The Federal Emergency Management Agency (FEMA) mistakenly shared with an unnamed contractor sensitive personal data on 2.3 million victims of several recent hurricanes and California wildfires, the agency’s Office of Inspector General said in a March 15 report.
According to the IG, FEMA violated both the 1974 Privacy Act and Department of Homeland Security policy in sharing the data. The agency watchdog discovered the issue during an audit of FEMA’s Transitional Sheltering Assistance (TSA) program, which provided assistance to victims of the 2017 fires and three 2017 hurricanes (Harvey, Irma, and Maria) that devastated portions of Texas, Florida, Puerto Rico, and the U.S. Virgin Islands.
The TSA program provided short-term lodging in hotels for the victims, who were required to provide personally identifiable information (PII) and “sensitive” PII (SPII) when applying for assistance with FEMA.
The OIG said the “privacy incident” happened “because FEMA did not take steps to ensure it provided only required data elements,” to the contractor. Rather, the OIG said, FEMA should only provide the contractor with “limited information needed to verify survivors’ eligibility for the TSA program.”
A privacy incident, OIG said, is defined as “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence when (1) a person other than the authorized user accesses or potentially accesses PII or (2) an authorized user accesses or potentially accesses PII for an unauthorized purpose.” The term “encompasses both suspected and confirmed incidents involving PII, whether intentional or inadvertent, which raises a reasonable risk of harm,” the OIG said.
And, warned the OIG, “without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”
The OIG said FEMA concurred with two recommendations on actions the agency should take to safeguard both PII and SPII of the 2.3 million disaster survivors, and to prevent similar incidents in the future. It said it considers the recommendations to be “resolved and open” until they have been implemented.
Despite that, the data sharing issues are ongoing, and may not be fully fixed until June 2020.
As of March 15, the OIG said FEMA provided “and continues to provide” the contractor with “more than 20 unnecessary data fields for survivors participating in the TSA program,” including sensitive PII such as addresses and financial data including bank names, electronic fund transfer numbers, and bank transit numbers.
FEMA, the OIG said, stated in written comments that “it has begun to implement measures to assess and mitigate this privacy incident, including deploying a Joint Assessment Team of cyber security personnel to the contractor’s facilities.”
That cyber team documented removal of the sensitive data from the contractor’s system, and found no indication that the system had been penetrated within the previous 30 days. But it also identified 11 vulnerabilities in the contractor’s system, four of which have since been addressed, with another seven still to be remediated.
Commenting on FEMA’s estimate of June 2020 for its own fixes, the OIG said, “Given the sensitive nature of these findings, we urge FEMA to expedite this timeline.”
FEMA told the OIG in a March 8 letter that it has taken “aggressive action” to deal with the problems and to improve protection of data collected by the TSA program. In a statement issued on Friday, FEMA said it is also instructing “contracted staff to complete additional DHS privacy training.”
The agency said its “goal remains protecting and strengthening the integrity, effectiveness, and security of our disaster programs.”