Report Summary
Social Security Administration Office of the Inspector General

August 2009

Protecting Personally Identifiable Information on the Social Security Administration’s Intranet Sites
(A-12-09-29118)


Objective

Our objective was to determine whether the Social Security Administration’s (SSA) Intranet sites were protecting personally identifiable information (PII).

Background

Office of Management and Budget (OMB) Memorandum M-07-16 requires that Executive agencies safeguard PII in the Government’s possession and prevent its breach to ensure the Government retains the public’s trust.  OMB suggested three procedures to reduce the amount of PII available to unauthorized users:

To view the full report, visit http://www.ssa.gov/oig/ADOBEPDF/A-12-08-28080.pdf

Our Findings

Our search of SSA’s Intranet sites detected 179 instances of PII being displayed.  We found most of this PII on regional Intranet sites maintained by SSA’s Office of Disability Adjudication and Review.  In addition, we found 11 other instances of exposed PII on other SSA Intranet sites containing Agency training manuals.  After we notified SSA officials about the exposed PII, it was immediately removed from the Intranet sites.  The Agency lacked a designated component to monitor PII issues related to SSA’s Internet and Intranet sites.  Moreover, SSA had not developed clear and relevant content standards for safeguarding PII on its websites.  This lack of controls may have contributed to PII being displayed on SSA’s Intranet sites.

Our Recommendations

We recommended that SSA:

  1. Designate a component with the responsibility of (a) developing PII safeguard policies over the Internet and Intranet and (b) ensuring adherence to these new policies.

  2. Designate a component with the responsibility of periodically reviewing Internet and Intranet sites to ensure employee and contractor PII is protected.  Such reviews should become part of the Agency’s internal control structure.

SSA agreed with our recommendations.