49 CFR 15.9 - Restrictions on the disclosure of SSI.
(a) Duty to protect information. A covered person must -
(1) Take reasonable steps to safeguard SSI in that person's possession or control from unauthorized disclosure. When a person is not in physical possession of SSI, the person must store it a secure container, such as a locked desk or file cabinet or in a locked room.
(2) Disclose, or otherwise provide access to, SSI only to covered persons who have a need to know, unless otherwise authorized in writing by TSA, the Coast Guard, or the Secretary of DOT.
(3) Refer requests by other persons for SSI to TSA or the applicable component or agency within DOT or DHS.
(4) Mark SSI as specified in § 15.13.
(5) Dispose of SSI as specified in § 15.19.
(b) Unmarked SSI. If a covered person receives a record containing SSI that is not marked as specified in § 1520.13, the covered person must -
(1) Mark the record as specified in § 15.13; and
(2) Inform the sender of the record that the record must be marked as specified in § 15.13.
(c) Duty to report unauthorized disclosure. When a covered person becomes aware that SSI has been released to unauthorized persons, the covered person must promptly inform TSA or the applicable DOT or DHS component or agency.
(d) Additional requirements for critical infrastructure information. In the case of information that is both SSI and has been designated as critical infrastructure information under section 214 of the Homeland Security Act, any covered person who is a Federal employee in possession of such information must comply with the disclosure restrictions and other requirements applicable to such information under section 214 and any implementing regulations.