IG: FEMA Mishandles Sensitive Information at Disaster Sites

Updated: This story was updated June 20 to include a statement from Rep. Bennie G. Thompson, D-Miss., the ranking member of the House Homeland Security Committee.

After a wildfire tears through your community, the last thing you may be worried about is having your identity stolen or your personal information breached.

But maybe you should be.

A new inspector general report finds the Federal Emergency Management Agency still struggles to properly handle the safeguarding of personally identifiable information, or PII, at its disaster recovery centers.

Posted online today, the June 9 management advisory report from the Homeland Security Department’s IG presses FEMA officials to “take quick action to ensure the protection of PII in future disasters.”

The IG report reviewed FEMA’s handling of sensitive personal information at a disaster recovery center in Northern California, during a months-long series of wildfires in the fall of 2015 that scorched more than 307,000 acres of land.

Recovery centers are FEMA facilities where people affected by disasters can sign up for assistance programs. During that process, FEMA officials collect information from applications, which can include names, telephone numbers, Social Security numbers, driver’s license and passport numbers, and financial and medical records.

During the California wildfires, the agency processed and collected PII from approximately 4,000 applicants.

During a site visit, IG investigators observed FEMA personnel placing documents containing personal information in open cardboard boxes and in file folders on table tops -- lax handling of PII, which violates federal privacy guidelines.  

“The mishandling of PII increases the risk of identity theft and can result in substantial harm, embarrassment, inconvenience, or unfairness to individuals,” the report noted.

Officials on-site told investigators FEMA headquarters rarely supplies centers with the proper technical equipment, such as lockable containers or paper shredders, to secure sensitive information.

Part of the problem is a lack of awareness by some FEMA officials about federal privacy rules, the IG found. FEMA management also lacks an effective way to track whether employees have properly undergone privacy awareness training, according to the report.

The report noted the agency has made “significant progress in developing a culture of privacy protection” in recent years. However, the agency “must ensure that disaster assistance personnel are aware of their responsibilities to safeguard PII, and create a system to document and enforce compliance with federal standards.”

FEMA officials agreed with the IG’s  recommendations. In a response to the report, David Bibo, the agency’s acting associate administrator for policy and program analysis, said FEMA continues to promote privacy awareness and that an additional 4,000 employees had undergone privacy awareness training.

In a statement, Rep. Bennie G. Thompson, D-Miss., the ranking member of the House Homeland Security Committee, said he was “troubled” by the report.

“The last thing a disaster survivor needs is to have their PII compromised as they work to rebuild their lives,” he said. Thompson called on FEMA to conduct inspections of disaster recovery centers to evaluate whether personal information is mishandled.

Thompson called on FEMA to “act swiftly” to implement stronger privacy procedures, especially now amid hurricane season.