Audit: USAID Needs to Enhance Data Protections
OIG Report Outlines Security Recommendations
Despite security improvements over the last seven years, the U.S. Agency for International Development - USAID - needs to better protect the large amounts of personal identifiable data - such as Social Security numbers - that the agency collects, according to an inspector general's audit.
The report lists several recommendations, including measuring the effectiveness of the data loss prevention tools the agency deploys, providing better training for staff and reducing the amount of personal data, such as Social Security numbers, that the agency collects.
USAID is an independent agency responsible for administering aid and development assistance overseas. Its 2021 budget was approximately $25 billion, according to the White House.
The audit notes that USAID has made some significant improvements since 2014, when another investigation found the agency struggling with ensuring that the personal data it collected remained secured. Still, more needs to be done.
"While USAID implemented some key privacy controls to protect [personally identifiable information], additional actions are needed," the audit concludes. "These key elements of a privacy program are needed to protect PII and provide the public with sufficient information about records containing their information so that they know how their PII is safeguarded against misuse. Acting now would also guard against loss, unauthorized use and lack of trust in the organization and limit risks related to litigation and compensation to the victims."
Too many federal government agencies continue to mishandle personal data and need to make security improvements, says Tim Wade, a former security and technical manager for the U.S. Air Force.
"The first step to addressing a problem is to acknowledge a problem, and so on that front, we can applaud this audit," says Wade, now the director of the CTO team at security firm Vectra AI. "But unless and until actual consequences rumble through the bureaucracy resulting in tangible consequences for these systemic failures to protect individual privacy, I’ll curb my own optimism on real progress on this front."
USAID's Response
The inspector general's report notes that USAID agreed with four of the five recommendations outlined in the report, but only partially agreed with the remaining recommendation, which concerns the publishing of System of Records Notices, or SORNs, in the Federal Register.
A SORN describes a group of records under a federal agency's control that contain information about individuals. Federal law requires each agency to publish its SORNs in the Federal Register.
The audit found that the SORNs overseen by USAID were missing required information and elements and that the agency needs to improve these documents. While USAID did not fully agree with the finding on how it maintains its SORNs, the agency noted that it plans to implement all five recommendations.
Recommendations
Over the last seven years, USAID has made a series of improvements in how the agency protects personal data, including justifying why it needs to collect Social Security numbers, publishing SORNs to the Federal Register and developing security plans to better protect the personal data it collects.
To continue to improve the way the agency protects data, the audit notes five areas where USAID needs to continue to make updates. These include:
- Measure effectiveness of data loss prevention tools: While USAID deploys DLP tools made by Google, the agency needs to do more to measure their effectiveness. "OIG sent a total of nine emails containing fillable PDF forms and Excel spreadsheets with fictitious PII, including SSNs, names, home addresses, email addresses, telephone numbers, and dates of birth," the report notes. "However, USAID's Google DLP tool did not capture those outgoing emails or prevent them from being sent."
- Improve privacy training: The audit found that USAID's staff did not have proper privacy training to ensure that personally identifiable information that's collected is secured.
- Reduce collection of Social Security numbers: The audit found that USAID continues to collect Social Security numbers despite a 2007 order from the Office of Management and Budget requiring federal agencies to reduce the number of Social Security numbers they collect. The audit states that USAID needs to create a list of actions for doing so.
- Improve publishing of SORNs: The report recommends that USAID improve the way it maintains its SORNs and publishes the information to the Federal Register.
- Create an inventory of websites: The audit also found that USAID needs to create a comprehensive list of the public-facing websites the agency runs, as well as the third-party sites associated with the agency, all of which can collect personal information from users. The current inventory did not contain URLs for 202 of the 264 websites controlled by USAID. "USAID was unable to determine the extent to which privacy notices were placed on third-party websites and if additional privacy notices needed to be posted. As such, users may not have adequate information regarding how their PII would be protected and used by third-party websites," the report notes.
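To show what measuring DLP effectiveness looks like in practice, here is an added Python example. It is not USAID's or Google's tooling and not code from the report: a small pattern-based outbound-mail policy, run over constructed test messages that carry fictitious PII in bodies and in text extracted from attachments, the way the OIG's nine test emails did, with a detection rate and a false-positive rate reported at the end. The message record, the internal domain `agency.example`, the sample messages and the blocking rule are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical outbound-message record (constructed for this example); it is not
# the data model of USAID's or Google's DLP tooling.
@dataclass
class OutboundMessage:
    message_id: str
    recipient: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text

# Patterns for the PII types the OIG test emails carried (SSNs, phone numbers,
# email addresses, dates of birth). The SSN pattern rejects area numbers 000, 666
# and 900-999, group 00 and serial 0000, which are never issued, so arbitrary
# nine-digit codes are less likely to trip it.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}


def scan_text(text):
    """Count matches per PII type in one blob of text (a body or an extracted attachment)."""
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items() if rx.search(text)}


def inspect_message(msg, internal_domains=("agency.example",)):
    """Return (block, findings).

    The assumed policy blocks a message when the recipient is outside the listed
    internal domains and any part of the message contains an SSN, or contains two
    or more distinct PII types together.
    """
    findings = {"body": scan_text(msg.body)}
    for fname, text in msg.attachments.items():
        findings[fname] = scan_text(text)
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    internal = any(domain == d or domain.endswith("." + d) for d in internal_domains)
    ssns = sum(f.get("ssn", 0) for f in findings.values())
    kinds = {k for f in findings.values() for k in f}
    block = (not internal) and (ssns > 0 or len(kinds) >= 2)
    return block, findings


def measure_dlp(labelled, inspect=inspect_message):
    """Run the policy over (message, should_block) pairs and report its effectiveness."""
    tp = fn = fp = tn = 0
    for msg, should_block in labelled:
        blocked, _ = inspect(msg)
        if should_block and blocked:
            tp += 1
        elif should_block:
            fn += 1
        elif blocked:
            fp += 1
        else:
            tn += 1
    return {
        "tp": tp, "fn": fn, "fp": fp, "tn": tn,
        "detection_rate": tp / (tp + fn) if tp + fn else None,
        "false_positive_rate": fp / (fp + tn) if fp + tn else None,
    }


# Constructed test set: fictitious PII only, modelled on the OIG's fillable-form
# and spreadsheet test emails. The boolean is the expected verdict.
TEST_MESSAGES = [
    (OutboundMessage("m1", "contractor@example.org", "Attached is the intake form.",
        {"intake_form.pdf": "Name: Jane Doe\nSSN: 123-45-6789\nDOB: 04/12/1980\nPhone: (202) 555-0143"}), True),
    (OutboundMessage("m2", "partner@example.net", "Roster attached, please review.",
        {"roster.xlsx": "Doe,John,321-54-9876,john.doe@example.com\nRoe,Mary,234-56-7891,mary.roe@example.com"}), True),
    (OutboundMessage("m3", "vendor@example.com",
        "Per our call: applicant SSN 456-78-9012, reach her at 202-555-0199 or appl@example.com."), True),
    # A lone office phone number to an external party should not be blocked.
    (OutboundMessage("m4", "help@example.org", "Our main line is 202-555-0100; call between 9 and 5."), False),
    # Internal recipient: the policy does not block intra-agency traffic.
    (OutboundMessage("m5", "colleague@agency.example", "Case file SSN 111-22-3333 for internal review."), False),
    # SSN typed without dashes on a scanned form: a gap the measurement should surface.
    (OutboundMessage("m6", "auditor@example.org", "Scan of the form attached.",
        {"form_scan.pdf": "Applicant J. Doe, SSN 456789012 (no dashes on the scanned form)"}), True),
]

if __name__ == "__main__":
    print(measure_dlp(TEST_MESSAGES))
```

The sixth message, with an SSN written without dashes, slips past the pattern and shows up as a missed detection; that is exactly the kind of gap a measurement exercise is meant to expose before an auditor does. Whether a real DLP product sees the text inside a PDF form or a spreadsheet depends on its attachment content extraction, so the test set should use the file formats actually in circulation.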
Data Privacy Difficulties
JB Eid, the data privacy principal for the consultancy Coalfire, notes that agencies such as USAID continue to have problems with protecting the data they collect because managing and storing all this information, as well as ensuring governance and compliance, can be difficult.
"Many companies don’t know their data, where it is going, and what is done once it gets there. Solving this problem immediately gets to the root of any good privacy program," Eid says. "If USAID had documented their data flows, it would show their risks and how those risks are being mitigated. If they also improve their policies and procedures, they should be in good shape for their next OIG audit."