FEMA Shared too Much Information

On March 15th, Homeland Security’s Inspector General released their findings titled, “Management Alert FEMA Did Not Safeguard Disaster Survivors’ Sensitive Personally Identifiable Information (REDACTED)”. 2.3 million individuals are affected by this incident.

FEMA released personally identifiable information (PII) from survivors of hurricanes Harvey, Irma and Maria as well as the California wildfires of 2017 disasters. The information was released to contractors who provide services for the Transitional Sheltering Assistance (“TSA”) program.

There are two classifications of PII. The first classification is commonly known information about an individual and it is labeled PII. The second classification is defined as sensitive PII (SPII). SPII is information that is not commonly known and when put together with other data elements, it can identify an individual.

The report states:

“FEMA provided and continues to provide (redacted) with more than 20 unnecessary data fields for survivors participating in the TSA program. Of the 20 unnecessary data fields, FEMA does not safeguard and improperly releases 6 that include SPII:

  • Applicant Street Address
  • Applicant City Name
  • Applicant Zip Code
  • Applicant’s Financial Institution Name
  • Applicant’s Electronic Funds Transfer Number
  • Applicant’s Bank Transit Number

The lesson from this report is based on the security principle of “Least Privilege”. Many small and medium sized businesses overshare company and client information that is likely considered protected or SPII. The “Least Privilege” principle states that users should only have access to the information they need to perform their job function. The oversharing of information needlessly puts the organization at risk.

Click here to view the original report.

If you would like more information, contact us here or call 937.885.7272.

Follow us on FacebookTwitter and LinkedIn and stay up to date on by subscribing to our email list.

Posted by Jack Gerbs