The U.S. Federal Emergency Management Agency (FEMA) improperly shared the personally identifiable information (PII) of 2.3 million hurricane and disaster survivors with a contractor.

The Department of Homeland Security’s Office of Inspector General (DHS OIG) detected FEMA’s violation while auditing the agency’s Transitional Sheltering Assistance (TSA) program, a framework for temporarily sheltering individuals displayed by emergencies and natural disasters.

According to a DHS OIG management alert published on 19 March, FEMA identified 2.3 million survivors of Hurricanes Harvey, Irma and Maria as well as the California wildfires of 2017 who were eligible for assistance under the TSA program. It subsequently shared these individuals’ PII and sensitive personally identifiable information with a contractor that helps disaster survivors receive temporary lodging in participating housing. In the process, however, the agency directly violated its Performance Work Statement in that it did not ensure it shared only those data elements required by the contractor to perform its duties. Instead, it shared survivors’ physical addresses, banking data and other information which the contractor did not need to fulfill its work, thereby placing these individuals at risk of fraud and identity theft.

DHS OIG set out two recommendations for FEMA in its notice. First, it urges the agency’s Assistant Administrator for the Recovery Directorate to implement controls that will limit the types of information shared with contractors. Second, it suggests that the organization devise a process for properly destroying survivors’ PII and SPI pursuant to DHS policy.

FEMA has concurred with these recommendations. In fact, it’s indicated to DHS OIG that it’s already begun implementing measures to mitigate the privacy incident and prevent similar events from happening in the future. Lizzie Litzow, press secretary for the agency, confirmed this work in a statement:

Since discovery of this issue, FEMA has taken aggressive (Read more...)