Some procedures that agencies put in place years ago have come back to haunt them in an era of networks and online databases.
What was once common practice, such as using Social Security numbers as unique identifiers, has put people at greater risk of identity theft.
The Agriculture Department found that out when it discovered through the complaint of a loan recipient that it had inadvertently made public the Social Security numbers of 38,700 grant and loan recipients.
Officials originally thought the number of people affected was much higher. USDA had included Social Security numbers in the publicly accessible Federal Assistance Awards Data System (FAADS), which the Census Bureau manages.
The nine-digit Social Security numbers were embedded in 15-digit federal award identifier numbers. USDA formulated the makeup of those identifiers decades ago, said Charles Christopherson Jr., USDA’s chief financial officer.
“It was not readily apparent…that these were Social Security numbers,” he said at a recent hearing of the House Agriculture Committee.
The incident highlights the fact that past design decisions need to be constantly revisited, said Bill Vajda, the Education Department’s chief information officer and co-chairman of the CIO Council’s Best Practices committee. A comprehensive review can determine how personal information has been coded and used in the past and how that data is being stored.
“Doing that immediately rather than waiting for a disaster to happen would be a very prudent best practice,” Vajda said.
Because many agencies other than the Social Security Administration use Social Security numbers as unique identifiers in databases, the risk of exposing those numbers is widespread, said Daniel Bertoni, acting director of education, workforce and income security issues at the Government Accountability Office.
“The difference today is that there is greater awareness that SSNs are valuable information that must be protected, as well as new laws and requirements regarding the use and display of SSNs,” he said.
And because of today’s higher data security standards, USDA officials had to report the incident and notify the people who could be affected.
Federal laws passed since 1982 require that agencies report financial assistance award information and make it available to Congress, states and the public, Christopherson said. Since then, the personal identifiers of grant and loan recipients have been publicly available in databases on CD-ROMs and the Internet, he said.
After the discovery of data privacy problems April 13, USDA immediately redacted the Social Security numbers from the FAADS database. But it will take years to replace all the department’s unique identifiers with new ones, Christopherson said.
“To replace these systems, which may be one of the things that needs to happen in order to eliminate these identifiers…will take several years,” he said. USDA created some of the oldest databases in the 1970s.
A year ago, USDA began removing Social Security numbers from its databases as part of its effort to improve data security. It has scrubbed 29,500 numbers so far. USDA has about 250 information systems, of which 56 contain personal information.
Data security is high on the agenda for lawmakers. Rep. Tom Davis (R-Va.), ranking member of the Oversight and Government Reform Committee, recently introduced the Federal Agency Data Breach Protection Act.
It directs the Office of Management and Budget to establish practices and standards for informing people of lost data and defines the type of sensitive information to which the law would apply.
