The Department of Homeland Security (DHS) and its contractors collect and maintain large amounts of personally identifiable information (PII), such as dates of birth and Social Security numbers.
DHS has had several privacy incidents involving the unauthorized disclosure of federal information. In March 2019, for example, the DHS Office of Inspector General reported that the Federal Emergency Management Agency’s (FEMA) Transitional Sheltering Assistance program had overshared PII, including banking and home address information, of more than 2.3 million survivors of Hurricanes Harvey, Irma, and Maria and of the California wildfires with one of the agency’s contractors. In addition, according to a September 2020 DHS Office of Inspector General report, photographs of people in vehicles entering and exiting the U.S. through a land border port of entry were stolen in a cyberattack on the private network of a U.S. Customs and Border Protection (CBP) subcontractor. The attack compromised approximately 100,000 images of travelers, and at least 19 of the images were later posted on the dark web.
DHS has developed various policies to ensure that its contractors protect PII. These policies include providing privacy training and overseeing IT systems operated by contractors.
However, a review by the Government Accountability Office (GAO) found that although DHS components complied with most of the requirements, gaps remained. For example, the U.S. Coast Guard (USCG) did not demonstrate that it had identified and addressed gaps in privacy compliance, DHS headquarters did not administer role-based privacy training, and the Transportation Security Administration (TSA) did not demonstrate that it had evaluated proposed new instances of PII sharing in contractor-operated systems.
DHS developed Privacy Incident Handling Guidance, which outlines the department’s process for identifying and remediating incidents. Of the six components GAO selected for review, four had privacy incidents that resulted in a breach of data between July 1, 2018 and June 30, 2019. According to the government watchdog, “three of the four selected components fully identified, remediated, and identified and shared lessons learned for the privacy incidents that we reviewed. The remaining component identified and shared lessons learned for the privacy incident we reviewed, but did not fully remediate the incident in accordance with guidance”.
GAO found that all four components had completed the activities the guidance requires to identify their respective privacy incidents, and had done so in a timely manner. Specifically, each component reported its incidents to the appropriate component privacy officials and collected the information needed to create a security event notification in the incident database. For example, TSA’s incident intake report recorded the date and time the incident was discovered, the type of data involved, and the number of individuals affected. Further, each component entered the incident in the database and assigned it a priority level within 24 hours of confirming the privacy incident.
Three components, FEMA, U.S. Immigration and Customs Enforcement (ICE), and TSA, completed all of the activities required to remediate their selected incidents in accordance with DHS guidance. The remaining component, CBP, took some steps to remediate its privacy incidents, but GAO found that it did not complete all of them.
GAO’s December 16 report makes seven recommendations:
- The Secretary of the Department of Homeland Security should direct its Privacy Office to provide targeted role-based privacy training to contractors who are responsible for protecting PII.
- The Commandant of the U.S. Coast Guard should direct the USCG Privacy Office to establish a time frame to complete the development of a process that can be used to identify and assess the gaps in contractor compliance with privacy requirements.
- The Commandant of the U.S. Coast Guard should direct the USCG Privacy Office to ensure, in conjunction with the acquisition office, that contractors certify their acceptance of their privacy requirement responsibilities.
- The Commandant of the U.S. Coast Guard should direct the USCG Privacy Office to ensure that evaluations of proposed new instances of sharing personally identifiable information with third parties are fully documented.
- The Commissioner of U.S. Customs and Border Protection should direct the CBP Privacy Office to ensure that risk assessments are fully documented in the incident database.
- The Commissioner of U.S. Customs and Border Protection should direct the CBP Privacy Office to ensure that recommendations to notify affected individuals of privacy incidents are fully documented in the incident database.
- The Administrator of the Transportation Security Administration should direct the TSA Privacy Office to ensure that evaluations of proposed new instances of sharing personally identifiable information with third parties are fully documented.
DHS concurred with each recommendation and said it plans to review its privacy training to determine whether to develop specific role-based training for contractors, as appropriate. In addition, DHS noted that the USCG Privacy Office plans to collaborate with the acquisition office to ensure that all contractors complete privacy awareness training and other required privacy-related training, as required under contractual clauses. The CBP Privacy Office also plans to collaborate with the DHS Privacy Office to clearly delineate roles for posting finalized risk assessments when an incident is categorized as major, and to ensure that the requirement to fully document the provision of notice to affected individuals is built into the incident database. DHS also stated that the TSA Privacy Office would raise proposed new instances of sharing PII with third parties during monthly meetings between the Contracting Officer’s Representative and the contractor lead, and that significant changes would be documented in the DHS Privacy Threshold Analysis.