Congress Must Address Constituent Service Vulnerabilities

Through constituent service, Members of Congress build public trust and create tangible improvements for constituents — but these interactions must be handled with great care, given the sensitive nature of information disclosed.  One story from my time as a caseworker still gives me chills:

Part of my portfolio was Social Security, and about half of those cases involved SSI and SSDI. One constituent called in a panic: she had just been approved for SSDI benefits after multiple years of appeals, and would receive a retroactive check for $30,000. The problem was that Social Security had sent the check to her old address. Social Security told her that it was out of their hands, and she had to speak to the Department of the Treasury to have the check reissued. Despite multiple calls to the Treasury, she had been unable to reach anyone able to help her.

Following standard practice for most casework teams, I had the constituent sign and email back a privacy act release form (PARF), and I contacted the Treasury’s Congressional liaison team and explained the situation. In a few days, Treasury let our office know that they had reissued the check to the correct address — which, as a courtesy to the constituent, I also contacted Social Security to update.

The case was a big win — but it occurred to me months afterward that I had never taken any steps to verify that I had secured that big win for the right person. Everything worked out in that case, but I kept thinking, “what if?”

According to Rule 7 of the House, Representatives have personal ownership over data provided to them by constituents in the course of casework, which can include sensitive information like tax documents and medical records (Congress is also not subject to the Privacy Act, FOIA, or HIPAA in its own right). While Congress may not have legal liabilities for the theft or misuse of that information, Members and their teams nonetheless have a clear moral obligation to not expose constituents seeking help to undue risk — which means taking steps to avoid being made an unwitting partner in fraud, foreign espionage, and general disruption intended to further reduce trust in democracy.

This vulnerability can take several forms. Malign actors could target the sensitive constituent data provided to Congressional offices in the course of constituent services, including Social Security numbers, tax records, medical records, and more — or directly exploit Congressional access to agency decision makers by impersonating constituents. Or, given the vital role casework teams play for constituents who have exhausted their other options, Congressional offices themselves could become targets of a DDOS-style attack intended to tie up constituent service operations in a flood of urgent requests for help from malicious actors using AI to convincingly impersonate constituents.

With the increasing prevalence of these technologies, every office should take immediate, common-sense steps to safeguard constituent information without waiting for institutional guidance. Some starting points include:

1. Offices should be prepared to ask for identification from constituents and have constituents formally verify who they authorize to receive information on their case.

The level of vetting required can change relative to the potential consequences involved in the case, but offices should incorporate at least some level of verification into cases involving sensitive information (including whistleblower disclosures), large sums of retroactive benefits, relaying constituent preferences to an agency, and disclosing case-related information to anyone other than the constituent. Offices may also consider proactively developing ways to verify a constituent’s identity over the phone and email: for example, setting a “safe phrase” that the constituent and Congressional staffer can use to identify themselves and/or confirm a course of action.

2. Offices should have plans in place to shift to in-person casework intake as a break-glass option in case of targeting.

As has been increasingly visible with protests around the TikTok ban, Congressional operations can be derailed by a high volume of calls that prevent constituents with urgent business from reaching staffers — whether the calls are from engaged citizens or a more malicious actor using AI to impersonate constituents at scale in a DDOS-style attack. In the event that phones are no longer workable, offices should consider a break-glass option to shift to in-person operations in district or state offices. Offices that are already experimenting with innovative ways to reach constituents like casework vans, office hours programming, or strong networks of local referring stakeholders like VSOs, senior centers, and other elected officials will be best prepared to be flexible in these situations.

3. Offices should constantly refresh and retrain staff on policies for handling sensitive constituent information.

The most important piece of safeguarding constituent information is a strong commitment to basic cyber and in-person document handling hygiene. Both the House and Senate have mandatory cybersecurity training for Congressional staff, and casework managers should ensure that their teams keep their training up to date. The Office of the Whistleblower Ombuds also provides information on best practices for handling sensitive information, including a template case management procedure and confidentiality policy. Other common-sense best practices for document handling include minimizing the time sensitive documents spend in a Member office, protecting documents from casual access, and keeping detailed records of which documents come into the office and how they are disposed of.

To rebuild the American’s people’s trust in Congress, Congress has to demonstrate that it is trustworthy. Taking common-sense measures to ensure that constituents are not exposed to further risks by asking for Congressional help is an important first step.