Feb 13

Industry News

3 Simple Tricks to Keep Your Data Safe on the Road

Government Computer News - September 7, 2012

3 Tips for Privacy Professionals

GovInfoSecurity.com - March 5, 2012

Big Data Affects Hiring, Privacy

Federal Computer Week - December 12, 2012

CIO Council Considers New Privacy Guidance

Government Computer News - March 25, 2010

Coalition Calls for Update of Privacy Act

GovInfoSecurity.com - April 1, 2010

Congressmen Poke Facebook Over Privacy Breaches

Information Week - October 19, 2010

Controversial Cyber Bill Sails Through House

Federal Computer Week - April 27, 2012

Defining the Role of Technology in Fighting Waste, Fraud, Abuse

Federal Computer Week - September 6, 2012

DoD's New Policy 'Likes' Social Media, But With Caveats

Federal Computer Week - August 14, 2012

Dreading A Reply All Nightmare? Don't Forget Bcc

Government Computer News - February 4, 2013

Facebook Outlines Privacy Changes

Wall Street Journal - December 9, 2009

Federal Data Breaches: How Long is too Long to Inform Victims?

Federal Computer Week - September 10, 2012

FTC Recommends Do Not Track be Voluntary -- or Else

Government Computer News - March 26, 2012

Groups Call for Stronger FOIA

Federal Computer Week - January 28, 2013

GSA Employee's Error Exposes Staff to Potential Identity Theft

Government Computer News - November 8, 2010

How to Secure Data in Cloud? Stick With it Like Glue

Government Computer News - July 15, 2011

HUD Automates Records Management to Better Handle FOIA Requests

Government Computer News - August 7, 2012

ID Management: A Matter of Trust

Federal Computer Week - August 27, 2012

In New Cyber Battle, Info is the Goal, 'Stupid' is an Enemy

Government Computer News - March 30, 2011

Is Social Security Headed for the Cloud?

Washington Technology - January 11, 2012

Marines Ban Twitter, MySpace, Facebook

Wired Magazine - August 3, 2009

Mobile Privacy Risks: Who Should Alert End Users?

Government Computer News - May 4, 2012

Momentum Builds for Federal Rules on Internet Privacy

The Washington Post - July 27, 2010

Monitoring Employees Online: How Much is Too Much?

Federal Computer Week - August 20, 2012

Navy Steps Up Protection of Sailor Information

Navy News Service - December 27, 2010

New Cyber Threats Put Government in The Cross Hairs

Government Computer News - April 11, 2011

New NIST Guidance Tackles Public Cloud Security

GovInfoSecurity.com - February 2, 2011

New Phishing Scam Targets Military Users, DFAS Warns

Government Computer News - April 16, 2012

NIST Proposes Privacy Controls for Federal Information Systems

Government Computer News - July 22, 2011

OMB Ends Federal Agency Decade-Long Cookie Ban

GovInfoSecurity.com - June 28, 2010

OMB Tells Agencies How To Treat Their Online 'Friends'

Federal Computer Week - June 25, 2010

Printer Security: The Invisible Problem in Plain Sight

Government Computer News - April 1, 2010

Self-Deleting Emails: An Enterprise Nightmare?

Government Computer News - January 29, 2013

Survey: 9% Have Experienced ID Theft

GovInfoSecurity.com - March 10, 2010

Where Does Privacy Figure Into FTC Data Discussions?

Federal Computer Week - December 4, 2012

White House Unveils 'Privacy Bill of Rights'

NextGov - February 23, 2012

White House: Put Teeth Into Online Privacy Bill of Rights

Government Computer News - April 2, 2012

Wikipedia, Others Staging Anti-SOPA Blackout; White House Weighs in

Government Computer News - January 17, 2012

Privacy

View Privacy Resources.

The DON CIO is the Department of the Navy's Senior Military Component Official for Privacy. Federal privacy laws require agencies to "establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records to protect against any anticipated threats or hazards to their security or integrity." The loss or compromise of personally identifiable information can lead to identity theft, which directly impacts Department personnel, contractors, retirees and their dependents. Safeguards must be applied to IT systems, shared drives, computer networks, email, paper records and web sites to ensure privacy of personal information.

Policy

DON Fax Policy

DTG 081745Z NOV 12 - November 8, 2012

This message states that, effective immediately, the use of fax machines to send information containing SSN and other PII by DON personnel is prohibited except under the following circumstances: When another more secure means of transmitting PII is not practical. When a process outside of DON control requires faxing to activities such as the Defense Finance and Accounting Service (DFAS), Tricare, Defense Manpower ...

Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology

NIST Special Publication, February 1, 2011 - August 29, 2012

Special Publication 800-88 recommends a number of methods for sanitizing electronic data on hard drives and other electronic media. Media sanitization is the process of removing data from a hard drive, CD-ROM or other electronic media, generally at the end of the data’s life cycle.

Processing of Electronic Storage Media for Disposal

DTG 281759Z AUG 12 - August 29, 2012

The purpose of this coordinated Department of the Navy Chief Information Officer, DON Deputy CIO (Navy), DON Deputy CIO (Marine Corps), and DON Information Security Program Authority message is to update policy for the disposal and mandatory physical destruction of electronic storage media.

Reduction of SSN Use Within DoD

DoD Instruction 1000.30 - August 6, 2012

The purpose of this Department of Defense instruction is to establish policy and assign responsibilities for Social Security Number (SSN) use reduction in the DoD. It establishes a DoD SSN use reduction plan and incorporates and cancels Directive-Type Memorandum 07-015. The Department of the Navy SSN Reduction Plan incorporates the requirements of this

DoD Civil Liberties Program

DoD Instruction 1000.29 - May 22, 2012

This instruction establishes policy and assigns responsibilities for the implementation of the Department of Defense Civil Liberties Program, delegates authorities for the effective administration of the DoD Civil Liberties Program and authorizes the Defense Civil Liberties Board.

DON FOIA, Privacy and Civil Liberties Programs

UNSECNAV Memo - May 17, 2012

This memo retains the Department of the Navy Chief Information Officer as the DON's Senior Military Component Official for Privacy, and delegates the responsibility for oversight and management activities of the Department's implementation of the Privacy Act. It further appoints the DON CIO as the DON Senior Freedom of Information Act (FOIA) Official, and the DON Chief Civil Liberties Officer. It delegates the ...

DON Public Affairs Policy and Regulations

SECNAVINST 5720.44C - June 15, 2012

The purpose of this instruction is to provide basic policy and regulations for carrying out the public affairs and internal relations programs of the Department of the Navy.

DON SSN Reduction Plan Phase Three

DTG 171625Z Feb 12 - February 17, 2012

This Naval message provides details on the continued efforts of the Department of the Navy to implement guidance that better safeguards personally identifiable information by reducing or eliminating the collection, use, display and maintenance of the Social Security number (SSN). The DON has implemented phases one and two of the SSN reduction plan and is now implementing phase three. This DON-wide effort requires the ...

DITPR-DON Process Guidance v1.0

DON Guidance - December 8, 2011

The Department of Defense Information Technology Portfolio Repository-Department of the Navy (DITPR-DON) process guidance document provides a comprehensive discussion of core DITPR-DON functionality and basic lifecycle transactions. This information will enable all users to gain the understanding necessary to perform the basic IT asset management functions of registering, transferring and archiving DON IT systems within ...

Commander Access to Health Information

MARADMIN 308/11 - May 26, 2011

This MARADMIN provides summary information on commander's access to health information regarding Marines within their command. It has been coordinated with and approved by the Navy Bureau of Medicine and Surgery and the Surgeon General of the Navy. Navy Medicine guidance on this topic to medical personnel is being developed for concurrent distribution.

DON IM/IT/Cyberspace Campaign Plan for Fiscal Years 2011-2013

DON CIO Memo - May 4, 2011

The DON Information Management/Information Technology/Cyberspace Campaign Plan for Fiscal Years 2011-2013 outlines the IM/IT/cyberspace and IRM priorities of the Department of the Navy for the next 24 months. Throughout this period, the DON will retain the flexibility to respond to emerging challenges and opportunities; therefore, the plan is a living document, which will incorporate feedback and updates as necessary.

Social Security Numbers Exposed on Public Facing and Open Government Websites

OSD Memo - November 29, 2010

This memo prohibits the posting of Social Security Numbers (SSN), in whole or in part, on any public facing and/or open government website. The Department of Defense continuously monitors situations where the exposure of personally identifiable information might pose a threat to an individual's privacy. There are various requirements in place to reduce the use of SSNs and, where the SSN is necessary to carry out a ...

Department of the Navy Social Security Number Reduction Plan for Forms Phase One

MARADMIN 646/10: 181512Z Nov 10 - November 19, 2010

Widespread use of the Social Security number has reached unacceptable levels and requires a Department-wide effort to eliminate or reduce the collection, use, display and storage of this sensitive data element. As a result, the commandant of the Marine Corps is initiating procedures for a review of all official and non-official forms that collect SSNs. This MARADMIN provides the process that will be used to conduct this ...

