Data Security: Take Steps to Protect Residents’ and Applicants’ Personal Information

A consistent stream of hacks and large-scale corporate data breaches in the news have heightened the public’s awareness and sensitivity towards privacy issues. Most recently, a major bank broke news of a data breach that affected approximately 100 million customers in the U.S. and another 6 million in Canada. While data breaches of banks and large corporations generate the most news headlines, HUD has had its own problems with the data security of public housing residents.

In November 2016, HUD announced that it had inadvertently put nearly 500,000 individuals at risk of identity theft. HUD had made their personal information such as Social Security numbers and dates of birth publicly available on its website. According to HUD, the data breach was the result of two separate incidents, one of which exposed the personal information of more than 425,000 public housing residents.

HUD said it discovered the breach of the personal information of public housing residents while sharing community service requirement information with local public housing authorities. Under that requirement, public housing residents between the ages of 18 and 62 are required to perform eight hours of community service each month, unless otherwise excused for work or education conflicts. Instead of sharing that information privately with the housing authorities, Excel files with 428,828 individuals’ personal information was made publicly available on HUD’s website. According to HUD, the file included the public housing residents’ last names, last four digits of their Social Security numbers, and their building code identifiers. HUD said that it made these postings five separate times beginning in August 2015, but removed the information from its website on Sept. 22, 2016.

Another incident with potentially compromised personal information involved an attempted fraud being committed against an owner. In December 2018, HUD notified owners that an individual posing as a HUD staff member had called an owner and requested bank account and routing numbers, HUD users’ IDs, voucher amounts, and other specific information. When further questioned by the owner, the caller disconnected. HUD reminded owners that HUD staff will never call asking for this type of information and to contact the site’s assigned HUD Account Executive if they receive such a call. 

In light of increasing data breaches and phishing attempts at personal information, it’s a good idea to review HUD’s requirement to protect the privacy of residents’ information and review the policies and procedures that are currently in place at your site. We’ll provide some resources that you can review to help you update your documents accordingly. Then you can give them to your site staff and educate them about what they’re expected to do to maintain an appropriate level of data security at your site.

In the incident above, the owner who prevented the phony caller from obtaining the requested information was aware of this kind of situation, probably completed at least one security training course, and likely had a written protocol in place to notify HUD of the potential breach.

Protecting Privacy Information

HUD is committed to protecting the privacy of individuals’ information, stored electronically or in paper form, in accordance with the Privacy Act of 1974, as amended, and other federal privacy-related laws, guidance, and best practices.

Personally Identifiable Information (PII) is defined as “...information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” [OMB M-07-16].

A subset of PII to consider is a category labelled Sensitive Personally Identifiable Information (SPII). This is personally identifiable information, which if lost, compromised, or disclosed without authorization, could result in “substantial harm, embarrassment, inconvenience, or unfairness to an individual.” Examples of Sensitive PII include, but are not limited to:

• Social Security numbers (SSN);
• Drivers’ license or state identification numbers;
• Passport numbers;
• Alien Registration numbers;
• Financial account numbers;
• Biometric identifiers; and
• Other data, when combined, such as citizenship or immigration status, personal email address, account passwords, dates of birth, criminal history, or mother’s maiden name.

Review Resources When Creating Data Security Policy

HUD encourages owners to develop their own procedures and internal controls to prevent the improper use or unauthorized disclosure of information about applicants and tenants. Adequate procedures and controls protect not only applicants and tenants, but also owners [HUD Handbook 4350.3, par. 5-19 (B)(2)]. Owners and their employees are subject to penalties for unauthorized disclosure of applicant or resident information. In addition, applicants and residents may initiate civil action against an owner for unauthorized disclosure or improper use of the information they provided [HUD Handbook 4350.3, par. 5-19(B)(1)].

Much of the focus in protecting an applicant or household’s PII is directed at HUD’s Enterprise Income Verification (EIV) system. The EIV system is a web-based computer system that contains the employment and income information of individuals who participate in HUD rental assistance programs.

HUD obtains information about residents from the local PHA, the Social Security Administration (SSA), and the U.S. Department of Health and Human Services (HHS). HHS provides HUD with wage and employment information as reported by employers; and unemployment compensation information as reported by the State Workforce Agency (SWA). SSA provides HUD with death, Social Security (SS), and Supplemental Security Income (SSI) information.

Chapter 9, Section 4, of the HUD Occupancy Handbook 4350.3 provides the guidance and security requirements that sites need to implement to safeguard EIV data. However, while EIV policies and procedures naturally are a main focus of data security measures, EIV security policies should be a subset of an overall written strategy and policy handbook to safeguard all potential tenant or applicant PII that HUD requires to be collected and maintained.

