6 CFR § 29.9 - Investigation and reporting of violation of PCII procedures.
(a) Reporting of possible violations. Persons authorized to have access to PCII shall report any suspected violation of security procedures, the loss or misplacement of PCII, and any suspected unauthorized disclosure of PCII immediately to the PCII Program Manager or the PCII Program Manager's designees. Suspected violations may also be reported to the DHS Inspector General. The PCII Program Manager or the PCII Program Manager's designees shall in turn report the incident to the appropriate Security Officer and to the DHS Inspector General.
(b) Review and investigation of written report. The PCII Program Manager, or the appropriate Security Officer shall notify the DHS Inspector General of their intent to investigate any alleged violation of procedures, loss of information, and/or unauthorized disclosure, prior to initiating any such investigation. Evidence of wrongdoing resulting from any such investigations by agencies other than the DHS Inspector General shall be reported to the Department of Justice, Criminal Division, through the DHS Office of the General Counsel. The DHS Inspector General also has authority to conduct such investigations, and shall report any evidence of wrongdoing to the Department of Justice, Criminal Division, for consideration of prosecution.
(c) Notification to originator of PCII. If the PCII Program Manager or the appropriate Security Officer determines that a loss of information or an unauthorized disclosure has occurred, the PCII Program Manager or the PCII Program Manager's designees shall notify the person or entity that submitted the PCII, unless providing such notification could reasonably be expected to hamper the relevant investigation or adversely affect any other law enforcement, national security, or homeland security interest.
(d) Criminal and administrative penalties.
(1) As established in section 214(f) of the CII Act, whoever, being an officer or employee of the United States or of any department or agency thereof, knowingly publishes, divulges, discloses, or makes known in any manner or to any extent not authorized by law, any information protected from disclosure by the CII Act coming to the officer or employee in the course of his or her employment or official duties or by reason of any examination or investigation made by, or return, report, or record made to or filed with, such department or agency or officer or employee thereof, shall be fined under title 18 of the United States Code, imprisoned not more than one year, or both, and shall be removed from office or employment.
(2) In addition to the penalties set forth in paragraph (d)(1) of this section, if the PCII Program Manager determines that an entity or person who has received PCII has violated the provisions of this part or used PCII for an inappropriate purpose, the PCII Program Manager may disqualify that entity or person from future receipt of any PCII or future receipt of any sensitive homeland security information under section 892 of the Homeland Security Act, provided, however, that any such decision by the PCII Program Manager may be appealed to the Office of the Under Secretary for Preparedness.