On March 22, 2019, the Federal Emergency Management Agency disclosed a privacy incident involving the sharing of sensitive personally identifiable information (SPII) belonging to millions of disaster survivors. FEMA said that it provided to a contractor “more information than was necessary” about people using the Transitional Sheltering Assistance program after hurricanes Harvey, Irma, and Maria, and wildfires in California in 2017. FEMA stated that it has found no indication that the disaster survivors’ data has been compromised, and that it is working with the contractor to remove unnecessary data from the contractor’s system.
The disclosure follows the March 15, 2019 release by the Office of Inspector General of the Department of Homeland Security of a memorandum report headlined, “Management Alert – FEMA Did Not Safeguard Disaster Survivors’ Sensitive Personally Identifiable Information,” which details the unnecessary release of the SPII of 2.3 million people. The OIG found that FEMA’s release of the information violated the Privacy Act of 1974, 5 USC 552a, as amended, thereby placing approximately 2.3 million disaster survivors at increased risk of identity theft and fraud.
The OIG report makes two recommendations: that FEMA’s Assistant Administrator for the Recovery Directorate implement controls to ensure that only required data elements of disaster survivors be sent to FEMA contractors, and that the Agency implement a process for properly destroying the previously released information.