Lawmakers push for answers on SBA data leak
Despite a glitch that made headlines, the Small Business Administration had planned in advance to build tech tools to support legislative mandates for emergency business loans.
- By Mark Rockwell, Derek B. Johnson
- Apr 24, 2020
Lawmakers are seeking more information about the leak of personally identifiable information from thousands of applicants for loans through the Small Business Administration during the coronavirus pandemic.
Sens. Ben Cardin (D-Md.) and Marco Rubio (R-Fla.) and Rep. Nydia Velazquez (D-N.Y.) wrote to SBA Administrator Jovita Carranza on April 23 seeking "a complete accounting" of an incident in which the personal data, including income and Social Security numbers, of at least 8,000 Economic Injury Disaster Loan (EIDL) applicants was exposed.
SBA confirmed press reports that EIDL applicants may have had some of their data exposed to other applicants. An administration official told CNBC that "we immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal."
A Twitter user posted a copy of the SBA letter on April 17, which said the "inadvertent disclosure" of PII was discovered on March 25.
SBA tech officials had a short time to build applications to handle the anticipated crush of applicants for a number of financial relief programs, including EIDL and the website to help small businesses apply for Paycheck Protection funding – forgivable loans that incentivize businesses to retain employees during the current crisis.
"We had to build things quickly, including the lender gateway in eight days," said Maria Roat, SBA CIO, of its efforts to support the Paycheck Protection Program.
Roat, who spoke at an April 23 virtual event hosted by the Association of Federal Information Resource Managers, was not asked about the data leak in the EIDL portal, but did talk about some of the challenges faced by teams who have to build technology to support new legislative parameters.
Roat said SBA's IT operation was anticipating some of the additional duties of the federal economic support package, but some of the details were a moving target.
For larger banks, the agency leveraged its existing portal for disaster loans and the PPP, she said, but SBA also had to work with a new cadre of small and medium-sized businesses.
"The regular portal for 1,800 lenders we work with was already up and running," she said as the COVID crisis rolled forward. SBA built the lender gateway for small and mid-sized businesses in eight days.
SBA along with Treasury and other agencies had been planning for Congress to pass a recovery bill since March.
"There was a lot of upfront planning. We had to watch legislation for particulars," she said.
Even though the agencies knew there would be money for the PPP program and disaster loans, they didn't know until the legislation was approved what the loan rules were and how the money would be handled.
"That we had to respond to quickly," she said, adding that SBA ran "what if" scenarios in anticipation. While SBA does disaster loans as part of its core program activity, "what was different was large amount of money and how it is vetted and distributed," Roat said.
On the security side, Roat said, SBA worked on geofencing portals to limit access to the United States and its territories.
Along with the external-facing portals, she said the agency has also beefed up internal support capabilities, with new staff to handle incoming calls and requests for online support.