A consistent stream of hacks and large-scale corporate data breaches in the news has heightened the public’s awareness of and sensitivity towards privacy issues. Most recently, a major bank broke news of a data breach that affected approximately 100 million customers in the U.S. and another 6 million in Canada. While data breaches of banks and large corporations generate the most news headlines, HUD has had its own problems with the data security of public housing residents.
In November 2016, HUD announced that it had inadvertently put nearly 500,000 individuals at risk of identity theft. HUD had made their personal information such as Social Security numbers and dates of birth publicly available on its website. According to HUD, the data breach was the result of two separate incidents, one of which exposed the personal information of more than 425,000 public housing residents.
HUD said it discovered the breach of the personal information of public housing residents while sharing community service requirement information with local public housing authorities. Under that requirement, public housing residents between the ages of 18 and 62 are required to perform eight hours of community service each month, unless otherwise excused for work or education conflicts. Instead of sharing that information privately with the housing authorities, Excel files containing 428,828 individuals’ personal information were made publicly available on HUD’s website. According to HUD, the files included the public housing residents’ last names, the last four digits of their Social Security numbers, and their building code identifiers. HUD said that it made these postings five separate times beginning in August 2015, but removed the information from its website on Sept. 22, 2016.
Another incident with potentially compromised personal information involved an attempted fraud being committed against an owner. In December 2018, HUD notified owners that an individual posing as a HUD staff member had called an owner and requested bank account and routing numbers, HUD users’ IDs, voucher amounts, and other specific information. When further questioned by the owner, the caller disconnected. HUD reminded owners that HUD staff will never call asking for this type of information and to contact the site’s assigned HUD Account Executive if they receive such a call.
In light of increasing data breaches and phishing attempts at personal information, it’s a good idea to review HUD’s requirement to protect the privacy of residents’ information and review the policies and procedures that are currently in place at your site. We’ll provide some resources that you can review to help you update your documents accordingly. Then you can give them to your site staff and educate them about what they’re expected to do to maintain an appropriate level of data security at your site.
In the incident above, the owner who prevented the phony caller from obtaining the requested information was aware of this kind of situation, had probably completed at least one security training course, and likely had a written protocol in place to notify HUD of the potential breach.
HUD is committed to protecting the privacy of individuals’ information, stored electronically or in paper form, in accordance with the Privacy Act of 1974, as amended, and other federal privacy-related laws, guidance, and best practices.
Personally Identifiable Information (PII) is defined as “...information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” [OMB M-07-16].
A subset of PII to consider is a category labelled Sensitive Personally Identifiable Information (SPII). This is personally identifiable information, which if lost, compromised, or disclosed without authorization, could result in “substantial harm, embarrassment, inconvenience, or unfairness to an individual.” Examples of Sensitive PII include, but are not limited to:
HUD encourages owners to develop their own procedures and internal controls to prevent the improper use or unauthorized disclosure of information about applicants and tenants. Adequate procedures and controls protect not only applicants and tenants, but also owners [HUD Handbook 4350.3, par. 5-19(B)(2)]. Owners and their employees are subject to penalties for unauthorized disclosure of applicant or resident information. In addition, applicants and residents may initiate civil action against an owner for unauthorized disclosure or improper use of the information they provided [HUD Handbook 4350.3, par. 5-19(B)(1)].
Much of the focus in protecting an applicant or household’s PII is directed at HUD’s Enterprise Income Verification (EIV) system. The EIV system is a web-based computer system that contains the employment and income information of individuals who participate in HUD rental assistance programs.
HUD obtains information about residents from the local PHA, the Social Security Administration (SSA), and the U.S. Department of Health and Human Services (HHS). HHS provides HUD with wage and employment information as reported by employers; and unemployment compensation information as reported by the State Workforce Agency (SWA). SSA provides HUD with death, Social Security (SS), and Supplemental Security Income (SSI) information.
Chapter 9, Section 4, of the HUD Occupancy Handbook 4350.3 provides the guidance and security requirements that sites need to implement to safeguard EIV data. However, while EIV policies and procedures naturally are a main focus of data security measures, EIV security policies should be a subset of an overall written strategy and policy handbook to safeguard all potential tenant or applicant PII that HUD requires to be collected and maintained.
