Union groups sue Treasury over giving DOGE access to sensitive data The Record from Recorded Future News

pppLeadershipppCybercrimeppNationstateppElectionsppTechnologyppCyber DailyppClick Here Podcastpp Free Newsletterpp Union groups that represent 72 million people filed a lawsuit Monday against the Treasury Department for handing over information including Social Security numbers tax return data and bank account details to Elon Musks Department of Government Efficiency DOGE pp Plaintiffs in the lawsuit which include the Alliance for Retired Americans the American Federation of Government Employees and the Service Employees International Union allege that Musk and his surrogates are violating a federal law known as the Privacy Act which bans the government from sharing individuals records without consent or unless a statutory exception applies pp Exceptions include allowing disclosure to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties or for routine use only when an agency formally describes that intended use in the federal register at least 30 days before acting pp DOGE a White House department created by President Donald Trump is spearheading an effort to reduce costs across the federal government It is staffed by workers as young as 19 many of whom appear to have been employed at Musk companies but lack government experience Wired reported Saturday pp Trying to decimate federal expenditures by stopping payments that have been approved by other federal agencies would not be a routine permissible use John Davisson the director of litigation at the Electronic Privacy Information Center and who is not involved in the lawsuit said in an interview pp DOGE workers are also violating a law which says tax returns and return information should be kept confidential the lawsuit alleges That law known as the Internal Revenue Code says that officers and employees of the Treasury Department may access return information only if their official duties require them to obtain it for tax administration purposes pp The scale of the intrusion into individuals privacy is massive and unprecedented says the lawsuit which was brought by the Public Citizen Litigation Group and State Democracy Defenders Fund  pp Treasury Secretary Scott Bessents decision to give DOGE team members full continuous and ongoing access to the information for an unspecified period of time means that retirees taxpayers federal employees companies and other individuals from all walks of life have no assurance that their information will receive the protection that federal law affords it alleges pp The Treasury Department and the White House did not respond to a request for comment pp Other data points the lawsuit contends are stored in the Treasury system include date and location of birth physical and electronic mailing addresses personal cell phone numbers bank routing numbers and household income assets and liabilities Name and contact information of employers drivers license numbers credit and debit card numbers and user names and passwords are also stored the lawsuit says pp The Treasury payments system includes a debt collection database according to the lawsuit and Davisson pp That database known as Integrated Document Management System houses even more sensitive personal information including about mental health and disabilities for between 10 and 9999 million people according to a privacy impact assessment conducted in 2019 pp There are no more recent privacy impact assessments available though experts say it is unlikely what is stored has changed pp While the lawsuit doesnt cite it Davisson said DOGE workers penetration of Treasurys payment systems likely also violates the Federal Information Security Modernization Act FISMA which he said lays out protocols for operating an information system inside the federal government  pp Those protocols were developed by the National Institute of Standards and Technology NIST he said and under FISMA federal agencies are required to adopt many of the standards including access controls training requirements for people with direct access to personal data and limits on physical media that can be connected to systems pp If you roll up to a Treasury server and plug in whatever something you bought at Best Buy it probably does not meet the media restrictions and protocols that are set out in those NIST standards Davisson said pp The extent of the DOGE teams penetration into government networks has become clear in recent days  pp DOGEs alleged installation of an outside server at the Office of Personnel Management OPM in order to collect personal data belonging to federal workers triggered a classaction lawsuit filed on January 27 The government workers behind that lawsuit on Tuesday sought a temporary restraining order alleging that the ongoing use of the server is endangering their personal data Wired reported pp Over the weekend DOGE workers reportedly penetrated the US Agency for International Developments systems DOGE also has accessed a Department of Education database containing personal information belonging to millions of people receiving federal financial aid The Washington Post reported Monday  pp The DOGE team has asked for access to Centers for Medicare and Medicaid Services systems the New York Times reported Monday pp Democrats have begun fighting back On Tuesday two House Democrats sent a letter to OPM Acting Director Charles Ezell saying that the administrations actions at the agency demonstrate gross negligence severe incompetence and a chaotic disregard for the security of our government data and the countless services it enables our agencies to provide to the public pp Senator Chuck Schumer DNY along with other Democratic Congressional leaders said Tuesday that they plan to introduce legislation to prevent what Schumer called unlawful meddling in the Treasury Departments payment systems  pp There is nothing to stop DOGE from using agency data to find undocumented immigrants advocates say An executive order Trump issued in his first administration directed federal agencies to share data with the Commerce Department so that it could determine individuals immigration status pp The executive order creating DOGE states that agency heads must give it full and prompt access to all unclassified agency records software systems and IT systems pp That language is reminiscent of the executive order Trump signed in 2019 said Elizabeth Laird director of equity and civic technology at the Center for Democracy and Technology  pp The earlier order compelled federal agencies including Immigration and Customs Enforcement the Social Security Administration and the Centers for Medicare and Medicaid Services to share data with Commerce so that it could identify immigrants who were in the country illegally pp I have determined that it is imperative that all executive departments and agencies provide the Department the maximum assistance permissible consistent with law in determining the number of citizens and noncitizens in the country including by providing any access that the Department may request to administrative records that may be useful in accomplishing that objective Trump said in that order pp Allowing DOGE to access data from across the government could be used to further any number of administration goals beyond just finding efficiencies Laird said pp We dont know exactly what they want to do and theres no limitations on what they say they will or will not use this access for she said ppSuzanne Smalleyppis a reporter covering privacy disinformation and cybersecurity policy for The Record She was previously a cybersecurity reporter at CyberScoop and Reuters Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek She lives in Washington with her husband and three childrenppPrivacyppAboutppContact Uspp Copyright 2024 The Record from Recorded Future Newsp