0043Firearms_Enforcement_Review_--_24_hour_destruct2

THE NICS 24 HOUR DESTRUCT REQUIREMENT

Since 2004, the FBI has been unable to expend any appropriated funds on activities (to include preliminary planning and assessment) that would lead to NICS retaining for more than 24 hours any information identifying the transferee in firearms transactions that have been issued a proceed response at the conclusion of a background check mandated by the Brady Act.

Background

From its inception, the Brady Handgun Violence Prevention Act contained a compromise between two competing goals: ensuring that persons prohibited from possessing firearms were not able to obtain them from licensed dealers, while at the same time protecting the privacy of legitimate gun owners from having information about their firearms purchases maintained in a form of federal registration. The balance struck was that for “proceeded” transactions, NICS was required to “destroy all records of the system with respect to the call (other than the identifying number and the date the number was assigned) and all records of the system relating to the person of the transfer.” 18 U.S.C. § 922(t)(2).

Although the Brady Act thus imposed a requirement that NICS destroy identifying information about “proceeded” transactions, it did not impose a time frame during which the destruction must occur. NICS addressed this quandary when the system first went operational in 1998. In order to ensure system integrity, NICS implemented a NICS Audit Log. The Log’s stated purpose was to “[satisfy] the statutory requirement of ensuring the privacy and security of the NICS and the proper operation of the system.” 63 FR 58303 (Oct. 30, 1998). Retention and destruction of information contained in the Log was governed by 28 C.F.R. § 25.9. The Log would contain, inter alia, “the name and other identifying information about the prospective transferee and the [NICS Transaction Number].”¹ However, in the case of proceeded transactions, all information other than the NTN and the date it was assigned was required to be destroyed “not more than six months after the transfer is allowed.” 63 FR 58311. The preamble noted that: “the Department determined that the general retention period for records of allowed transfers in the NICS Audit Log should be the minimum reasonable period for performing audits on the system, but in no event more than six months.”² The preamble also promised that, by February 28, 1999, the Department would publish another NPRM setting forth a further reduction of the retention period. 63 FR 58304

This significant concession did not satisfy critics of the Audit Log. The National Rifle Association (NRA) and others filed a lawsuit challenging the NICS Audit Log on the same day the regulation was otherwise scheduled to be effective, November 30, 1998. The NRA argued that retaining any personal identifying information in the NICS Audit Log for any length of time constituted a de facto system of firearms registration and violated the Brady Act’s mandate that purchaser information be destroyed. The NRA’s request for a preliminary injunction against implementation of the regulation was denied on January 27, 1999.

While the suit was pending, the Department kept its promise and published an NPRM proposing to reduce the retention period to no more than 90 days, half of the maximum period provided for under the existing regulation. 64 FR 10262 (Mar. 3, 1999). The NPRM noted that: “the Department has concluded that the shortest practicable period of time for retaining records of allowed transfers that would permit the performance of basic security audits of the NICS is 90 days.” 64 FR 10264. The NPRM also identified how information in the Audit Log would be used during the retention period.

Audits of the NICS will include (1) quality control audits of NICS examiners and call center operators to ensure the accuracy of responses given to FFLs; (2) audits of the system’s data processing to aid in the resolution of technical system problems; (3) audits of the use of NICS by state agencies serving as points of contact (“POCs”) for the NICS and/or using the NICS in connection with issuing firearms licenses or permits, to ensure that such agencies are accessing the NICS only for authorized purposes; and (4) audits of the use of the NICS by FFLs to ensure that FFLs are accessing the NICS only for authorized purposes and are not sending the NICS false data to evade the system.

64 FR 10263. In short, NICS saw the Audit Log as an essential tool in evaluating both its own performance and the extent to which the system was being abused or misused by others. Importantly, the Audit Log was not conceived as, or considered to be a law enforcement tool. Its governing regulations did not provide for use of the Audit Log for investigations or to generate law enforcement leads.

