Poor data hygiene is common

USDA has begun scrubbing its databases of unnecessary Social Security numbers

IRS and Agriculture efforts strike pay dirt

Some procedures that agencies put in place years ago have come back to haunt them in an era of networks and online databases.

What was once common practice, such as using Social Security numbers as unique identifiers, has put people at greater risk of identity theft.

The Agriculture Department found that out when it discovered through the complaint of a loan recipient that it had inadvertently made public the Social Security numbers of 38,700 grant and loan recipients.

Officials originally thought the number of people affected was much higher. USDA had included Social Security numbers in the publicly accessible Federal Assistance Awards Data System (FAADS), which the Census Bureau manages.

The nine-digit Social Security numbers  were embedded in 15-digit federal award identifier numbers. USDA formulated the makeup of those identifiers decades ago, said Charles Christopherson Jr., USDA’s chief financial officer.

“It was not readily apparent…that these were Social Security numbers,” he said at a recent hearing of the House Agriculture Committee.

The incident highlights the fact that past design decisions need to be constantly revisited, said Bill Vajda, the Education Department’s chief information officer and co-chairman of the CIO Council’s Best Practices committee. A comprehensive review can determine how personal information has been coded and used in the past and how that data is being stored.
 
“Doing that immediately rather than waiting for a disaster to happen would be a very prudent best practice,” Vajda said.

Because many agencies other than the Social Security Administration use Social Security numbers as unique identifiers in databases, the risk of exposing those numbers is widespread, said Daniel Bertoni, acting director of education, workforce and income security issues at the Government Accountability Office.
 
“The difference today is that there is greater awareness that SSNs are valuable information that must be protected, as well as new laws and requirements regarding the use and display of SSNs,” he said.

And because of today’s higher data security standards, USDA officials had to report the incident and notify the people who could be affected.

Federal laws passed since 1982 require that agencies report financial assistance award information and make it available to Congress, states and the public, Christopherson said. Since then, the personal identifiers of grant and loan recipients have been publicly available in databases on CD-ROMs and the Internet, he said.

After the discovery of data privacy problems April 13, USDA immediately redacted the Social Security numbers from the FAADS database. But it will take years to replace all the department’s unique identifiers with new ones, Christopherson said.

 “To replace these systems, which may be one of the things that needs to happen in order to eliminate these identifiers…will take several years,” he said. USDA created some of the oldest databases in the 1970s.

A year ago, USDA began removing Social Security numbers from its databases as part of its  effort to improve data security. It has scrubbed 29,500 numbers so far. USDA has about 250 information systems, of which 56 contain personal information.
 
Data security is high on the agenda for lawmakers. Rep. Tom Davis (R-Va.), ranking member of the Oversight and Government Reform Committee, recently introduced the Federal Agency Data Breach Protection Act.
 
It directs the Office of Management and Budget to establish practices and standards for informing people of lost data and defines the type of sensitive information to which the law would apply.
GAO recommends notification standardsThe Office of Management and Budget should develop guidance for agencies about when to offer credit monitoring or assist individuals at risk of identity theft and when to issue a contract for data breach monitoring or alternatives to assist them, the Government Accountability Office said in a report.
GAO recommends:
n Promptly informing key
federal officials.
  • Designating agency officials to decide promptly about notification.
  • Planning carefully how to communicate to the public.
  • Providing security training and awareness.
  • Defining contractor roles and responsibilities.
- Mary Mosquera


FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.

Featured

  • FCW @ 30 GPS

    FCW @ 30

    Since 1986, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

  • Shutterstock image.

    Merged IT modernization bill punts on funding

    A House panel approved a new IT modernization bill that appears poised to pass, but key funding questions are left for appropriators.

  • General Frost

    Army wants cyber capability everywhere

    The Army's cyber director said cyber, electronic warfare and information operations must be integrated into warfighters' doctrine and training.

  • Rising Star 2013

    Meet the 2016 Rising Stars

    FCW honors 30 early-career leaders in federal IT.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group