The Department of Housing and Urban Development (HUD) is missing the mark on records management and privacy requirements to the tune of more than one billion records that contain personally identifiable information (PII), the agency’s Inspector General (IG) said in a recent report.
The IG identified those problems to HUD in a Dec. 19, 2019 memorandum that calls out “specific high risk conditions,” and that precedes a more complete report based on the IG’s Fiscal Year 2019 FISMA (Federal Information Security Modernization Act) evaluation.
“During our fieldwork, we encountered specific records management and privacy issues that pose a serious threat to sensitive information that we believed important to raise now rather than wait for the conclusion of our broader evaluation,” the IG said in its Dec. 19 communication.
“HUD is failing to meet basic records management and privacy requirements for over 1 billion records containing PII,” the IG said, adding, “Specifically, HUD is unable to identify, categorize, and adequately secure all of its electronic and paper records that contain PII.”
That problem, the IG said, stems from HUD’s failure to:
- Identify all of the agency’s information systems and maintain complete inventories of all data on those systems;
- Implement a formal records inventory process and maintain a complete records inventory;
- Establish a data classification program that includes marking and tracking sensitive data; and
- Have access to technical tools to search for sensitive data within its systems.
“In many instances, sensitive PII data is housed within legacy information systems that are increasingly difficult to properly maintain and secure, placing this sensitive data at perpetual risk,” the IG said, adding, “Further, some such systems do not allow the removal of historical electronic data, increasing risk and violating NARA records management requirements.
Part of the problem is also paper-based transactions, the IG said.
“In addition, HUD continues to carry out certain essential business functions through paper transactions. This occurrence is due to some HUD legacy systems not having the capability to accept and process electronic data transferred to HUD by its business partners. For example, large mortgage case binders with PII are printed by banks and mailed to HUD. HUD officials have expressed concern over the volume of paper records maintained by some offices, yet many offices are unaware of how many records they have or which records might contain PII,” the IG said.
The IG cited Office of Management and Budget (OMB) rules requiring Federal agencies to eliminate the use of paper records and transition to electronic data formats to the fullest extent possible by the end of 2022, and said it was “ unable to identify a plan that will enable HUD to meet the OMB requirements.”
“HUD’s inability to identify, categorize, and track its PII poses a significant risk to the agency and to the millions of American citizens and stakeholders who have entrusted their personal information to HUD,” the IG concluded.
The IG said it will issue a formal report at the conclusion of its evaluation, but in the meantime urged HUD to start taking action on the problem.
“As a Federal agency housing such an extensive amount of sensitive data, HUD must prioritize its capability to properly identify and protect this information,” the IG said. “Failure to do so places both the agency and private citizens at risk. OIG urges HUD leadership to assess this condition immediately and work with the appropriate agency components to address this significant risk.”
The IG expects to issue more specific recommendations to the agency soon.