FEMA violated privacy law by releasing info of 2.3 million survivors of hurricanes, wildfire
FEMA didn't ensure it shared with a contractor only the data the contractor required to perform its official duties.
The Office of Inspector General of the U.S. Department of Homeland Security (OIG), while auditing the Transitional Sheltering Assistance (TSA) program of the Federal Emergency Management Agency (FEMA), has determined that FEMA violated the Privacy Act of 1974 and Department of Homeland Security policy by releasing personally identifiable information (PII) and sensitive personally identifiable information (SPII) of 2.3 million survivors of hurricanes Harvey, Irma, and Maria and the California wildfires in 2017.
Disaster survivors at risk for ID theft, fraud
Without corrective action, the OIG said, the disaster survivors involved in the privacy incident “are at increased risk of identity theft and fraud.”
Through the TSA program, FEMA provides transitional sheltering in hotels to disaster survivors displaced by emergencies or major disasters. When applying for FEMA disaster assistance, applicants are required to provide PII and SPII.
The OIG said that a privacy incident occurred because FEMA did not ensure it shared with a contractor only the data elements the contractor required to perform its official duties administering the TSA program. FEMA provided and continues to provide more than 20 unnecessary data fields for survivors participating in the TSA program, according to the OIG.
Data improperly released
The OIG added that, of the 20 unnecessary data fields, FEMA does not safeguard and improperly releases six that include SPII:
- Applicant street address.
- Applicant city name.
- Applicant Zip Code.
- Applicant’s financial institution name.
- Applicant’s electronic funds transfer number.
- Applicant’s bank transit number.
The OIG made two recommendations to FEMA’s assistant administrator for the recovery directorate. The first is to implement controls to ensure that the agency sends contractors only the required data elements of registered disaster survivors. The second is to assess the extent of this privacy incident and implement a process for ensuring that the improperly released PII, including SPII, of registered disaster survivors is properly destroyed.
FEMA concurred with the two recommendations.
Learn more: https://www.oig.dhs.gov/sites/default/files/assets/2019-03/OIG-19-32-Mar19.pdf
Steven A. Meyerowitz, Esq., is director of the Insurance Coverage Law Center (formerly FC&S Legal). He can be reached at smeyerowitz@meyerowitzcommunications.com.