Sen. Maggie Hassan (D-N.H.) is asking the Government Accountability Office (GAO) to review Department of Homeland Security (DHS) policies for sharing Americans’ personal information with contractors, citing recent data breaches that exposed the information.
Hassan in a letter to Comptroller General Gene Dodaro zeroed in on the access contractors have to personally identifiable information, or PII, collected by DHS.
The senator, who serves on the Homeland Security and Governmental Affairs Committee, asked GAO to examine DHS requirements for contractors that have access to the information, along with any steps the agency takes if a data breach involving PII occurs.
“In many cases, DHS leverages the capabilities and expertise of contractors to assist it in its mission, and these contractors also have access to millions of Americans’ PII,” Hassan wrote. “While the department’s functions are essential, it is also essential that it protect the PII that is collected on the department’s behalf from improper access or use.”
Hassan cited three data breaches of DHS contractors over the past year that have exposed personal information, including a June incident involving a U.S. Customs and Border Protection contractor’s network that led to the theft of photos of travelers at the border.
In March, the personal information of 2.3 million disaster survivors was exposed during a transfer between the Federal Emergency Management Agency and a contractor, and more recently, DHS announced that it had stored data from a bioterrorism defense program on a vulnerable contractor network.
“Such lapses in sharing PII with contractors or protecting PII in contractor systems is unacceptable,” Hassan wrote. “Accordingly, we request that GAO conduct a review of the policies and procedures in place at DHS to ensure that PII collected or shared with contractors is protected from improper access or use.”
In a separate letter last week, Hassan asked the GAO to examine how the federal government is supporting state and local governments hit by ransomware attacks. In those attacks, an individual or group locks up a computer system and demands payment before unlocking it; this type of attack has become increasingly widespread across the country this year.