Management Alert – FEMA Did Not Safeguard Disaster Survivors’ Sensitive Personally Identifiable Information REDACTED March 15 2019 OIG-19-32 FOR OFFICAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Washington DC 20528 www oig dhs gov March 15 2019 MEMORANDUM FOR Peter T Gaynor Acting Administrator Federal Emergency Management Agency FROM John V Kelly Acting Inspector General SUBJECT Management Alert – FEMA Did Not Safeguard Disaster Survivors’ Sensitive Personally Identifiable Information – For Official Use Only For your action is our Management Alert – FEMA Did Not Safeguard Disaster Survivors’ Sensitive Personally Identifiable Information – For Official Use Only We considered technical comments and incorporated the formal comments provided by your office This alert contains two recommendations directing actions Federal Emergency Management Agency FEMA should take to safeguard both Personally Identifiable Information PII and Sensitive Personally Identifiable Information SPII of disaster survivors and prevent additional privacy incidents similar to one we identified during our ongoing audit of FEMA’s Transitional Sheltering Assistance TSA program FEMA concurred with both recommendations Based on information provided in your response to the draft alert we consider the recommendations resolved and open Once your office has fully implemented the recommendations please submit a formal closeout letter to us within 30 days so that we may close the recommendations The memorandum should be accompanied by evidence of completion of agreedupon corrective actions Please send your response or closure request to OIGAuditsFollowup@oig dhs gov Consistent with our responsibility under the Inspector General Act we will provide copies of our alert to congressional committees with oversight and appropriation responsibility over the Department of Homeland Security We will post a redacted version of the alert on our website Please call me with any questions or your staff may contact Sondra McCauley Assistant Inspector General for Audits at 202 981-6000 www oig dhs gov FOR OFFICIAL USE ONLY FOR OFFICAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Results in Brief During our ongoing audit of the Federal Emergency Management Agency’s FEMA Transitional Sheltering Assistance TSA program we determined that FEMA violated the Privacy Act of 19741 and Department of Homeland Security the PII and SPII of policy2 by releasing to 2 3 million survivors of hurricanes Harvey Irma and Maria and the California wildfires in 2017 3 FEMA should only provide with limited information needed to verify disaster survivors’ eligibility for the TSA program The privacy incident4 occurred because FEMA did not take steps to ensure it provided only required data elements to Without corrective action the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud Background Through the TSA program FEMA provides transitional sheltering in hotels to disaster survivors displaced by emergencies or major disasters TSA reduces the number of survivors in congregate emergency shelters by providing hotel lodging The contractor administering the TSA program helps disaster survivors obtain short-term lodging at participating hotels FEMA identified more than 2 3 million disaster survivor registrants eligible for the TSA program during the response to hurricanes Harvey Irma and Maria and the California wildfires in 2017 When applying for FEMA disaster assistance applicants are required to provide PII and SPII The Privacy Act of 1974 the Act protects individuals by ensuring personal information collected by Federal agencies is limited to what is legally authorized and necessary The Act also dictates that agencies maintain PII and SPII to preclude unwarranted intrusions upon individual privacy DHS’ 1 Privacy Act of 1974 5 USC 552a as amended DHS Management Directive 11042 1 - Safeguarding Sensitive but Unclassified For Official Use Information January 6 2005 2 3 Hurricane Harvey DR-4332 Hurricane Irma DR-4336 in Puerto Rico DR 4337 in Florida Hurricane Maria DR-4339 and the California Wildfires DR-4344 4 A privacy incident is defined as the loss of control compromise unauthorized disclosure unauthorized acquisition or any similar occurrence when 1 a person other than the authorized user accesses or potentially accesses PII or 2 an authorized user accesses or potentially accesses PII for an unauthorized purpose The term encompasses both suspected and confirmed incidents involving PII whether intentional or inadvertent which raises a reasonable risk of harm The term “privacy incident’ can be used synonymously with the term “breach” DHS Privacy Policy Instruction 047-01-008 Privacy Incident Handling Guidance www oig dhs gov 2 FOR OFFICIAL USE ONLY OIG-19-32 FOR OFFICAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Handbook for Safeguarding Sensitive Personally Identifiable Information December 2017 defines these terms as follows  Personally Identifiable Information PII is any information that permits the identity of an individual to be directly or indirectly inferred including any information that is linked or linkable to that individual regardless of whether the individual is a U S citizen legal permanent resident visitor to the U S or employee or contractor to the Department This includes complete name home address and birthdate when combined  Sensitive PII SPII is a subset of PII which if lost compromised or disclosed without authorization could result in substantial harm embarrassment inconvenience or unfairness to an individual SPII requires stricter handling guidelines because of the increased risk to an individual if the data are compromised This includes financial account information As required by the E-Government Act of 2002 FEMA completed a Privacy Impact Assessment for the Individual Assistance Program