What is the issue - The United States Federal Emergency Management Agency (FEMA) has inadvertently shared the private data of almost 2.3 million disaster victims with one of its contractors.
The Office of Inspector General for the Department of Homeland Security published a report titled ‘Management Alert - FEMA did not safeguard disaster survivors’ sensitive personally identifiable information (Redacted)’. The report revealed that FEMA disclosed PII of disaster survivors, including address and banking information, to its contractors.
Why it matters - FEMA provides Hurricane Harvey, Irma, and Maria survivors with a housing facility through its Transitional Sheltering Assistance (TSA) program.
When enrolling in the TSA program, disaster survivors need to provide their personal information to FEMA, which the emergency management agency shared with the contractor that manages the program.
FEMA is required to share some of the personal information of the disaster survivors with the contractor managing the TSA program.
The limited information includes,
However, apart from the above-mentioned information, FEMA provided the contractor with an additional 20 data fields that include applicants' SPII, such as street addresses, city names, zip codes, financial institution names, electronic funds transfer numbers, and bank transit numbers.
“In agreement with OIG’s observations, FEMA determined that numerous elements constituting SPII were not necessary to administer the TSA program. FEMA stated it had implemented immediate measures to discontinue sharing the unnecessary data and had begun an on-site assessment of network,” the report read.