The Federal Emergency Management Agency (FEMA) is under fire for mishandling personally identifiable information (PII) at disaster recovery centers, according to a recent report by the Department of Homeland Security (DHS) Office of the Inspector General (OIG).
The federal investigators determined that FEMA personnel did not comply with federal privacy and security guidelines during the 2015 California wildfire disaster, exposing the victims to potential identity theft, as well as “substantial harm, embarrassment, inconvenience, or unfairness to individuals.”
In response to the devastating wildfires, FEMA set up three disaster recovery centers, which help survivors apply for federal assistance. From October 28, to November 23, 2015, FEMA processed and collected PII from approximately 4,000 applicants at the centers.
DHS defines PII as “any information that permits the identity of an individual to be directly or indirectly inferred, including other information that is linked or linkable to that individual.”
While visiting the disaster recovery centers, the federal investigators observed FEMA personnel storing PII in open, unsecured cardboard boxes and file folders sitting on top of tables. Officials at the center said FEMA seldom supplied them with secured document containers or disposal equipment, such as shredders.
In addition, FEMA personnel were not fully aware of federal standards for safeguarding PII. Moreover, FEMA did not provide management or training officials with a reliable method to track mandatory training or promote privacy awareness.
DHS OIG noted that it informed FEMA of similar challenges regarding privacy awareness and training in 2013, prompting FEMA to develop a plan to implement corrective actions, including conducting privacy compliance inspections. However, FEMA officials at Disaster Recovery Centers for the 2015 California wildfires said they were not aware of any inspections at this disaster.
“While FEMA has made significant progress in developing a culture of privacy protection, it needs more work to increase the privacy footprint at disaster relief sites,” the investigators concluded.
DHS OIG recommended that FEMA take steps to ensure disaster personnel are aware of their responsibilities regarding the protection of PII. Additionally, the agency should create a system to document and enforce compliance with federal standards.
FEMA concurred with DHS OIG’s recommendations, and expects to complete its proposed corrective actions by April 30, 2017.
Rep. Bennie G. Thompson (D-MS), Ranking Member of the Committee on Homeland Security, issued a statement urging FEMA to act swiftly to improve its protection of PII at disaster relief sites in light of the findings of the DHS OIG’s report.
Thompson stated, “I am troubled to learn that FEMA continues to struggle to effectively implement policies to protect disaster survivors’ personally identifiable information at its disaster recovery centers – particularly since several were operating in my district earlier this year. The last thing a disaster survivor needs is to have their PII compromised as they work to rebuild their lives.”
“As Hurricane Season continues, FEMA must act swiftly to implement PII policies and training mechanisms to ensure that those who are affected by disasters can seek assistance from FEMA with the confidence that their personal information will be handled responsibly,” Thompson added.