which includes the TSA program The assessment identifies the PII including SPII that will be collected from applicants and includes details on the use of this information in implementing FEMA’s Individual Assistance programs Additionally DHS’ Handbook for Safeguarding Sensitive PII December 4 2017 states that only PII necessary for agency staff to perform their official duties should be collected used and disseminated to individuals on a need-to-know basis Survivor Information at Risk FEMA released unnecessary PII and SPII for approximately 2 3 million disaster survivors to its contractor in direct violation of Federal and DHS requirements and its August 2015 TSA program Performance Work Statement The Performance Work Statement identifies 13 data elements FEMA must send to to verify disaster survivor eligibility during the TSA check-in process at participating hotels Some of the data elements contain PII but none of the individual data elements contain SPII 5 The data elements that FEMA must share include 5 Some data elements by themselves rise to a level of SPII called standalone SPII while other data elements of PII grouped together jointly rise to the level of SPII www oig dhs gov 3 FOR OFFICIAL USE ONLY OIG-19-32 FOR OFFICAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security              Applicant First Name Applicant Middle Name Applicant Last Name Applicant Date of Birth Last 4 digits of Applicant’s Social Security Number Disaster Number Authorization for TSA Number of Occupants in Applicants Household Eligibility Start Date Eligibility End Date Global Name Export Sequence Number FEMA Registration Number A privacy incident occurred because FEMA did not ensure it shared with the contractor only the data elements the contractor requires to perform its official duties administering the TSA program FEMA provided and continues to provide with more than 20 unnecessary data fields for survivors participating in the TSA program Of the 20 unnecessary data fields FEMA does not safeguard and improperly releases 6 that include SPII       Applicant Street Address Applicant City Name Applicant Zip Code Applicant’s Financial Institution Name Applicant’s Electronic Funds Transfer Number Applicant’s Bank Transit Number FEMA’s Performance Work Statement identified the data elements needed yet FEMA did not take steps to ensure it provided only the required data elements FEMA only confirmed that received the data transmitted Prior iterations of the TSA program required additional information such as bank names and account numbers however the current TSA program does not require the additional personal information FEMA headquarters officials told us it may be feasible to change the data transfer script to remove the unnecessary PII but such change would need to be coordinated with the Individual Assistance and Mass Care program offices which may be time consuming also did not notify FEMA that it was providing information unnecessary to fulfilling the contract terms Although not required to do so had officials notified FEMA officials that the agency was providing unnecessary PII and SPII www oig dhs gov 4 FOR OFFICIAL USE ONLY OIG-19-32 FOR OFFICAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security for eligible survivors FEMA may have been able to remedy this situation earlier and avoid additional privacy incidents FEMA’s failure to provide only required data elements to has placed approximately 2 3 million disaster survivors at increased risk of identity theft and fraud FEMA must take corrective action to safeguard against improperly releasing PII and SPII of disaster survivors in the future Recommendations Recommendation 1 We recommend that the Federal Emergency Management Agency’s Assistant Administrator for the Recovery Directorate implement controls to ensure that the agency only sends required data elements of registered disaster survivors to contractors such as Recommendation 2 We recommend that the Federal Emergency Management Agency’s Assistant Administrator for the Recovery Directorate assess the extent of this privacy incident and implement a process for ensuring that Personally Identifiable Information including Sensitive Personally Identifiable Information of registered disaster survivors previously released to is properly destroyed pursuant to DHS policy Management Comments and OIG Analysis FEMA concurred with our two recommendations We included a copy of the Department’s management comments in their entirety in appendix A We also received technical comments to the draft report and revised the report as appropriate In its written comments FEMA indicated it has begun to implement measures to assess and mitigate this privacy incident including deploying a Joint Assessment Team of cyber security personnel to the contractor’s facilities FEMA indicated that the Joint Assessment Team had documented the sanitization and removal of the unnecessarily shared PII and SPII from the contractor’s system and performed an in-depth assessment of the contractor’s network According to FEMA these assessments found no indication of intrusion within the last 30 days although the assessment identified that the contractor did not maintain logs past 30 days The Joint Assessment Team also identified several security vulnerabilities As of March 2019 four vulnerabilities had been remediated and the contractor was developing remediation plans for the remaining seven FEMA’s estimated completion date for implementing the recommendations is June 30 2020 Given the sensitive nature of these www oig dhs gov 5 FOR OFFICIAL USE ONLY OIG-19-32 FOR OFFICAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security findings we urge FEMA to expedite this timeline FEMA Response to Recommendation 1 Concur In agreement with OIG’s observations FEMA determined that numerous elements