The NRA continued to pursue its litigation, but the U.S. District Court for the District of Columbia granted summary judgment to the Attorney General on July 7, 1999. The court found that the Brady Act did not require the immediate destruction of information obtained from a proceeded firearm sale, and that the Attorney General’s plan for temporarily retaining and using that information in the NICS Audit Log was not unreasonable. The NRA appealed.

On July 11, 2000, the Court of Appeals for the D.C. Circuit affirmed the district court’s decision to dismiss the NRA’s lawsuit. National Rifle Association v. Reno, 216 F.3d 122 (D.C. Cir. 2000), cert. denied, 533 U.S. 928 (2001). The court reasoned that the Brady Act’s provision requiring the destruction of transferee information was ambiguous as to whether the destruction must occur immediately.³ The court also found that, under Chevron, the Attorney General’s interpretation of her authority (and obligation) to maintain the security and privacy of the NICS justified the creation and use of the Audit Log, as envisioned in the regulation. The NRA filed a petition for certiorari.

On January 21, 2001, the Department promulgated final revisions to the NICS regulations that included a 90-day maximum retention period for Audit Log information. These revisions were due to take effect on March 1, 2001, but the effective date was twice extended for 60-day periods. The U.S. Supreme Court denied the NRA’s petition for certiorari on June 25, 2001. The revised regulations were allowed to become effective eight days later.

However, on July 6, 2001, NICS issued yet another NPRM addressing the Audit Log. This new proposal “would require the destruction of all information in the Audit Log relating to the lawful purchaser or the transfer (other than the NTN, and the date of inquiry) on all allowed transactions prior to the start of the next business day following the date on which the “proceed” message was received by the initiator of the NICS check.” Although the NPRM mentions the twin concerns of individual privacy and a secure NICS, it does not explain how, with a 24-hour destruct policy, the Audit Log will continue to serve the purposes for which it was originally created, i.e., as a quality control measure for NICS performance and an indicator of potential NICS abuse by FFLs or POC states.

During the next two years, there was a robust debate about the effects of NICS proposed 24-hour destruct rule. In response to a request from Senator Richard J. Durbin (D. Ill.), GAO studied how the NICS would be affected if records related to allowed transfers were destroyed within 24 hours of the sale. GAO’s report was issued on July 10, 2002. GAO concluded that a 24-hour destruct rule would not adversely affect routine system audits. It also concluded, however, that implementing the rule would have adverse public safety consequences.

In particular, GAO noted that next day destruction would eliminate NICS as a source of potential information about transfers to prohibited persons. In short, NICS would have no ability to audit the accuracy of the response it provided to the FFL, if it later learns that a prohibited person may have obtained a firearm. GAO also determined that next day destruction would virtually eliminate the FBI’s ability to initiate firearms retrieval actions when it learns, after-the-fact, that a transfer should not have been allowed. GAO noted that, during the first six months that NICS employed a 90 day retention period, 235 firearm retrieval actions were initiated based on information obtained after the transfer was allowed. All but 7 of these would have been impossible had transferee information been deleted within 24 hours. The GAO also identified several collateral consequences with what it viewed as lesser potential impacts on public safety.

In 2003, legislation was proposed that would have required the immediate destruction of transferee information by NICS. In other words, as soon as a transfer was proceeded, transferee information would be deleted from the system. NICS studied the impact of this requirement, and identified significant economic costs and public safety consequences. The legislation was not enacted.

Finally, in 2004, as part of the Consolidated Appropriations Act of 2004, Congress imposed an appropriations restriction on NICS relative to its ability to retain transferee information in the NICS Audit Log or elsewhere beyond the next business day. The language provided that:

(a) None of the funds appropriated pursuant to this Act or any other provision of law may be used for –

. . . . . .

(2) any system to implement 922(t) of title 18, United States Code, that does not require and result in the destruction of any identifying information submitted by or on behalf of any person who has been

determined not to be prohibited from possessing or receiving a firearm no more than 24 hours after the system advises a Federal firearms licensee that possession or receipt of a firearm by the prospective transferee would not violate subsection (g) or (n) of section 922 of title 18, United States Code, or State law.

