Social Security flexible workplace program leaves personal data at risk

16 June 2010

A recent report from the Social Security Administration’s Inspector General reveals that beneficiaries’ personal data has been put at risk through its new flexible workplace policy. The IG asserted that lax adherence to the agency’s employee compliance standards is to blame.

Patrick O’Carroll, the Social Security Administration’s Inspector General, recently issued his report evaluating the agency’s new flexible workplace program (known as Flexiplace) that was negotiated between the SSA and unions representing the agency’s Office of Disability Adjudication and Review (ODAR) staff. The program permits hearing officers to conduct evaluations from an alternate site, usually the employee’s home, one day per week. While the audit showed an increase in worker morale and productivity, the IG also warned the SSA that these employees routinely put beneficiary data at risk through a variety of means.

Files used by ODAR staff routinely contain Social Security numbers, names, addresses, and a wealth of other personal data. The IG audit results come from interviews of 135 hearing officers and 75 ODAR managers conducted since the implementation of Flexiplace. The audit found that ODAR employees had transported files containing personal identifying information (PII) from its facilities on unencrypted CDs, and that chain of custody documentation was improper when files containing PII were removed and returned.

“While SSA had implemented some preventative measures to safeguard PII removed from its premises, we determined ODAR practices may have exposed claimant data to unauthorized disclosure”, noted the report. “We believe ODAR should identify opportunities to better monitor employee compliance and strengthen Flexiplace controls.”

According to the report, the use of unencrypted CDs to transport data to and from ODAR facilities is rather widespread. The audit interviews revealed that this occurred at 17 of the 20 regional hearing offices the IG’s office surveyed.

The ODAR believed policy compliance was achieved if Flexiplace workers simply transported these CDs in a locked container, a practice the IG categorized as an inadequate security measure.

Even though Office of Management and Budget rules require all sensitive data to be encrypted on mobile devices, the SSA’s encryption process is “incompatible with the computer application ODAR uses for electronic claimant records”, said the report. In its final recommendations the IG suggested that ODAR employees store electronic PII only on encrypted and password-protected laptops until a suitable CD encryption solution is reached.

In response to the IG’s recommendation, James Winn, executive counselor to the SSA commissioner, gave assurances that the agency now has enough encrypted/password-protected laptops for Flexiplace staff and will no longer allow PII to be removed from its facilities on CDs.
