The Small Business Administration (SBA) is having some technical issues, to say the least. Small government agencies are notorious for suffering from technological inadequacy and poor information security measures, and the SBA appears to be no exception as it forms a bottleneck between small businesses and federal aid.
As part of its compliance with the law, the SBA sent a “Data Breach” notification to as many as 8,000 Economic Injury Disaster Loan (EIDL) applicants. The SBA recently expanded the EIDL’s coverage to assist small businesses affected by the fallout of COVID-19. Though the loans were targeted at providing quick relief and funds were supposed to be delivered just a few days after application, many applicants waited weeks and continue to wait. The SBA seemingly did not have the technical processes in place to handle the deluge of applications it received. Unsurprisingly, delays, system crashes, and even a data breach occurred. Specifically, a flaw in the SBA’s loan application portal allowed applicants to see another user’s information if the back button was clicked. The SBA disabled that part of the site and fixed the bug, but not before inadvertent disclosures occurred.
Under state breach notification statutes, when certain elements of an individual’s personal information are subject to unauthorized disclosure, the entity that owns or licenses that individual’s data must notify the individual of the disclosure. The triggering circumstances differ depending on the state(s) at issue, and the duty usually applies regardless of intent or any inadvertence. Instead of a loan, many applicants received a legally required notice of data breach from the SBA. The letter stated that their personal information, including names, Social Security numbers, addresses, birth dates, email addresses, phone numbers, citizenship status, and insurance information, was subject to unauthorized access due to an inadvertent disclosure. The SBA further stated that there were no signs that the information was misused and offered affected persons one year of free credit monitoring, which is another requirement of a number of state breach notification statutes.
Today, the SBA’s technical woes continue. The SBA’s Paycheck Protection Program (“PPP”), separate from the EIDL Program, sputtered in its initial opening in early April, as the online portal where loans were to be submitted, “E-Tran,” failed to handle the volume of requests, causing banks to raise alarms regarding the system’s functionality. Technical issues aside, the PPP reached its funding ceiling with just a small percentage of applicants receiving any money. The federal government reloaded the program, and today E-Tran, re-opening for round two, was again rife with error messages and technical problems, much to the dismay of banks across the country.
With requests for billions of dollars of funding processed through a system that seems inadequate to handle the expected volume, it is natural to question what potential exists for fraud and cybercrime. In the last year, state governments were already common targets for ransomware due to their technological inadequacy. While no one could have predicted the scope and toll of the COVID-19 pandemic, the need for better information technology standards becomes more apparent every day to organizations of all kinds, and government agencies themselves are not and should not be exempt from scrutiny.