Management Alert - FEMA Did Not Safeguard Disaster Survivors' Sensitive Personally Identifiable Information (REDACTED)

We determined that the Federal Emergency Management Agency (FEMA) violated the Privacy Act of 1974 and Department of Homeland Security policy by unnecessarily releasing to a contractor the Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII) of 2.3 million survivors of Hurricanes Harvey, Irma, and Maria and the California wildfires in 2017. FEMA should have provided the contractor with only limited information needed to verify disaster survivors’ eligibility for the program. The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements. Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud. We recommend FEMA implement controls to ensure it sends only required data elements to contractors. Further, FEMA should assess the extent of this privacy incident and implement a process for ensuring that PII, including SPII, of registered disaster survivors previously released to the contractor is properly destroyed pursuant to DHS policy. FEMA concurred with our two recommendations, notified Congress of the privacy incident as required, and has begun to take actions that have identified additional security vulnerabilities. FEMA’s estimated completion date for implementing the recommendations is June 30, 2020. Given the sensitive nature of these findings, we urge FEMA to expedite this timeline.