Data breaches are a serious threat to organizations all over the world. Cybersecurity is starting to become more of a priority, but cybercriminals are not the only threat to the personal and sensitive data kept on an organization’s network. Sometimes an organization itself can mistakenly release data to an outside source, which is exactly what happened in a recent incident involving data held by the Federal Emergency Management Agency (FEMA).
During an audit of one of FEMA’s assistance programs, the Department of Homeland Security found that FEMA mistakenly shared the personal data of 2.3 million survivors of a number of natural disasters with an unnamed contractor. The exposed data belonged to survivors of the 2017 California wildfires as well as hurricanes Harvey, Irma, and Maria. The affected survivors had provided their private information to FEMA in order to obtain temporary housing as part of the Transitional Sheltering Assistance (TSA) program.
The audit found that FEMA itself jeopardized the private information it had collected from applicants when the organization released more information than necessary to an undisclosed outside contractor handling the TSA program. The report stated that FEMA shared “more than 20 unnecessary data fields for survivors participating in the TSA program,” with the contractor, including home addresses, bank account numbers and other details about the survivors’ financial institutions.
In an email statement, FEMA assured the public that it “has taken aggressive measures to correct this error,” and “has also worked with the contractor to remove the unnecessary data from the system,” among other remedial actions. While FEMA insists that there are indicators to suggest the data was compromised, the event itself highlights a greater need for data release controls when sharing information between organizations. According to industry experts, very few organizations currently possess the controls to properly monitor their internal systems and effectively follow the movement of data. Because of this lack of control, data breaches tend to go unrecognized for longer amounts of time.
Organizations should be prepared to prevent data breaches at all costs, and that includes data leakage incidents caused by internal error too. Effective data release controls include the monitoring of what kind of information is being shared with partners, vendors and contractors as well as supervising database access and activity. Software can be utilized to notify administrators when an employee downloads, copies, deletes or modifies any information on a specific database. Two-party verification can be required when any data needs to be accessed, shared or changed to help reduce administrative errors.
Most importantly, organizations that keep sensitive data need comprehensive cyber liability insurance to help address the exposures they face and provide them with information and expertise to minimize the disruption a data breach can cause.
About Connected Risk Solutions
At Connected Risk Solutions, we use our expertise and experience to provide insurance information and programs to those who serve long-term care and senior living facilities. Since 2007, we’ve been offering insurance and risk management plans designed to help our agents give their clients the ability to achieve continued growth while simultaneously protecting against loss, containing costs and increasing profitability. To learn more, contact us at (877) 890-9301.
