Finding 1154809 (2024-001)

Material Weakness Repeat Finding
Requirement: E
Questioned Costs: -
Year: 2024
Accepted: 2025-09-23

AI Summary

  • Core Issue: An employee violated HUD’s rules by emailing sensitive applicant information to their personal email before leaving the job.
  • Impacted Requirements: This breach compromises compliance with the Computer Matching and Privacy Protection Act and exposes personally identifiable information (PII) of 10 applicants.
  • Recommended Follow-Up: Review and strengthen internal controls to prevent unauthorized access to PII and ensure all employees understand and comply with data protection policies.

Finding Text

Name of Federal Agency: U.S. Department of Housing and Urban Development

Federal Program Name and Assistance Listing Number: Housing Voucher Cluster: 14.879 Mainstream Vouchers Program. 14.871 - Section 8 Housing Choice Vouchers Program.

Federal Award Identification Number and Year: ACC A-3096 2024

Compliance Requirements: Eligibility

Type of Finding: Material Weakness in Controls

Criteria: In accordance with the Computer Matching and Privacy Protection Act of 1988, HUD requires all authorized users of the Enterprise Income Verification system (EIV) to comply with the Tenant Rental Assistance Certification System (TRACS) Rules of Behavior as well as adhere to the Privacy Act of 1974.

Condition: During the year ended December 31, 2024, a Housing Specialist employee violated HUD’s TRACS Rules of Behavior and the Privacy Act of 1974 by emailing EIV reports containing information of 10 applicants to the employee’s personal email address immediately prior to termination of employment.

Cause: The employee had authorized access to the EIV information as part of the normal duties associated with their position. The employee had signed the Rules of Behavior, and participated in annual cyber training as required by HUD; however, the employee was discovered to have circumvented the controls and emailed EIV information to their personal email address immediately prior to termination of employment.

Effect or Potential Effect: Tenant applicants and tenant participants of the housing voucher program are at risk of having personally identifiable information (PII) exposed and misused by the employee.

Questioned Costs: None

Context: An employee who had authorized access to EIV for the performance of their duties in the Housing Choice Voucher (HCV) program was discovered to have emailed themselves private information of 10 housing choice voucher applicants.

Identification as a Repeat Finding: This finding is not a repeat finding.

Recommendation: We recommend that the Authority reviews its internal controls to reduce the risk of unauthorized access to and/or misuse of PII contained within the EIV reports in the future to ensure compliance with eligibility requirements.

Views of Responsible Officials: Shortly after the employee’s separation from the Authority, management discovered that the individual had sent documents to their personal email address immediately prior to departure. Upon discovery, management promptly notified legal counsel and the Authority’s cybersecurity insurance provider. The employee’s laptop was subsequently sent to the designated vendor for a forensic inspection to determine the extent of the data compromise. The final report confirmed that approximately 10 households’ personally identifiable information (PII) had been affected. Notification letters were issued to those households with instructions on how to monitor their credit and review potential impacts. To date, no households have reported any negative consequences to the Authority.

As part of the Authority’s standard internal controls, all HCV employees with access to EIV are required to sign the Rules of Behavior and complete HUD’s annual cybersecurity training. In addition, the Authority maintains physical security measures and general IT controls onsite to reduce risks associated with unauthorized access.

After this incident, the Authority implemented several additional measures to strengthen data protection practices. Specifically:

  • Issued a new Information Protection Policy and Confidentiality Agreement, which all employees are required to review and sign.
  • Conducted an all-staff training session to review the new policy in detail and reinforce best practices for safeguarding participant information.
  • The Chief Executive Officer reiterated the Authority’s commitment to data security and emphasized that any violation of information protection policies will result in disciplinary action, up to and including termination of employment, as well as potential legal prosecution.

Corrective Action Plan

CORRECTIVE ACTION PLAN

August 28, 2025

Cognizant oversight agency: U.S. Department of Housing and Urban Development

The Housing Authority of the City of Decatur, Georgia respectfully submits the following corrective action plan for the year ended December 31, 2024.

Audit Firm: CohnReznick LLP
3560 Lenox Road, Suite 2900
Atlanta, Georgia 30326

Audit period: for the year ended December 31, 2024

The finding from the December 31, 2024 schedule of findings and questioned costs is discussed below. The finding is numbered consistently with the number assigned in the schedule.

FINDING - FEDERAL AWARD PROGRAMS AUDIT

DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT

2024-001 Housing Voucher Cluster - AL Nos. 14.871, 14.879

Recommendation: the Authority reviews its internal controls to reduce the risk of unauthorized access to and/or misuse of PII contained within the EIV reports in the future to ensure compliance with eligibility requirements.

Action Taken: As part of the Authority's standard internal controls, all HCV employees with access to EIV are required to sign the Rules of Behavior and complete HUD's annual cybersecurity training. In addition, the Authority maintains physical security measures and general IT controls onsite to reduce risks associated with unauthorized access.

Since the incident occurred, the Authority has implemented several additional measures to strengthen data protection practices. Specifically:

  • Issued a new Information Protection Policy and Confidentiality Agreement, which all employees are required to review and sign.
  • Conducted an all-staff training session to review the new policy in detail and reinforce best practices for safeguarding participant information.
  • The Chief Executive Officer reiterated the Authority's commitment to data security and emphasized that any violation of information protection policies will result in disciplinary action, up to and including termination of employment, as well as potential legal prosecution.

If the U.S. Department of Housing and Urban Development has questions regarding this plan, please call Larry H. Padilla, CEO at 404-270-2101.

Larry H. Padilla
CEO/Executive Director

Categories

  • HUD Housing Programs
  • Eligibility
  • Material Weakness
  • Matching / Level of Effort / Earmarking
  • Internal Control / Segregation of Duties

Other Findings in this Audit

  • 1154808 2024-001
    Material Weakness Repeat

Programs in Audit

ALN    | Program Name                                       | Expenditures
14.871 | Section 8 Housing Choice Vouchers                  | $10.87M
21.027 | Coronavirus State and Local Fiscal Recovery Funds  | $3.74M
14.879 | Mainstream Vouchers                                | $717,839
14.195 | Section 8 Housing Assistance Payments Program      | $240,566