The Federal Emergency Management Agency (FEMA) has helped millions of disaster survivor registrants following Hurricane Harvey, Hurricane Irma, Hurricane Maria, and the California wildfires in 2017.
However, 2.3 million of these survivors who registered for the agency's Transitional Sheltering Assistance (TSA) program now face another potential life-changing event: the loss of their sensitive data.
The OIG, or Office of the Inspector General, found that FEMA has been violating privacy laws by giving a third-party vendor more than 20 unnecessary data fields on disaster victims.
Much of the data falls under what the OIG report on FEMA defines as Sensitive Personally Identifiable Information (SPII): information "which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual."
This is not just another case of data being exposed with no signs of compromise. The OIG says FEMA's vendor keeps only short-term logs, so there is no way to know whether the data has been compromised or not.
The agency assembled a Joint Assessment Team to look into what's happened with the SPII, and this is what they found:
"According to FEMA, these assessments found no indication of intrusion within the last 30 days although the assessment identified that the contractor did not maintain logs past 30 days."
And here's more proof of something we hear at SecureWorld conferences all the time: privacy and cybersecurity are very often linked.
"FEMA indicated it has begun to implement measures to assess and mitigate this privacy incident, including deploying a Joint Assessment Team of cybersecurity personnel to the contractor’s facilities.
The Joint Assessment Team also identified several security vulnerabilities. As of March 2019, four vulnerabilities had been remediated and the contractor was developing remediation plans for the remaining seven."
The security vulnerabilities were discovered during a visit to the vendor's facilities in February 2019. FEMA says a number of teams were involved.
FEMA says it no longer shares the unnecessary disaster victim information with its vendor.
It has also notified the OIG that it will complete remediation of all the security issues it has discovered by a self-imposed deadline of June 2020.
Do you think that seems like a reasonable time frame or is that excessive?
[Hurricane image credit: NOAA]