Press Releases

Miami, FL — U.S. Senators Marco Rubio (R-FL) and Ben Cardin (D-MD), Chairman and Ranking Member of the Senate Committee on Small Business and Entrepreneurship, and Representative Nydia Velázquez (D-NY), Chairwoman of the House Committee on Small Business, sent a letter to Jovita Carranza, Administrator of the U.S. Small Business Administration (SBA), asking the agency for a complete accounting with regard to recent reports of a data breach of personally identifiable information for nearly 8,000 businesses that had applied for the SBA’s Economic Injury Disaster Loan (EIDL) program.


“SBA must immediately provide a complete accounting of this incident, including a summary of information about the data breach and how the breach occurred, the number of individuals and firms that may have been affected, when SBA notified those individuals and firms possibly affected, the period of time information was compromised, and what steps SBA has taken to ensure that applicant information is secure going forward,” the Members wrote. “We do not need to emphasize how vulnerable the nation’s small businesses are right now. More than ever, they are counting on SBA to deliver vital assistance in a responsible and competent manner. Please know that Congress stands ready to work with you to prevent future breaches of this kind.”
 
The full text of the letter is below. 
 
Dear Administrator Carranza:
 
We are writing to express serious concern about recent reports in the media that the Small Business Administration (SBA) permitted sensitive, personally identifiable information of thousands of Economic Injury Disaster Loan (EIDL) applicants to become exposed.
 
We appreciate that SBA is taking on an unprecedented role in the federal response to the COVID-19 pandemic and is rapidly expanding its capacity in real time. As we have worked to address COVID-19, Congress has relied on SBA’s assessment of the resources necessary for this undertaking, providing $675 million for administrative costs in the CARES Act and an additional $2.1 billion in the interim supplemental. The American people deserve a detailed accounting of what policies and procedures SBA has implemented to protect small business owners’ personally identifiable information given the volume and sensitivity of the information the agency now receives. 
 
SBA must immediately provide a complete accounting of this incident, including: a summary of information about the data breach and how the breach occurred; the number of individuals and firms that may have been affected; when SBA notified those individuals and firms possibly affected; the period of time information was compromised; and what steps SBA has taken to ensure that applicant information is secure going forward.
 
We do not need to emphasize how vulnerable the nation’s small businesses are right now. More than ever, they are counting on SBA to deliver vital assistance in a responsible and competent manner.  Please know that Congress stands ready to work with you to prevent future breaches of this kind.
 
Sincerely,