
OMB Watch Executive Director Gary D. Bass Comments on USDA's Private Information Breach
by Sam Kim, 5/1/2007
On April 20, the New York Times broke a story about the U.S. Department of Agriculture (USDA) disclosing personally identifiable information (Social Security numbers and taxpayer ID numbers) of some people who have received financial assistance from the department. The practice, which, according to USDA, affected 38,700 people, has been going on for roughly a decade. The problem was discovered a week earlier by a user of OMB Watch's FedSpending.org, a website providing easy access to information about government spending.
On Friday the 13th no less, Marsha Bergmeier, president of Mohr Family Farms in Fairmount, IL, typed the name of her company into a Google search page, found FedSpending.org listed, and clicked through. Pulling up information about a loan she had received from USDA, she found that the field meant only to uniquely identify the financial award also had her Social Security number embedded in it. After Bergmeier notified OMB Watch and the government, it became apparent that this was not a unique situation and that it involved at least two agencies within USDA.
Within a week, there were at least 155 news stories and 88 blog posts about this issue. And the USDA, initially reluctant to acknowledge its mistake, ultimately did so, and agreed to provide free credit monitoring for a year to those affected. The information in the data field, which is called the Federal Award ID, has now been restricted throughout government for all financial assistance awards, which include grants, cooperative agreements, and loans.
The Federal Award ID is a vitally important data field, as it uniquely identifies the financial transaction. For anyone investigating particular transactions, that identifier is essential. For example, to request records about an award through the Freedom of Information Act, you need that identifier. Thus redacting the data field is as unacceptable as disclosing personally identifiable information.
Prodded by Rep. Zack Space (D-OH), the House Agriculture Committee is holding a hearing on May 2 to explore "how the breach happened, the proposed remedies, and recommendations on how to make sure that this never happens again." Additionally, on April 27, Sens. Barack Obama (D-IL) and Tom Coburn (R-OK) wrote a letter to USDA Secretary Mike Johanns stating that the disclosure of personally identifiable information was "improper and unacceptable." They added, "We all should be grateful for the watchful eyes of American citizens," implying support for FedSpending.org and gratitude for people like Bergmeier.
Obama and Coburn called on USDA to provide three things by May 18:
- An assessment of the harm caused by disclosing Social Security numbers and a report on utilization of the credit monitoring service;
- A report on what is being done to ensure that data security problems are fixed; and
- A detailed plan and timeline for adopting a new unique identifier without disclosing personally identifiable information.
In an electronic age, there will certainly be mistakes in disclosing personally identifiable information that originate in legacy systems. Government needs a comprehensive approach to inspecting agency websites to discover any problems that exist today, and a comprehensive plan for addressing problems once it finds them. Reacting by the seat of its pants is not a solution.

Should the government establish a uniform approach to constructing the unique identifier for financial transactions? The problem arose because every agency employs its own system for crafting a unique identifier, and one department used Social Security numbers as part of its format. Wouldn't it make more sense to create a government-wide format that helps the public understand more about the transaction through the identifier itself and does not disclose personally identifiable information? For example, the identifier might have a common format that starts with an agency code, followed by the location of the assistance, the type of assistance (e.g., a grant or loan), and a sequential number. This unique identifier is required by law under the Federal Funding Accountability and Transparency Act, commonly called Coburn-Obama, which was signed into law last fall. Coburn-Obama requires the Office of Management and Budget to establish a website like FedSpending.org by January 1, 2008. So the government had better get this right, and soon.

Why has USDA taken so long to regenerate the unique identifiers? It has now been more than two weeks since USDA was first notified of the problem, yet OMB Watch still has not received new identifiers to put on FedSpending.org. This is not rocket science, even if USDA cannot make a permanent change in its internal database, which apparently links to its accounting system. What it could do is generate new numbers, without personally identifiable information, as a cross-walk to the older numbers for external use, such as with FedSpending.org. We could post the corrected numbers, and those who are still eager to track government spending could do so.
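The two steps argued for above (inspect published identifier fields for embedded SSN or taxpayer ID numbers, then issue PII-free replacement identifiers in an agency-location-type-sequence format with a cross-walk back to the legacy numbers) as an added example. This is not code from OMB Watch, USDA or the original article; the legacy identifier layout, the record fields and the sample values are constructed assumptions, since USDA's actual format is not given on this page.

```python
"""
Audit award-identifier fields for embedded SSN/TIN-shaped numbers and
build a PII-free cross-walk of replacement identifiers.
Added example; the record layout and sample values are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Formatted SSN/ITIN (###-##-####) or a bare run of exactly nine digits,
# which also catches an EIN written without its dash (##-#######).
SSN_FORMATTED = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
NINE_DIGITS = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Drop only values the SSA never issues (area 000/666, group 00,
    serial 0000). A leading 9 is deliberately kept: ITINs start with 9,
    and the breach covered taxpayer ID numbers as well as SSNs."""
    return area not in ("000", "666") and group != "00" and serial != "0000"


def find_embedded_ids(value: str) -> list[str]:
    """Return every SSN/TIN-shaped substring found in one field value."""
    hits = []
    for pattern in (SSN_FORMATTED, NINE_DIGITS):
        for m in pattern.finditer(value):
            if looks_like_ssn(*m.groups()):
                hits.append(m.group(0))
    return hits


def scan_records(records: list[dict], fields=("award_id",)) -> list[tuple[int, str, str]]:
    """Inspection pass over a published dataset: one (record index, field,
    matched text) tuple per SSN/TIN-shaped number in the chosen fields."""
    findings = []
    for i, rec in enumerate(records):
        for field in fields:
            for hit in find_embedded_ids(str(rec.get(field, ""))):
                findings.append((i, field, hit))
    return findings


def build_crosswalk(records: list[dict]) -> dict[str, str]:
    """Map each legacy award_id to AGENCY-STATE-TYPE-NNNNNN, numbered
    sequentially within each (agency, state, type) bucket. The six-digit
    sequence can never be mistaken for a nine-digit SSN, and the mapping is
    deterministic for a given input order, so the cross-walk can be rebuilt."""
    counters: dict[tuple, int] = defaultdict(int)
    crosswalk: dict[str, str] = {}
    for rec in records:
        old = rec["award_id"]
        if old in crosswalk:
            continue  # a legacy ID seen twice keeps a single new ID
        key = (rec["agency"], rec["state"], rec["type"])
        counters[key] += 1
        crosswalk[old] = "{}-{}-{}-{:06d}".format(*key, counters[key])
    return crosswalk


def republish(records: list[dict], crosswalk: dict[str, str]) -> list[dict]:
    """Copy of the dataset with legacy IDs swapped for cross-walk IDs: what
    an external site such as FedSpending.org would receive."""
    return [dict(rec, award_id=crosswalk[rec["award_id"]]) for rec in records]


# Constructed sample records. The legacy layout "USDA-<program>-<9 digits>-<seq>"
# is hypothetical and the nine-digit values are fabricated, not real SSNs.
SAMPLE_RECORDS = [
    {"award_id": "USDA-FSA-123456789-01", "agency": "USDA", "state": "IL", "type": "LOAN", "amount": 45000},
    {"award_id": "USDA-FSA-123456789-02", "agency": "USDA", "state": "IL", "type": "LOAN", "amount": 12000},
    {"award_id": "USDA-RD-987-65-4320-A", "agency": "USDA", "state": "OH", "type": "GRANT", "amount": 250000},
    {"award_id": "USDA-NRCS-2007-000418", "agency": "USDA", "state": "IL", "type": "GRANT", "amount": 8000},
    {"award_id": "USDA-FSA-000123456-01", "agency": "USDA", "state": "TX", "type": "LOAN", "amount": 30000},
]

if __name__ == "__main__":
    for idx, field, hit in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: {field} contains SSN/TIN-shaped value {hit}")
    cw = build_crosswalk(SAMPLE_RECORDS)
    for old, new in cw.items():
        print(f"{old} -> {new}")
    # The republished set must come back clean from the same inspection.
    print("residual findings:", scan_records(republish(SAMPLE_RECORDS, cw)))
```

Two design points worth noting. The plausibility filter in `looks_like_ssn` trades a few false negatives (the last sample record, whose nine digits start with 000, is not flagged) for fewer false positives on ordinary sequence numbers; an agency that would rather review every nine-digit run by hand can drop the filter. And the cross-walk is the only place the old and new identifiers meet, so it stays inside the agency while only the republished records leave, which is exactly the arrangement the article asks USDA for.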