A comprehensive written policy should take into consideration multiple HUD sources. HUD has created and published numerous handbooks and materials that discuss the various requirements for data security. When creating a comprehensive plan, be sure, at a minimum, to review these resources:

• HUD Handbook 4350.3, Chapter 9, Section 4 contains the information required to safeguard HUD’s EIV information.
• HUD Handbook 4350.3, Chapter 5, paragraphs 5-19 (Confidentiality of Applicant and Tenant Information), 5-20 (Security of EIV Data), and 5-23 (Record-Keeping Procedures) discuss the framework to ensure privacy of applicant and tenant information.
• HUD Handbook 4350.3, Chapter 8, paragraph 8-14 covers drug abuse and other criminal activity of residents and applicants. It emphasizes the importance of privacy requirements when obtaining criminal background reports and states that criminal records obtained by the owner must be maintained confidentially, not misused or improperly disseminated, and destroyed three years after tenancy is terminated. Criminal records, including state lifetime sex offender registration checks, received for applicants who never move in must be retained with the application for three years [HUD Handbook 4350.3, par. 8-14(C)(14)]. 
• HUD Handbook 4350.3, paragraph 8-20 discusses EIV income reports. The Federal Privacy Act (5 USC 552a, as amended) prohibits the disclosure of an individual’s information to another person without the written consent of that individual. As such, the EIV data of an adult household member may not be shared (or a copy provided or displayed) with another adult household member, unless the individual has provided written consent to disclose such information. However, the owner isn’t prohibited from discussing with the head of household (HOH) and showing the HOH how the household’s income and rent were determined based on the total income reported and verified [HUD Handbook 4350.3, par. 8-20(C)].
• Chapter 4 of the EIV Multifamily Program User Manual provides specific security information and guidance that must be adhered to when developing policies and procedures [www.hud.gov/sites/dfiles/Housing/documents/P181_EIV_14.5.0_MF_User_Manual.pdf].
• The Security Administration Manual for EIV Systems provides an overview and details the process for how access to the EIV system is granted. The guidance found within this document should be reviewed when determining whom to grant access to EIV, how to grant the applicable access, and how to terminate that access [www.hud.gov/sites/documents/securityadminmanual.pdf].
• HUD Handbook 2400.25, Technology Security Policy, is the comprehensive overview of all of HUD’s policies and safeguards. This handbook should be reviewed by the person developing the site’s policy and procedures documents as well as the person/company responsible for maintaining the site’s computer system [www.hud.gov/sites/dfiles/OCHCO/documents/240025CIOH.pdf].

HUD Guidance on Protecting PII

In April 2015, HUD’s Office of the Chief Information Officer issued guidance on protecting PII. Entitled “Protecting PII: Capacity Building Guidance on Protecting Privacy Information,” it provides succinct guidance on steps to take to help ensure compliance with the Privacy Act and other privacy-related laws. Here’s a summary of the document’s guidance.

1. Limit Collection of PII

• Don’t collect or maintain sensitive PII without proper authorization.
• Collect only the PII that’s needed for the purposes for which it’s collected.

2. Manage Access to Sensitive PII

• Only share or discuss sensitive PII with those who have a need to know for work purposes.
• Don’t distribute or release sensitive PII to others until the release is authorized.
• Before discussing sensitive PII on the telephone, confirm that you’re speaking to the right person and inform him or her that the discussion will include sensitive PII. Don’t leave messages containing sensitive PII on voicemail.
• Avoid discussing sensitive PII if there are unauthorized persons in the adjacent cubicles, rooms, or hallways who may overhear your conversations.
• Hold meetings in secure spaces (no unauthorized access or eavesdropping possible) if sensitive PII will be discussed.
• Treat notes and minutes from such meetings as confidential unless you can verify that they don’t contain sensitive PII. Record date, time, place, subject, chairperson, and attendees at any meeting involving sensitive PII. 

3. Protect Hard Copy and Electronic Files Containing Sensitive PII

• Clearly label all files containing sensitive PII. Examples of appropriate labels might include “For Official Use Only” or “For [Name of Individual/Office] Use Only.”
• Lock up all hard copy files containing sensitive PII in secured file cabinets. Don’t leave sensitive PII in an open area unattended.
• Protect all media (for instance, thumb drives, CDs, etc.) that contain sensitive PII and don’t leave media unattended. This information should be maintained either in secured file cabinets or in computers that have been secured.
• Keep accurate records of where PII is stored, used, and maintained.
• Periodically audit all sensitive PII holdings to make sure that all such information can be readily located.
• Secure digital copies of files containing sensitive PII. Protections include encryption, implementing enhanced authentication mechanisms such as two-factor authentication, and limiting the number of people allowed access to the files.
• Store sensitive PII only on workstations that can be secured, such as workstations located in areas that have restricted physical access.

4. Protect Electronic Transmissions of Sensitive PII via Fax, Email, etc.

• When faxing sensitive PII, use the date stamp function, confirm the fax number, verify that the intended recipient is available, and confirm that he or she has received the fax. Ensure that none of the transmission is stored in memory on the fax machine, and that all paper waste is disposed of properly (shredded). If possible, use a fax machine that uses a secure transmission line.
• When sending sensitive PII via email or via an unsecured information system, make sure the information and any attachments are encrypted.
• If a secure line isn’t available, contact the recipient office before faxing to inform them that information is coming. Then, contact the recipient office following transmission to ensure they received it. For each event, the best course of action is to limit access of PII to only those individuals authorized to handle it, create a paper trail, and verify information reached its destination.
• Don’t place PII on shared drives, multi-access calendars, the Intranet, or the Internet.
• Don’t let PII documents sit on a printer where unauthorized employees or contractors can have access to the information.

