House Science, Space, and Technology Committee Ranking Member Frank Lucas was joined by eight Republican Committee Members on an oversight letter to the Federal Emergency Management Agency (FEMA) today.

On March 22, 2019, the Department of Homeland Security (DHS) Office of Inspector General (OIG) published a Management Alert that revealed FEMA released 2.3 million disaster survivors’ Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII) in the wake of Hurricanes Harvey, Irma, and Maria and the 2017 California wildfires.

The data release puts survivors at increased risk of identity theft, fraud, and other scams, which is particularly problematic in the wake of a disaster when, as FEMA warns on its website, “scam artists, identity thieves, and other criminals often attempt to take advantage of vulnerable survivors.”

Under the Federal Information Security Modernization Act (FISMA), Federal departments and agencies are required to report major cybersecurity breaches to the Committee. Additionally, the Committee has jurisdiction over the National Institute of Standards and Technology, which develops cybersecurity standards and guidelines for the Federal government and recommendations for the private sector. “All attending presenters should also be prepared to discuss FEMA’s adherence to the NIST Cybersecurity Framework, and other NIST products governing proper controls for protecting PII,” the letter reads.

The full letter, available online here, was signed by Ranking Member Frank Lucas and Reps. Randy Weber (R-TX), Roger Marshall (R-KS), Michael Cloud (R-TX), Jenniffer González-Colón (R-PR), Bill Posey (R-FL), Brian Babin (R-TX), Ralph Norman (R-SC), and Jim Baird (R-IN).

Ranking Member Frank Lucas (R-OK):

“Disaster survivors must navigate paperwork, medical bills, temporary lodging, and the task of rebuilding, often in chaotic situations. These individuals are already vulnerable to criminal acts and the last thing they need is to have their sensitive information revealed by the government agency meant to be providing assistance.  We have a responsibility to learn more about this privacy violation and to ensure we prevent similar incidents in the future.”

Energy Subcommittee Ranking Member Randy Weber (R-TX):

“Recovering from a disaster is hard enough. The last thing individuals need to worry about is whether their personal information might be compromised. I am concerned about recent information that FEMA overshared with some vendors, and glad FEMA immediately went to work fixing the problem once it was identified. We’ve worked closely with FEMA throughout Hurricane Harvey recovery, so I’m hopeful this briefing request will be accommodated and fruitful. Moving forward, FEMA must work to ensure this unacceptable oversharing of personal information never happens again.”

Representative Michael Cloud (R-TX):

“FEMA’s release of the sensitive personal information of 2.3 million people – including many Hurricane Harvey survivors in my district – is unacceptable. I will be working to make sure that Congress thoroughly investigates this blunder to determine why it occurred, how survivors may be affected, and what FEMA is doing to ensure our government better protects our citizens’ information.”

Representative Jenniffer González-Colón (R-PR)

“Survivors of natural disasters are in an especially vulnerable position. In the case of Puerto Rico, hundreds of thousands of my constituents lost a great deal—some lost all of their belongings. Today, close to 18 months after Hurricanes Irma and Maria, island residents are still trying to recover and heavily rely on the assistance and expertise of federal agencies like FEMA. To think that their personal information was compromised by failure to employ safe and measured data sharing practices is unacceptable. I appreciate Ranking Member Lucas for his leadership in helping us directly assess this incident.”