FEMA contractor at center of privacy violation provides services to many other agencies

Late last year, the Federal Emergency Management Agency (FEMA) was found to have exposed 2.3 million disaster survivors to identity theft and fraud by unnecessarily sending sensitive data to a government contractor administering FEMA’s emergency lodging program. The contractor, which failed to flag the data oversharing to FEMA, was found by the agency to have 11 cybersecurity vulnerabilities in its data and network facilities, seven of which won’t be remediated until 2020.

That same contractor currently supplies, and has since 2005, emergency lodging services to virtually all government agencies and sub-agencies, including the Department of Defense, the Coast Guard, the Department of Justice and the Department of Veterans Affairs, among others. Based on an investigation, it’s unclear whether the agencies that rely on the contractor for emergency lodging services have made any determination as to whether they, too, were collecting or transmitting unnecessary sensitive data to the contractor. It’s further unclear to what degree the identified cybersecurity vulnerabilities leave the contractor’s facilities exposed to external threats, or whether the personal data of all the other agencies’ personnel are inadequately protected on the contractor’s vulnerable network.

On March 15, the Department of Homeland Security’s Office of Inspector General (OIG) issued a report alerting that FEMA had violated the Privacy Act of 1974 and Department of Homeland Security policy by needlessly releasing to the federal contractor administering the agency’s Transitional Sheltering Assistance (TSA) program the personally identifiable information (PII) and sensitive personally identifiable information (SPII) of 2.3 million survivors of hurricanes Harvey, Irma and Maria, and of the California wildfires in 2017.

Although the OIG’s report redacted the contractor’s name, the contractor is a Wichita, Kansas-based company called Corporate Lodging Consultants, Inc. (CLC), which is owned by a publicly traded commercial payments company, Fleetcor. CLC describes itself as the “nation’s leading provider of workforce lodging rates” and has been the federal government’s sole official provider of emergency lodging services since 2005 under a blanket purchase agreement with the General Services Administration (GSA), a contract that is now on its third iteration. CLC did not respond to requests for comments.

FEMA’s overcollection and transmission of the survivors’ SPII came about because a previous but now suspended program, called the TSA-Reimbursable Program (TSAR), required emergency lodging applicants to provide the SPII so they could be directly reimbursed by CLC. The privacy incident occurred because FEMA did not take steps to ensure it provided only the required data elements to CLC. Moreover, CLC did not notify FEMA that the agency was providing unnecessary PII and SPII for eligible disaster survivors.

The collection and transmission of the survivors’ data, which encompassed 20 unnecessary data fields including full addresses, financial institution names, electronic funds transfer numbers and bank transit numbers, placed survivors seeking disaster-related housing under the TSA program at increased risk of identity theft and fraud. After sanitizing the unnecessary data from the contractor’s systems and after deploying a joint assessment team of cybersecurity personnel to the contractor’s facilities, FEMA discovered 11 security vulnerabilities in the contractor’s network, only four of which had been remediated as of March 2019. The contractor is developing remediation plans for the remaining seven vulnerabilities, which won’t be fully implemented until June 30, 2020.

(Although we identified CLC as the contractor in early April, Dave Gershgorn at Quartz first went public with the contractor’s name on April 9 in this piece. We identified the parent company of CLC in the exact same manner as Gershgorn: through a search of the federal contracts database administered by GSA.)

Under the contract, CLC provides lodging negotiations and management services for the federal government, allowing agencies to centrally source, manage, pay, audit and report out on their emergency lodging response purchases. CLC has established relationships with more than 15,000 hotels in North America, and seeks to not only serve as a lodging facilitator for the government but also tries to negotiate lower-than-market rates for government clients.

According to its blanket purchase agreement with GSA, under which all eligible government entities can arrange to use CLC for emergency lodging, CLC is paid a per-room-night fee according to a schedule that starts at $2.88 per room night and drops with bulk discounts, ending with a $1.92 per-room-night fee for government clients that request more than two million room nights per year. CLC bills the government at cost for the hotel and other lodging facility charges. Lodgers, however, are usually required to provide credit cards for incidental charges and damages to the room, or in some cases pay CLC directly with a government credit card, check or wire transfer.

Does PII and SPII data exposure go beyond FEMA?

According to the GSA’s Federal Procurement Data System (FPDS), CLC has since October 2007 (the earliest entry in the FPDS database) provided lodging services to thirteen different government agencies and 26 sub-agencies of the federal government, including FEMA, which is the largest government client by a wide margin.

The federal government agencies to which CLC has provided lodging services since 2007 include:

  • Corporation for National and Community Service (CNCS)
  • Department of Agriculture (USDA)
  • Department of Commerce (DOC)
  • Department of Defense (DOD)
  • Department of Homeland Security (DHS)
  • Department of Justice (DOJ)
  • Department of Labor (DOL)
  • Department of State (DOS)
  • Department of The Interior (DOI)
  • Department of Transportation (DOT)
  • Department of Veterans Affairs (VA)
  • Environmental Protection Agency (EPA)
  • General Services Administration (GSA)

Although the data from the FPDS is difficult to analyze, since October 2007 the federal government has spent at least an estimated $100 million on CLC’s services, with the total “potential” value of the government award since 2007 worth an estimated $1.9 billion. The vast majority of the government spending on CLC flows to DHS, with most of that spending attributable to FEMA. However, the U.S. Coast Guard, which operates under DHS, has accounted for at least $11.7 million and potentially up to $66.4 million of DHS’s spending with CLC. U.S. Customs and Border Protection, also operating under DHS, accounted for nearly $400,000 of the department’s total.