SBA defends data exposure response

Small Business Administration Editorial credit: Jer123 / 

Notification of a potential personal data exposure for 8,000 small business loan applicants seeking to keep payrolls humming during the COVID-19 pandemic took longer than the Small Business Administration wanted because the agency had to cut a contract for credit monitoring services for victims, the agency's deputy CIO told a House business subcommittee on Wednesday.

"I would have liked that to be faster, but that is how long it took to get there," Guy Cavallo, SBA deputy CIO told a July 22, House Small Business Committee's Subcommittee on Investigations, Oversight and Regulations. Cavallo told the subcommittee, SBA worked as quickly as possible both to close the data exposure, as well as to notify those businesses whose data may have been affected.

Closing the exposure took hours but notifying potential victims took far longer, according to Cavallo, because SBA had to line up a contract to provide them with free credit monitoring services.

Cavallo's response was to an inquiry from subcommittee Chairwomen Rep. Judy Chu, D-Calif., about why SBA took until April 15 to issue letters to those businesses potentially affected, when the exposure happened on March 25.

The "data exposure," SBA's Economic Injury Disaster Loans (EIDL) applicants experienced back in March, was fixed in three and a half hours, said Cavallo, but the process to provide free credit monitoring services to those potentially affected took longer because the agency didn't have a current contract with a credit monitoring services vendor to provide those services.

"We had to go to GSA [General Services Administration] to compete it," he said. "We did that on March 29th through 30. Once awarded, the vendor reviewed the logs and found that some didn't have valid addresses and information" that needed to be corrected, he said

Cavallo clarified to Chu that the March incident was not a data breach, but a potential data exposure. Both are serious, he said, but a data breach means bad actors have access to the data for prolonged periods, even potentially downloading it. Data exposure, he said, is more fleeting.

Chu said the incident "shows there clearly needs to be improvement in SBA's IT," also citing a 2014 Government Accountability Office study that found SBA's IT was unprepared for a disaster event that required a massive response.

Under the leadership of SBA CIO Maria Roat, said Cavallo, the agency IT office has been working feverishly since 2016 to implement commercial cloud platforms that are more modern and responsive than legacy systems.

That work, he said, laid the groundwork to create flexible, scalable support for EIDL, Payroll Protection Plan, customer service hub and other small business support platforms in its COVID-response. All of those platforms were implemented within eight days, he said. Some initial glitches, such as delays in access to the small business disaster loan portal for applications, were eased by the cloud platforms' flexibility, he said.

The work SBA has put in over the last three and half years to implement cloud has also allowed it to quickly advance what had been lagging cybersecurity, he said.

According to the Committee on Oversight and Government Reform's Federal Information Technology Acquisition Reform Act (FITARA) scorecard, SBA has made improvements to its IT infrastructure overall, but is still scoring a "D" on cyber security, said Chu in her opening statement . "This is particularly concerning given the cyber security breach that occurred with the EIDL application."

During his testimony, Cavallo pointed to two pilot programs it has been doing with the Department of Homeland Security to understand cloud–based Continuous Diagnostics and Mitigation (CDM) and Trusted Internet Connections (TIC), as proof SBA is making significant progress on cybersecurity.

"Otherwise, DHS would not have selected use to pilot two critical cybersecurity pilots that have changed federal policy," he said.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • FCW Perspectives
    remote workers (elenabsl/

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

  • Management
    shutterstock image By enzozo; photo ID: 319763930

    Where does the TMF Board go from here?

    With a $1 billion cash infusion, relaxed repayment guidelines and a surge in proposals from federal agencies, questions have been raised about whether the board overseeing the Technology Modernization Fund has been scaled to cope with its newfound popularity.

Stay Connected