5. Protect Hard Copy Files Containing Sensitive PII

• Don’t remove records with sensitive PII from facilities where HUD information is authorized to be stored, or access remotely (that is, from locations other than such physical facilities), unless approval is first obtained from a supervisor.
• Don’t use interoffice or translucent envelopes to mail sensitive PII. Use sealable opaque solid envelopes. Mark the envelope to the person’s attention.
• When using the U.S. Postal Service to deliver information with sensitive PII, double wrap the document (use two envelopes–one inside the other) and mark only the inside envelope as confidential with the statement “To Be Opened by Addressee Only.”
• If PII needs to be sent by courier, mark “signature required” when sending documents, in order to create a paper trail in the event items are misplaced or lost.

6. Practice Proper Records Management, Retention, and Disposition

• Follow all applicable records management laws, regulations, and policies.
• Don’t maintain records longer than required.
• Destroy records after retention requirements are met.
• Dispose of sensitive PII appropriately: Permanently erase electronic records. Shred hard copy records.

7. Respond Promptly to Incidents

• A data breach occurs when PII is viewed, leaked, or accessed by anyone who isn’t the individual or someone authorized to have access to this information as part of his or her official duties.
• Promptly report all suspect compromises of sensitive PII related to HUD programs to HUD’s National Help Desk at 1-888-297-8689.

Attend Additional Security Training Courses

In addition to creating a written data security policy and following HUD guidance on protecting PII, HUD requires Web Access Secure Systems (WASSS) users and coordinators who access EIV or the Tenant Rental Assistance Certification System (TRACS) to complete the Cyber Awareness Challenge each year. Staff involved with certification who don’t have access to EIV are also required to complete this training if they have access to tenant files that contain EIV reports. After the training, users are required to print and maintain the training completion certificate, as it will be requested during the onsite portion of the annual audit and inspection known as the Management and Occupancy Review for participants in the Section 8 project-based rental assistance program.

The current training, Cyber Awareness Challenge 2019, is a major update from previous versions. The course starts with a message from the future describing serious vulnerabilities resulting from decisions in the present. Users are presented with the types of decisions they’re expected to make throughout the Challenge and the consequences of their decisions in the scoring mechanisms. As a user makes decisions in each situation, he or she is introduced to threats associated with spyware, malicious code, phishing, identity theft, and the insider threat, as well as what to do when encountering classified or sensitive documents on the Internet. Users experience the importance of maintaining information security situational awareness when out of a secure area. Users learn security concepts they need to practice in their daily routine at work.

Users will be given the opportunity to answer questions to determine whether they need the Intelligence Community lessons and if they want to take the knowledge check track. The knowledge check option allows users to answer random questions before each lesson, based on content from the 2018 version. If all questions are answered correctly, that lesson can be bypassed and the user will be allowed to move to the next lesson.

The new version can be found at the Department of Defense (DoD) Cyber Exchange Public web page (formerly the Information Assurance Support Environment (IASE)). This page provides limited access to cyber training and guidance to all Internet users. Specifically, the training can be found at https://public.cyber.mil/training/cyber-awareness-challenge-2019/. From this page, choose “Launch Training” under the Cyber Awareness Challenge 2019. The training was designed to function using specific operating systems, so be sure to read the message that pops up when you click on the Cyber Awareness Challenge link. It will explain which operating systems work. Once you’ve completed the challenge, you’ll have the option to save the certificate as a PDF.

In addition to the annually required training session, there are a few additional trainings located at the DoD Cyber Exchange web page. You and your staff members will also benefit from completing the following training modules:

Phishing Awareness—Version 4. This interactive training explains what phishing is and provides examples of the different types of phishing, which include spear phishing (targeting specific groups or individuals) and whaling (targeting senior officials). Phishing techniques such as deceptive emails and websites, as well as browser “tab nabbing,” are discussed. Guidelines are provided to help users to recognize phishing attempts, so that appropriate actions may be taken to avoid these attacks and their consequences. The training explains that phishing is a serious, high-tech scam and that system users are the best line of defense against phishing. Further, the training illustrates why users should always be on the lookout for phishing attempts, even from people within their own organization. The estimated length of this training is 30 minutes and can be found at https://public.cyber.mil/training/phishing-awareness/.

Identifying and Safeguarding Personally Identifiable Information—Version 3. This course explains the responsibilities for safeguarding PII and PHI on both the organizational and individual levels, examines the authorized and unauthorized use and disclosure of PII and PHI, and the organizational and individual penalties for not complying with the policies governing PII and PHI maintenance and protection. Although this training is intended for DOD civilians, military members, and contractors using DoD information systems, this course may also be used by other federal agencies. The estimated length of this training is one hour. It can be found at https://public.cyber.mil/training/identifying-and-safeguarding-personally-identifiable-information-pii/.