Report: USMMA Is Leaving Data on Sexual Assault Cases Unprotected

The U.S. Department of Transportation's internal watchdog has found that the Maritime Administration and its U.S. Merchant Marine Academy are using a lightly-protected spreadsheet to track complaints of sexual assault and sexual harassment, potentially leaving an open door for unauthorized personnel to access highly sensitive data. The informal tracking system appears to violate a Congressional directive requiring MARAD to invest in a secure database for SASH claims. 

In 2023, Congress included language in the annual defense spending bill that set out new requirements for handling SASH reporting at USMMA. The law required MARAD to set up a formal information management system (IMS) for storing and reporting data on reportable claims involving cadets. The clause requires the administration to record the location or vessel, the perpetrator's role, any factual reports, the type of the investigation (if any), and the outcome. 

The law also directed DOT's inspector general to audit USMMA's Sexual Assault Prevention and Response (SAPR) program, and the audit turned up several deficiencies. Auditors found that USMMA had not acquired an IMS, but was using a spreadsheet instead - even though officials acknowledged that the spreadsheet system wasn't fully fit for purpose. The academy also lacked a process to ensure that personal identifying information was kept out of the system, or a policy on updating its case records when a suspect was acquitted of wrongdoing. 

More seriously, the spreadsheet file lacks cybersecurity controls needed to protect data from hackers. Several non-program staff have potential read/write access to the file, including IT staff and non-academy employees. While the sheet is password-protected and encrypted at the file level, the SAPR program's shared network drive is not; the program staff also have a limited ability to detect unauthorized access, data theft or tampering because the drive is not set up for audit logging, according to the inspector general's office.

"MARAD needs to implement cybersecurity and privacy controls that meet federal standards to protect the SAPR Program’s data and information," concluded the OIG. "MARAD’s lack of full compliance with this mandate inhibits the agency’s ability to protect its data on these very sensitive incidents and mitigate the risk of compromise."

USMMA's superintendent told the inspector general that the academy plans to acquire an IMS, but the timing is dependent on "forthcoming and future appropriations" from Congress.