Clear has about 200,000 members, including the 33,000 people who were in the initial stages of processing after signing up online, Brill said in an interview tonight.
"We had a burglary in a locked, secured office," he said of the missing computer.
The information stored on the stolen computer consisted only of the applicants' names, addresses and dates of birth and, in some cases, drivers' license numbers and passport numbers.
No credit card numbers or Social Security numbers and "no biometrics of any kind" were stored in the files, he added.
Nor was any information on current members involved, he said.
Brill said that Verified Identity Pass promptly notified the T.S.A. of the burglary and has been working since to encrypt initial basic application information in the same way it routinely encrypts credit card, Social Security and other sensitive information it subsequently receives from applicants.
"There is no reason to believe this is anything other than the simple burglary of a laptop," Verified Identity said in a statement.
The vast majority of registered traveler members belong to the Clear program, which has been expanding aggressively. Smaller competitors operate programs in two airports.
Here is the T.S.A. announcement:
"TSA Suspends Verified Identity Pass, Inc. Clear Registered Traveler Enrollment
The vulnerabilities came to light after an unencrypted VIP laptop computer was discovered to be missing from San Francisco International Airport on July 26. The computer contained pre-enrollment records of approximately 33,000 customers.
TSA has instructed SFO to ensure that VIP immediately notifies the individuals impacted. In addition, SFO and all other airports using Clear have been instructed to ensure that VIP suspends enrollment, ceases use of any unencrypted computers and secures the devices until encryption can be installed. TSA requires RT service providers and sponsoring entities to encrypt all files containing participants’ sensitive personal information. Noncompliance with such requirements can result in actions including suspension of a program and possible civil penalties.
The suspension will protect consumers waiting to enroll in RT and allow VIP to bring its procedures into compliance. VIP will be required to submit an independent audit, verifying that the required security measures are in place. TSA will verify the audits before enrollment procedures can resume.
Verified Identity Pass Inc. will be responsible for notification and resolution surrounding this incident.
Current Clear customers will not be affected by this action and will not experience any disruption when using Registered Traveler.
TSA is contacting all RT service providers to reaffirm proper security measures are in place, including encryption of sensitive personal information of participants. TSA remains committed to partnerships with private sector entities that enhance the safety and convenience of the flying public."