A comprehensive written policy should take into consideration multiple HUD sources. HUD has created and published numerous handbooks and materials that discuss the various requirements for data security. When creating a comprehensive plan, be sure, at a minimum, to review these resources:
In April 2015, HUD’s Office of the Chief Information Officer issued guidance on protecting PII. Entitled “Protecting PII: Capacity Building Guidance on Protecting Privacy Information,” it provides succinct guidance on steps to take to help ensure compliance with the Privacy Act and other privacy-related laws. Here’s a summary of the document’s guidance.
In addition to creating a written data security policy and following HUD guidance on protecting PII, HUD requires Web Access Secure Systems (WASS) users and coordinators who access EIV or the Tenant Rental Assistance Certification System (TRACS) to complete the Cyber Awareness Challenge each year. Staff involved with certification who don’t have access to EIV are also required to complete this training if they have access to tenant files that contain EIV reports. After the training, users are required to print and retain the training completion certificate, because it will be requested during the onsite portion of the annual audit and inspection known as the Management and Occupancy Review for participants in the Section 8 project-based rental assistance program.
The current training, Cyber Awareness Challenge 2019, is a major update from previous versions. The course starts with a message from the future describing serious vulnerabilities resulting from decisions in the present. Users are presented with the types of decisions they’re expected to make throughout the Challenge and the consequences of their decisions in the scoring mechanisms. As a user makes decisions in each situation, he or she is introduced to threats associated with spyware, malicious code, phishing, identity theft, and the insider threat, as well as what to do when encountering classified or sensitive documents on the Internet. Users experience the importance of maintaining information security situational awareness when out of a secure area. Users learn security concepts they need to practice in their daily routine at work.
Users will be given the opportunity to answer questions to determine whether they need the Intelligence Community lessons and if they want to take the knowledge check track. The knowledge check option allows users to answer random questions before each lesson, based on content from the 2018 version. If all questions are answered correctly, that lesson can be bypassed and the user will be allowed to move to the next lesson.
The new version can be found at the Department of Defense (DoD) Cyber Exchange Public web page (formerly the Information Assurance Support Environment (IASE)). This page provides limited access to cyber training and guidance to all Internet users. Specifically, the training can be found at https://public.cyber.mil/training/cyber-awareness-challenge-2019/. From this page, choose “Launch Training” under the Cyber Awareness Challenge 2019. The training was designed to function using specific operating systems, so be sure to read the message that pops up when you click on the Cyber Awareness Challenge link. It will explain which operating systems work. Once you’ve completed the challenge, you’ll have the option to save the certificate as a PDF.
In addition to the annually required training session, there are a few additional trainings located at the DoD Cyber Exchange web page. You and your staff members will also benefit from completing the following training modules:
Phishing Awareness—Version 4. This interactive training explains what phishing is and provides examples of the different types of phishing, which include spear phishing (targeting specific groups or individuals) and whaling (targeting senior officials). Phishing techniques such as deceptive emails and websites, as well as browser “tab nabbing,” are discussed. Guidelines are provided to help users recognize phishing attempts, so that appropriate actions may be taken to avoid these attacks and their consequences. The training explains that phishing is a serious, high-tech scam and that system users are the best line of defense against phishing. Further, the training illustrates why users should always be on the lookout for phishing attempts, even from people within their own organization. The training is estimated to take 30 minutes and can be found at https://public.cyber.mil/training/phishing-awareness/.
Identifying and Safeguarding Personally Identifiable Information—Version 3. This course explains the responsibilities for safeguarding PII and PHI at both the organizational and individual levels, examines the authorized and unauthorized use and disclosure of PII and PHI, and describes the organizational and individual penalties for not complying with the policies governing PII and PHI maintenance and protection. Although this training is intended for DoD civilians, military members, and contractors using DoD information systems, it may also be used by other federal agencies. The training is estimated to take one hour. It can be found at https://public.cyber.mil/training/identifying-and-safeguarding-personally-identifiable-information-pii/.