Pub. L. No. 108-199, Division B, § 617, 118 Stat. 3, 95 (Jan. 23, 2004). This provision had an effective date of July 21, 2004.

As a result, three years after it was initially published, NICS issued final regulations amending 28 C.F.R. §25.9 to require next day destruction. 69 FR 43892 (July 23, 2004). That provision:

• Delineated the contents of the NICS Audit Log (e.g., time, date, ORI or FFL identifier, identifying information about prospective transferee, and NTN).

• Provided that Audit Log records for denied transactions would be retained for 10 years.

• Mandated that Audit Log records for “open” (i.e., unresolved) transactions be destroyed no more than 90 days from the date of the inquiry (except NTN and date of inquiry).

• Mandated that transferee identification information for allowed transactions be destroyed within 24 hours after the FFL is informed that the transaction may proceed. All other information must be destroyed within 90 days (except NTN and date of inquiry).

• Limited use of Audit Log information to analyze system performance, assist in resolving operational problems, support the appeals process, and support audits of the use and performance of the system.

• Prohibited access to Audit Log information pertaining to allowed transactions except by FBI personnel, and only to audit system usage and performance.

• Allowed Audit Log information that indicates a violation or potential violation of law to be shared with appropriate law enforcement authorities.

• Allowed NTNs and inquiry dates to be shared with ATF, as part of Individual FFL Audit Logs prepared upon request in anticipation of an FFL inspection.

The NICS appropriations restriction put in place in 2004 has been part of every subsequent appropriations bill. Most recently it was part of the Omnibus Appropriations Act for 2009, Pub. L. No. 111-8, Division B., § 511 (Mar. 11, 2009).

Effects of This Restriction

The primary purpose and function of NICS is to provide a real-time background check for persons seeking to purchase firearms from FFLs. NICS does not perceive that the 24 hour destruct rule substantially hinders its ability to efficiently and effectively perform that function.

NICS can still run routine system performance checks. That is, NICS can and does perform quality assurance (QA) checks for proceeded transactions processed earlier during a given day. When those checks indicate that a transaction should have been denied or delayed, that information can be referred to ATF for appropriate action. Whether the reason for the mistake appears to be a systemic problem or operator specific, corrective action can be initiated. But NICS can only perform QA checks on a modest percentage of proceeded transactions during any 24 hour period, and after 24 hours none at all.

Nevertheless, given the pace of proceeded transactions, and NICS resource constraints, maintaining transferee information for more than 24 hours would not necessarily translate to a higher rate of QA checks. Under existing regulations, the purpose of these checks is not and cannot be to identify prohibited persons who may have received firearms. That is a positive side effect. The fundamental purpose must be to measure system performance and identify training or performance deficiencies, so that corrective action may be taken. That purpose only requires a statistically significant ratio of QA checks to transactions processed, and NICS believes that a satisfactory ratio is regularly achieved despite the 24 hour destruct rule.

To be sure, GAO’s 2002 report examining the effects of next-day destruction noted that “non-routine” system audits would be hampered by a 24 hour destruct rule. GAO described, as one example, situations in which the FBI becomes aware of information that an individual is prohibited from possessing or receiving a firearm. The FBI reported to GAO that, in such cases, it sometimes went to NICS to see whether the Audit Log indicated an allowed transfer to a prohibited person. This audit of the system also produces law enforcement leads when transfers to prohibited persons are identified.⁴ Although existing regulations permit this use of the Audit Log, the 24 hour destruct rule does undermine its value as a source of this kind of law enforcement lead.

GAO also identified several peripheral effects of a 24 hour destruct rule, and there is no reason to believe that these effects are not occurring. Destroying transferee information within 24 hours diminishes the FBI’s ability to respond to legitimate inquiries about the outcome of background checks. For example, if a firearms sale is delayed, but ultimately resolved and proceeded within three days, purchasers sometimes contact the FBI to determine the reason for the delay.⁵ Because transferee information for these transactions is subject to the 24 hour destruct rule, the FBI has no ability to answer the question. More importantly, the FBI is unable to tell the purchaser whether the reason for the delay has been corrected, or whether future purchases are also likely to be delayed. Depending upon the frequency with which this problem arises, it might justify retaining transferee information for delayed transactions for some modest period of time.

