(a) Reporting of possible violations. Persons authorized to have access to PCII must report any suspected violation of security procedures, the loss or misplacement of PCII, and any suspected unauthorized disclosure of PCII immediately to the PCII Program Manager or a PCII Program Manager's Designee. Suspected violations may also be reported to the DHS Office of Inspector General. The PCII Program Manager or a PCII Program Manager's Designee will in turn report the incident to the appropriate security officer and to the DHS Office of Inspector General.

(b) Review and investigation of written report. The PCII Program Manager, or the appropriate security officer must notify the DHS Office of Inspector General of their intent to investigate any alleged violation of procedures, loss of information, and/or unauthorized disclosure, prior to initiating any such investigation. Evidence of wrongdoing resulting from any such investigations by agencies other than the DHS Inspector General must be reported to the United States Department of Justice, Criminal Division, through the CISA Office of the Chief Counsel. The DHS Office of Inspector General also has authority to conduct such investigations and will report any evidence of wrongdoing to the United States Department of Justice, Criminal Division, for consideration of prosecution.

(c) Notification to originator of PCII. If the PCII Program Manager or the appropriate security officer determines that a loss of information or an unauthorized disclosure of PCII has occurred, the PCII Program Manager or a PCII Program Manager's Designee must notify the person or entity that submitted the PCII, unless providing such notification could reasonably be expected to hamper the relevant investigation or adversely affect any other law enforcement, national security, or homeland security interest.

(d) Criminal and administrative penalties. (1) As established in 6 U.S.C. 673(f), whoever, being an officer or employee of the United States or of any department or agency thereof, knowingly publishes, divulges, discloses, or makes known in any manner or to any extent not authorized by law, any information protected from disclosure by the CII Act coming to the officer or employee in the course of his or her employment or official duties or by reason of any examination or investigation made by, or return, report, or record made to or filed with, such department or agency or officer or employee thereof, shall be fined under title 18 of the United States Code, imprisoned not more than one year, or both, and shall be removed from office or employment.

(2) In addition to the penalties set forth in paragraph (d)(1) of this section, if the PCII Program Manager determines that an entity or person who has received PCII has violated the provisions of this part or used PCII for an inappropriate purpose, the PCII Program Manager may disqualify that entity or person from future receipt of any PCII or future receipt of any sensitive homeland security information under 6 U.S.C. 482, provided, however, that any such decision by the PCII Program Manager may be appealed to the Director.