Why We Did This Audit
Given an evolving cyber threat landscape and the number of cyberattacks on government agencies, effective protection of personally identifiable information—such as Social Security numbers and birth dates—remains critical. The loss of personally identifiable information can result in substantial harm to individuals, including identity theft or other fraudulent use of the information. To mitigate risks of data breaches that threaten personal privacy, USAID needs to establish and maintain a robust privacy program aimed at protecting personally identifiable information held by the Agency.
Our audit objective was to assess the extent to which USAID has implemented key elements of an effective privacy program.
Though USAID implemented some elements of an effective privacy program, additional key controls are needed to protect personally identifiable information. The Agency followed Federal privacy requirements to justify the need to collect Social Security numbers for systems in use, hold personally identifiable information appropriately, and publish System of Records Notices in the Federal Register. However, USAID did not fully implement key controls in the following areas:
- Implementing controls for data loss prevention activities,
- Providing role-based privacy training,
- Preparing a comprehensive list of actions needed to eliminate unnecessary Social Security numbers,
- Updating and fully completing system of record notices, and
- Maintaining a comprehensive inventory of third-party websites.
We are making five recommendations to improve the effectiveness of USAID’s privacy program. USAID agreed with four of our recommendations and partially agreed with one. Notwithstanding, the agency agreed to implement all five recommendations.