Those regulated by the Transportation Security Administration (TSA) are familiar with a range of TSA policies that govern agency relationships during enforcement actions. For example, the Voluntary Disclosure Program Policy (VDPP), the Resolution Corrective Action Policy for U.S. Locations, and the Vulnerability Mitigation Policy for U.S. Locations have served as the framework for addressing compliance incidents and their responsible response. Now, as of August 26, 2019, the TSA has implemented its new approach to these policy matters that is referred to as the Action Plan Program.
The Action Plan Program
The Action Plan Program has revised the TSA’s voluntary self-disclosure procedure under the VDPP to reduce vulnerabilities and increase security, compliance, and industry partnership. Now, regulated parties may self-disclose both noncompliance and security vulnerabilities. Additionally, parties may now make a disclosure even if the noncompliance or vulnerability is discovered by the TSA. As one would expect, noncompliance that is egregious, flagrant, continuous, wanton, in bad-faith, extraordinary, conspicuously bad, or that glaringly deviates from the TSA’s regulatory requirements will not be eligible for the Action Plan Program. The noncompliance or vulnerability also cannot include deliberate, intentional, or reckless deviations from the TSA’s regulatory requirements or activities involving criminal activity or fraud.
Updates to the Voluntary Disclosure Program
Like the VDPP, the Action Plan Program still applies to: aircraft operators, foreign air carriers, indirect air carriers, certified cargo screening facilities (including Third-Party Canine-Cargo Program—3PK9-C Program), airport operators, flight training providers, all freight and passenger railroad carriers, certain facilities that ship or receive specified hazardous materials by rail, and rail transit systems. These parties are collectively referred to as eligible parties. The Action Plan Program effectively helps eligible parties avoid the TSA’s traditional civil enforcement process. Traditionally, if an eligible party was determined to be noncompliant or failed to disclose a security vulnerability, the TSA would issue a sanction or impose a monetary civil penalty. While the VDPP also allowed eligible parties to avoid these typical sanctions, the Action Plan Program takes a much more collaborative approach to reaching a resolution.
Under the Action Plan Program, the eligible party will first disclose the noncompliance to the TSA. The Action Plan Program’s initial disclosure procedures are generally the same as the procedures under the VDPP, with the exception of several timing and specification revisions. The eligible party must then submit a Voluntary Disclosure Report. The Action Plan Program’s Voluntary Disclosure Report requires less detail and description than what was required under the VDPP.
Perhaps the most significant change between the Action Plan Program and VDPP is the corrective action process. In order to address noncompliance, a corrective action must be proposed and eventually implemented. Under the VDPP, the disclosing party had the responsibility of drafting the corrective action on its own, then submitting it for TSA review. However, now under the Action Plan Program, the eligible party and the TSA will work together to negotiate the corrective action and ultimate resolution. This procedure is now referred to as the action plan. It is imperative that an eligible party wishing to make a voluntary self-disclosure thoroughly review the Action Plan Program and carefully follow each step.
Choosing to Participate, and Expectations
Participation in the action plan is, of course, voluntary. As part of the negotiation with the TSA, the eligible party must still be prepared to discuss the general details it was required to disclose under the VDPP. For example, the party should expect to discuss the root cause of the noncompliance and submit supporting materials. Failure to properly follow certain Action Plan Program procedures could lead to the TSA issuing an Letter of Rejection, opening an investigation into the noncompliance, or ultimately imposing a sanction or civil monetary penalty.
Jonathan Todd is a partner in Benesch’s Transportation & Logistics Practice Group who regularly advises clients on air cargo security and related enforcement matters. You may reach Jonathan at (216) 363-4658 or jtodd@beneschlaw.com. Abby Riffee is an associate in the firm’s Litigation Practice Group. You may reach Abby at (614) 223-9387 or ariffee@beneschlaw.com.