GAO also believed that the 24 hour destruct rule could increase the time it takes to conduct certain background checks. For non-prohibited persons who purchase multiple firearms on separate occasions, the availability of Audit Log information can speed second or subsequent purchases along, because the NICS examiner can avoid making repeat phone calls or queries to outside entities to obtain information needed to “proceed” the sale. In these cases, a longer retention period would increase NICS efficiency. However, this is really an argument in favor of permanent retention, rather than some defined shorter period.

The primary law enforcement effect of the 24 hour destruct rule is a negative impact on ATF’s ability to conduct firearms retrievals when NICS obtains post-proceed information indicating that a previous transaction should have been denied, or that the transferee has since become a prohibited person. NICS can obtain this information in a variety of ways – subsequent purchases by the same individual that reveal a new or previously unknown prohibitor, and new information provided to the NICS Index are the most common.⁶ If the NICS Audit Log retained transferee information for a longer period of time, newly acquired information could routinely be compared to the Audit Log, and disqualifying matches could be referred to ATF for investigation and possible firearms retrieval. With a 24 hour destruct rule, this ability is severely limited.

Moreover, because NICS is prohibited by the Brady Act from acting as a firearms registration repository (except for denied persons), it would be difficult to justify lengthening the NICS transferee information retention period in order to enhance its effectiveness as a law enforcement tool. Without question, NICS would be a more effective law enforcement tool if transferee information was retained for 90 days, rather than 24 hours. But six months would be better still, and permanent retention would be best of all. None of those options is consistent with the fundamental purpose of NICS. Nor are they allowed by the regulations that govern use of the Audit Log.

Those regulations do permit the creation of FFL specific audit logs, to assist the ATF in performing its inspection function. 28 C.F.R. § 25.9(b)(4). Even so, the 24 hour destruct rule has had a negative impact on the way in which ATF conducts FFL inspections. [to be added next week, after talking with ATF]

Additional Efforts within the Confines of the Restriction

NICS believes that there is limited room to further amend its regulations regarding transferee information retention without running afoul of its appropriations restriction. Nonetheless, the following proposals would be legally permissible:

• The retention period could be reduced from 24 hours to “immediate destruction,” consistent with proposals that have been considered by Congress in the past.

• Retention periods for Audit Log information that is not covered by the appropriations restriction (e.g., ORI or FFL identifier, “Open” transaction information, denied transaction information) could be modified – made longer or shorter.

• Subject to available resources, more comprehensive system audits could be conducted during each 24 hour period.

None of these proposals is under active consideration. An immediate destruct rule would create critical system vulnerabilities and would disallow any QA/audits on proceeded transactions, which would eliminate the positive side effect of identifying wrongful proceeds. NICS is satisfied with the existing retention periods for non-transferee information. And if additional resources are obtained, NICS would likely prioritize other needs over enhancing the system audit function.

As for potentially increasing retention time for proceeded transactions from 24 hours to some longer period, the Department could face obstacles in addition to the appropriations restriction. The court, in NRA v. Reno, held that regulations establishing a retention period of up to six months did not constitute an unreasonable interpretation of the Brady Act’s requirement that firearms transferee information be destroyed following a successful NICS check. That does not mean, however, that the Attorney General is necessarily free to re-impose a six month retention period, or even a 90 day period. ⁷

The court’s decision was based upon its understanding (as represented by the Department), that the retention period it was upholding was necessary to conduct reasonable system and performance audits, and to detect potential system abuse. If challenged – and it most certainly would be – any proposal to increase the transferee information retention period would need to be justified using the same criteria, not the salutary benefits that an increased retention period may provide to law enforcement. That may be a more difficult burden to carry after more than eight years of operations with a 24 hour destruct rule in place.