With all eyes on the Mueller Report, the Federal Emergency Management Agency (FEMA) announced a new national disaster the agency is responding to — its own carelessness.
“In transferring disaster survivor information to a contractor, FEMA provided more information than was necessary,” FEMA press secretary Lizzie Litzow said in a statement. “FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system.”
The people affected include survivors of the 2017 California wildfires and the disastrous 2017 hurricane season that Puerto Rico is still recovering from. Survivors of these disasters that used FEMA’s Transitional Sheltering Assistance program now have had the disaster management agency overshare sensitive data.
Specifically, 1.8 million people had both their banking information and addresses revealed, and about 725,000 people had just their addresses shared, according to the Washington Post.
The breach violated the Privacy Act of 1974.
“This is unacceptable, and FEMA must demonstrate it will do better in the future,” said Rep. Bennie Thompson (D-Mississippi). “Safeguarding the information of Americans already suffering from a disaster should be of the utmost importance.”
While FEMA has argued that there is no evidence to suggest the contractor in question receiving the overshared data has led to that data becoming compromised, the Department of Homeland Security’s Office of the Inspector General noted security logs are only kept for 30 days.
As such, the Inspector General cautioned that survivors of devastating national disasters now face an increased risk of identity theft because of the agency ostensibly charged with helping them survive the aftermath of tragedy.
“Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud,” warned the report.
Neither FEMA nor the Inspector General report identified the contractor.
This isn’t new territory for the disaster management agency. In 2015, a similar Inspector General report found that at a disaster response center in California, government employees left personal information in open-air, unsecured cardboard boxes. And yet another Inspector General report in 2013 found FEMA privacy protections were woefully inadequate at every site the report inspected.
As hurricane and wildfire seasons approach, the emergent pattern of the agency’s privacy failures in odd-numbered years ought to raise a note of caution in both the Department of Homeland Security, and the disaster victims who will need to trust FEMA in 2019.
Katelyn Kivel is a contributing editor and senior legal reporter for Grit Post in Kalamazoo, Michigan. Follow her on Twitter @KatelynKivel.