Protecting Personally Identifiable Information on the Social Security Administration’s Intranet Sites
Our objective was to determine whether the Social Security Administration’s (SSA) Intranet sites were protecting personally identifiable information (PII).
Office of Management and Budget Memorandum (OMB) M-07-16 requires that Executive agencies safeguard PII in the Government’s possession and prevent its breach to ensure the Government retains the public’s trust. OMB suggested three procedures to reduce the amount of PII available to unauthorized users:
To view the full report, visit http://www.ssa.gov/oig/ADOBEPDF/A-12-08-28080.pdf
Our search of SSA’s Intranet sites detected 179 instances of PII being displayed. We found most of this PII on regional Intranet sites maintained by SSA’s Office of Disability Adjudication and Review. In addition, we found 11 other instances of exposed PII on other SSA Intranet sites containing Agency training manuals. After we notified SSA officials about the exposed PII, it was immediately removed from the Intranet sites. The Agency lacked a designated component to monitor PII issues related to SSA’s Internet and Intranet sites. Moreover, SSA had not developed clear and relevant content standards for safeguarding PII on its websites. This lack of controls may have contributed to PII being displayed on SSA’s Intranet sites.
SSA agreed with our recommendations.