April 24, 2007

Baucus Wants ID Security Breaches Investigated, Stopped

Finance Chairman concerned by USDA, FEMA leaks of Social Security information

Washington, DC – Senate Finance Committee Chairman Max Baucus (D-Mont.) today called for a crackdown on accidental releases of Americans’ Social Security numbers to the public. In a letter to Office of Management and Budget (OMB) director Rob Portman, Baucus condemned two recent security breaches involving thousands of Social Security numbers on a U.S. Department of Agriculture website and printed on outgoing FEMA mail. Baucus, whose committee oversees Social Security policy, requested a report from OMB on the investigation into the two most recently reported breaches, and on the steps being taken to secure Americans’ personal information at Federal agencies.

“It seems some Federal agencies still don’t get how sensitive Social Security numbers are. But identity theft is already rampant in our country, and I’d rather the government didn’t offer crooks any extra help,” Baucus said. “Congress has passed significant legislation to protect Americans’ private information, but these episodes show that more needs to be done. I want to know what’s being done to investigate these breaches, and what’s being done to keep this from happening again.”

The text of the Senator’s letter follows here.



April 24, 2007


Mr. Rob Portman
Director
Office of Management and Budget
725 17th Street NW
Washington, DC 20503

Dear Mr. Portman:

I am extremely concerned about two instances where sensitive personal information was released to the public. The first instance was reported in the April 20, 2007 New York Times story entitled “Federal Database Exposes Social Security Numbers.” The Times reported that the Department of Agriculture has maintained a publicly accessible database which included the Social Security Numbers (SSNs) for as many as 38,700 people. The information was available on a public Census Bureau website and was discovered by an Illinois farmer. The second instance was in a story in the Washington Post on April 23, 2007. The story reported that FEMA was responsible for printing the SSNs of 2,300 people on the outside address labels of their Disaster Assistance Employee (DAE) reappointment letters.

Both of these releases of sensitive personal information violate the Privacy Act and the Social Security Act. These disturbing releases of information could be devastating to those who have had their financial security compromised. It is also very costly to the taxpayer since the Department of Agriculture now expects to spend up to $4 million to allow those affected to have their credit reports monitored.

Executive agencies must be good stewards of the information that citizens entrust to them. As the law prohibits the release of personal information, and SSNs in particular, I would like you to report to me what steps have been or will be taken to investigate these two releases. At the very least, the Offices of Inspector General (OIGs) from the Departments of Homeland Security, Agriculture, and Commerce must conduct thorough investigations of these two violations of the Privacy Act and the Social Security Act.

This incident reveals that insufficient progress has been made by the Federal Government in securing sensitive personal information, in spite of years of public attention. Previous warnings have been issued by agency OIGs of serious vulnerabilities in SSN safeguards. For example, a March 17, 2003 audit report by the Social Security Administration OIG to the President’s Council on Integrity and Efficiency found that “9 (60 percent) of 15 OIGs reported that their agencies had inadequate controls over access to SSNs maintained in their databases.”

I am very troubled that a serious privacy violation could simply be found by an Illinois farmer surfing the internet, but not by the Departments of Agriculture and Commerce. You must see that the activities of all Federal agencies are reviewed to ensure that no sensitive personal information is or will be made publicly available. It is important that all such activities be examined, not just those that are recent. In the case of the Department of Agriculture, its database contained information that was quite old. Moreover, as the two releases of SSNs are violations of the Privacy Act and the Social Security Act, you need to make sure there are no other violations of these Acts that are occurring.

By July 30th, I want you to report to me on what actions have been taken or will be taken by Federal agencies to ensure the security of personal information. I must be able to reassure my constituents that these deplorable incidents do not recur. It is vital that we restore public confidence in the security of Federal Government information.


Sincerely,

Max Baucus
Chairman, Senate Finance Committee

# # #