Poor data hygiene is common

USDA has begun scrubbing its databases of unnecessary Social Security numbers

IRS and Agriculture efforts strike pay dirt

Some procedures that agencies put in place years ago have come back to haunt them in an era of networks and online databases.

What was once common practice, such as using Social Security numbers as unique identifiers, has put people at greater risk of identity theft.

The Agriculture Department found that out when it discovered through the complaint of a loan recipient that it had inadvertently made public the Social Security numbers of 38,700 grant and loan recipients.

Officials originally thought the number of people affected was much higher. USDA had included Social Security numbers in the publicly accessible Federal Assistance Awards Data System (FAADS), which the Census Bureau manages.

The nine-digit Social Security numbers were embedded in 15-digit federal award identifier numbers. USDA formulated the makeup of those identifiers decades ago, said Charles Christopherson Jr., USDA’s chief financial officer.

“It was not readily apparent…that these were Social Security numbers,” he said at a recent hearing of the House Agriculture Committee.

The incident highlights the fact that past design decisions need to be constantly revisited, said Bill Vajda, the Education Department’s chief information officer and co-chairman of the CIO Council’s Best Practices committee. A comprehensive review can determine how personal information has been coded and used in the past and how that data is being stored.
 
“Doing that immediately rather than waiting for a disaster to happen would be a very prudent best practice,” Vajda said.

Because many agencies other than the Social Security Administration use Social Security numbers as unique identifiers in databases, the risk of exposing those numbers is widespread, said Daniel Bertoni, acting director of education, workforce and income security issues at the Government Accountability Office.
 
“The difference today is that there is greater awareness that SSNs are valuable information that must be protected, as well as new laws and requirements regarding the use and display of SSNs,” he said.

And because of today’s higher data security standards, USDA officials had to report the incident and notify the people who could be affected.

Federal laws passed since 1982 require that agencies report financial assistance award information and make it available to Congress, states and the public, Christopherson said. Since then, the personal identifiers of grant and loan recipients have been publicly available in databases on CD-ROMs and the Internet, he said.

After the discovery of data privacy problems April 13, USDA immediately redacted the Social Security numbers from the FAADS database. But it will take years to replace all the department’s unique identifiers with new ones, Christopherson said.

“To replace these systems, which may be one of the things that needs to happen in order to eliminate these identifiers…will take several years,” he said. USDA created some of the oldest databases in the 1970s.

A year ago, USDA began removing Social Security numbers from its databases as part of its effort to improve data security. It has scrubbed 29,500 numbers so far. USDA has about 250 information systems, of which 56 contain personal information.
 
Data security is high on the agenda for lawmakers. Rep. Tom Davis (R-Va.), ranking member of the Oversight and Government Reform Committee, recently introduced the Federal Agency Data Breach Protection Act.
 
It directs the Office of Management and Budget to establish practices and standards for informing people of lost data and defines the type of sensitive information to which the law would apply.

GAO recommends notification standards

The Office of Management and Budget should develop guidance for agencies about when to offer credit monitoring or assist individuals at risk of identity theft and when to issue a contract for data breach monitoring or alternatives to assist them, the Government Accountability Office said in a report.

GAO recommends:

  • Promptly informing key federal officials.
  • Designating agency officials to decide promptly about notification.
  • Planning carefully how to communicate to the public.
  • Providing security training and awareness.
  • Defining contractor roles and responsibilities.
- Mary Mosquera

