Social Security flexible workplace program leaves personal data at risk

The Inspector General's report said more encryption is needed at SSA

Patrick O’Carroll, the Social Security Administration’s Inspector General, recently issued his report evaluating the agency’s new flexible workplace program (known as Flexiplace), which was negotiated between the SSA and the unions representing staff of the agency’s Office of Disability Adjudication and Review (ODAR). The program permits hearing officers to conduct evaluations from an alternate site one day per week, usually the employee’s home. While the audit found improved worker morale and productivity, the IG also warned the SSA that these employees routinely put beneficiary data at risk in a variety of ways.

Files used by ODAR staff routinely contain Social Security numbers, names, addresses, and a wealth of other personal data. The IG’s findings are drawn from interviews with 135 hearing officers and 75 ODAR managers conducted since the implementation of Flexiplace. The audit found that ODAR employees had transported files containing personally identifiable information (PII) out of ODAR facilities on unencrypted CDs, and that chain-of-custody documentation for removing and returning files containing PII was improperly kept.

“While SSA had implemented some preventative measures to safeguard PII removed from its premises, we determined ODAR practices may have exposed claimant data to unauthorized disclosure”, noted the report. “We believe ODAR should identify opportunities to better monitor employee compliance and strengthen Flexiplace controls.”

According to the report, the use of unencrypted CDs to transport data to and from ODAR facilities is rather widespread. The audit interviews revealed that this occurred at 17 of the 20 regional hearing offices the IG’s office surveyed.

ODAR believed policy compliance was achieved if Flexiplace workers simply transported these CDs in a locked container, a practice the IG categorized as an inadequate security measure.

Even though Office of Management and Budget rules require all sensitive data stored on mobile devices and removable media to be encrypted, the SSA’s encryption process is “incompatible with the computer application ODAR uses for electronic claimant records”, said the report. In its final recommendations the IG suggested that ODAR employees store electronic PII only on encrypted and password-protected laptops until a suitable CD encryption solution is found.

In response to the IG’s recommendation, James Winn, executive counselor to the SSA commissioner, assured the IG that the agency now has enough encrypted, password-protected laptops for Flexiplace staff and will no longer allow PII to be removed from its facilities on CDs.
