The U.S. Federal Emergency Management Agency (FEMA) improperly shared the personally identifiable information (PII) of 2.3 million hurricane and disaster survivors with a contractor.
The Department of Homeland Security’s Office of Inspector General (DHS OIG) detected FEMA’s violation while auditing the agency’s Transitional Sheltering Assistance (TSA) program, a framework for temporarily sheltering individuals displayed by emergencies and natural disasters.
According to a DHS OIG management alert published on 19 March, FEMA identified 2.3 million survivors of Hurricanes Harvey, Irma and Maria as well as the California wildfires of 2017 who were eligible for assistance under the TSA program. It subsequently shared these individuals’ PII and sensitive personally identifiable information with a contractor that helps disaster survivors receive temporary lodging in participating housing. In the process, however, the agency directly violated its Performance Work Statement in that it did not ensure it shared only those data elements required by the contractor to perform its duties. Instead, it shared survivors’ physical addresses, banking data and other information which the contractor did not need to fulfill its work, thereby placing these individuals at risk of fraud and identity theft.
DHS OIG set out two recommendations for FEMA in its notice. First, it urges the agency’s Assistant Administrator for the Recovery Directorate to implement controls that will limit the types of information shared with contractors. Second, it suggests that the organization devise a process for properly destroying survivors’ PII and SPI pursuant to DHS policy.
FEMA has concurred with these recommendations. In fact, it’s indicated to DHS OIG that it’s already begun implementing measures to mitigate the privacy incident and prevent similar events from happening in the future. Lizzie Litzow, press secretary for the agency, confirmed this work in a statement:
Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system. To date, FEMA has found no indicators to suggest survivor data has been compromised. FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security (DHS) cybersecurity and information-sharing standards. As an added measure, FEMA instructed contracted staff to complete additional DHS privacy training.
Individuals who believe they were victims of the privacy incident described above should protect each of their web accounts with a strong and unique password, implement two-factor authentication (2FA) wherever it’s available and enable a trusted VPN. They can also follow these steps to further prevent identity theft.