Senator Demands Review of How DHS Shares PII With Contractors
Sen. Maggie Hassan Asks GAO to Scrutinize DHS' Third-Party Security Practices
Sen. Maggie Hassan, D-N.H., is demanding that the U.S. Government Accountability Office review how the Department of Homeland Security shares personal data with third parties following several recent security incidents in which such information was exposed.
In an Oct. 23 letter to the GAO, Hassan writes that recent "troubling" security incidents connected to third-party contractors working with DHS have raised concerns about the increased threats of identity theft and fraud from data that may have leaked.
While DHS collects and maintains a large volume of citizens' personally identifiable information as part of its law enforcement mandate, it increasingly depends on third parties for storing and securing large volumes of that data, and attackers have succeeded in exploiting security loopholes to access this data, the lawmaker notes in the letter.
Your personal information should always be handled with care.
But over the past year, there have been 3 data breaches of @DHSgov contractors – putting Americans' privacy at risk.
I recently wrote to @USGAO asking them to review DHS's policies. https://t.co/aslFST2cUO
— Sen. Maggie Hassan (@SenatorHassan) October 24, 2019
A GAO spokesperson tells Information Security Media Group that the letter will “go through a review process before we take any action. That review usually takes a few weeks.”
A DHS spokesperson, and Hassan's office, did not respond to a request for additional information.
Three Incidents
Hassan, who serves on the Homeland Security and Governmental Affairs Committee, cites three incidents that happened between March and June that have raised questions about how DHS shares data with third parties as well as the inability of some contractors to secure that data.
These incidents include:
- In March, the Inspector General's Office found that the Federal Emergency Management Agency, a unit of DHS, shared too much personally identifiable information with third-party contractors. This included information related to 2.3 million citizens affected by hurricanes and wildfires over the last several years.
- In June, U.S. Customs and Border Protection, another DHS unit, announced that license plate images and photos of travelers collected at the U.S. border had been compromised after a federal government subcontractor was hacked. In this case, the images of about 100,000 travelers were exposed, and an initial investigation found that the contractor did not follow the security protocols outlined in its contract with the agency (see: US Border License Plate and Traveler Photos Exposed).
- News stories emerged that DHS stored sensitive data from the nation's bioterrorism defense program on insecure websites where it was vulnerable to attacks. Those sites were run by a third-party contractor, according to the Los Angeles Times.
These three incidents raise questions about how much data DHS should share with third parties and whether those policies need to be reviewed by the GAO, Hassan writes in her letter.
"We request the GAO to conduct a review of the policies and procedures in place at DHS to ensure that PII collected by or shared with contractors is protected from improper access or use," the senator writes.
Privacy Concerns
In her letter, Hassan requests GAO consider three questions:
- What requirements does DHS impose on contractors to protect personally identifiable information that they receive or collect on behalf of the department?
- What oversight mechanisms are in place at major DHS units to ensure that contractors fully adhere to the department's security and privacy policy?
- When data breaches do occur, what steps does DHS take to ensure that the root causes are identified and remediated in contractor systems and programs?
Hassan's letter was the second she’s sent to GAO this month raising concerns over cybersecurity issues.
On Oct. 18, Hassan asked the GAO to investigate how the federal government supports local and state governments following ransomware attacks. These types of attacks against municipalities have been on the increase since the start of the year (see: Just How Widespread Is Ransomware Epidemic?).