constituting SPII were not necessary to administer the TSA program FEMA stated it had implemented immediate measures to discontinue sharing the unnecessary data and had begun an on-site assessment of network Estimated Completion Date June 30 2020 OIG Analysis We consider these actions responsive to the recommendation This recommendation is resolved and open until FEMA 1 provides a report about the controls implemented to ensure that the agency only sends required data elements on registered disaster survivors to contractors 2 provides a report on the final outcome of the on-site assessment of network 3 provides copies of the contract amendments including the Homeland Security Acquisition Regulation clause requiring annual privacy and security awareness training of staff and 4 provides a report on FEMA’s annual privacy and security training of FEMA employees to mitigate future privacy incidents similar to the one we identified FEMA Response to Recommendation 2 Concur FEMA's Office of the Chief Information Officer OCIO has begun taking corrective actions to conduct an on-site security and risk assessment of data systems and network Upon completion of initial assessment activities FEMA worked with to sanitize all previously transferred non-required PII SPII from system FEMA stated the OCIO will continue to assess systems on a regular basis to assure maintains a security posture in accordance with Federal security standards on handling PII SPII as well as the FEMA Records Retention Schedule covering this information Estimated Completion Date June 30 2020 OIG Analysis We consider these actions responsive to the recommendation This recommendation is resolved and open until FEMA provides a report on its actions to mitigate this privacy incident and its ongoing assessments to ensure the contractor maintains a security posture in accordance with Federal standards for handling PII SPII www oig dhs gov 6 FOR OFFICIAL USE ONLY O IG-19-32 FOR OFFICAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Objective Scope and Methodology The DHS Office of Inspector General was established by the Homeland Security Act of 2002 Pub L No 107−296 116 Stat 2135 which amended the Inspector General Act of 1978 We issued this management alert during an ongoing audit of FEMA’s TSA program The objective of our ongoing audit is to determine to what extent FEMA ensured compliance with contract requirements concerning the TSA program We conducted interviews in June 2018 with FEMA headquarters officials in charge of the TSA program and in July 2018 with FEMA financial management information technology and contracting officials in Winchester Virginia to inform them of the privacy incident We also interviewed state and FEMA officials in Texas specifically concerning the use of the TSA program following Hurricane Harvey in 2017 We reviewed Federal DHS and FEMA criteria related to transitional sheltering and contracting TSA process workflows and standard operating procedures policies procedures and other documentation and TSA data from Hurricanes Harvey Irma and Maria from August 2017 to August 2018 and California wildfires in 2017 including all eligible households program recipients of TSA and program costs We conducted our work under the Inspector General Act of 1978 as amended Section 2 2 b to promote economy efficiency and effectiveness in the administration of and to prevent and detect fraud and abuse in such programs and operations  This management alert focuses only on FEMA’s release of PII and SPII We are continuing this audit so additional recommendations regarding this issue may be included in the full audit report Any corrective actions FEMA takes in response to this management alert will be addressed in our full audit report Office of Audits major contributors to this management alert are Yesi Starinsky Director Andrew Smith Audit Manager David Kinard Auditor-inCharge Keith Lutgen Program Analyst Haidee Lai Auditor Edward Brann Program Analyst Daniel Malone Program Analyst Deborah Mouton-Miller Communications Analyst and John Skrmetti Independent Report Referencer www oig dhs gov 7 FOR OFFICIAL USE ONLY OIG-19-32 FOR OFFICAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Appendix A FEMA Comments to the Draft Alert   www oig dhs gov 8 FOR OFFICIAL USE ONLY OIG-19-32 FOR OFFICAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security www oig dhs gov 9 FOR OFFICIAL USE ONLY OIG-19-32 FOR OFFICAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security www oig dhs gov 10 FOR OFFICIAL USE ONLY OIG-19-32 FOR OFFICAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security www oig dhs gov 11 FOR OFFICIAL USE ONLY OIG-19-32 FOR OFFICAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Appendix B Report Distribution Department of Homeland Security Secretary Deputy Secretary Chief of Staff General Counsel Executive Secretary Director GAO OIG Liaison Office Assistant Secretary for Office of Policy Assistant Secretary for Office of Public Affairs Assistant Secretary for Office of Legislative Affairs FEMA Audit Liaison Congress Congressional Oversight and Appropriations Committee www oig dhs gov 12 FOR OFFICIAL USE ONLY OIG-19-32 Additional Information and Copies To view this and any of our other reports please visit our website at www oig dhs gov For further information or questions please contact Office of Inspector General Public Affairs at DHS-OIG OfficePublicAffairs@oig dhs gov Follow us on Twitter at @dhsoig OIG Hotline To report fraud waste or abuse visit our website at www oig dhs gov and click on the red Hotline tab If you cannot access our website call our hotline at 800 323-8603 fax our hotline at 202 254-4297 or write to us at Department of Homeland Security Office of Inspector General Mail Stop 0305 Attention Hotline 245 Murray Drive SW Washington DC 20528-0305