DoD and DON Privacy Impact Assessment Guidance

DON CIO Memo - November 19, 2010

The Privacy Impact Assessment (PIA) is a tool for assessing privacy risks in an information technology system. Federal and Department of Defense guidance regarding PIAs helps ensure that personally identifiable information (PII) in electronic form is only collected, maintained and disseminated when necessary, and that the supporting IT systems being developed and used protect and preserve the privacy of the American ...

Updated Plan to Remove Social Security Numbers from DoD Identification Cards

Under Secretary of Defense Memo - November 10, 2010

This memo cancels the Jan. 28, 2009, memo, "Business Practice Changes to Allow the Removal of Social Security Numbers from DoD Identification (ID) Cards," which established a timeline for truncation and removal of the visible Social Security numbers (SSN) on all ID cards. The memo addresses concerns raised by DoD stakeholders about potential adverse impacts that may occur if the SSN is truncated or removed as ...

Code of Federal Regulations (32 CFR Part 701)

Availability of DON Records and Publication of DON Documents Affecting the Public - September 8, 2010

Subparts A, B, C and D of 32 CFR Part 701 issue policies and procedures for implementing the Freedom of Information Act (FOIA) (5 U.S.C. 552) and Department of Defense Directive 5400.7–R series (the DoD FOIA Program),

DON Social Security Number Reduction Plan for Forms Phase One

192101Z JUL 10 DON CIO Washington DC - July 20, 2010

Widespread use of the Social Security number has reached unacceptable levels and requires a Department-wide effort to eliminate or reduce the collection, use, display and storage of this sensitive data element. As a result, the Chief of Naval Operations, Commandant of the Marine Corps and Department of the Navy Chief Information Officer are initiating procedures for a review of all official and non-official forms that ...

Safeguarding Personally Identifiable Information (PII)

NAVADMIN 125/10 - September 30, 2010

The Under Secretary of the Navy issued the memo "Safeguarding Personally Identifiable Information" in February 2010 emphasizing the importance he places on personal privacy and the safe management of Department of the Navy's personally identifiable information (PII). His intention was to make eradicating further PII breaches a Departmental priority. As a result, the Vice Chief of Naval Operations release

Safeguarding Personally Identifiable Information

MARADMIN 162/10 - September 30, 2010

The Under Secretary of the Navy issued the memo "Safeguarding Personally Identifiable Information" in February 2010 emphasizing the importance he places on personal privacy and the safe management of the Department of the Navy's personally identifiable information (PII). His intention was to make eradicating further PII breaches a Departmental priority. As a result, MajGen George Allen, DON Deputy CIO (M

Safeguarding Personally Identifiable Information

UNSECNAV Memo - February 19, 2010

This memo conveys the seriousness the Under Secretary of the Navy places on personal privacy and the safe management of Department of the Navy personally identifiable information (PII) and his intention to make eradicating further PII breaches a Departmental priority. This includes implementing a DON-wide plan to reduce the collection and use of Social Security numbers.

DON Privacy Program and Appointment of the Senior Military Component Official for Privacy

UNSECNAV Memo - December 22, 2009

This memo designates the Department of the Navy Chief Information Officer as the Senior Military Component Official for Privacy for the Department of the Navy, delegated the responsibility for oversight of the Department's implementation of the Privacy Act of 1974.

DON Privacy Impact Assessment Guidance

DTG 181430Z MAY 09 - May 21, 2009

This Naval message implements the Department of Defense Privacy Impact Assessment (PIA) guidance of Feb. 12, 2009, for the Department of the Navy. The following is highlighted: The guidance expands PIA coverage from just members of the public to include Federal personnel, Federal contractors, and Foreign Nationals employed at U.S. military facilities abroad. PIAs are required for legacy systems and electronic ...

DoD Privacy Impact Assessment Guidance

DoD Instruction 5400.16 - February 18, 2009

This instruction establishes policy and assigns responsibilities for completion and approval of privacy impact assessments to analyze and ensure personally identifiable information in electronic form is collected, stored, protected, used, shared and managed in a manner that protects privacy.

DON Enterprise Data At Rest Solution For All Non-NMCI Assets

DTG 312021Z JAN 09 - February 2, 2009

This Naval message announces the availability of the Department of Navy Data At Rest Enterprise Solution for Non-NMCI assets and ends the moratorium on DAR software purchases. Implementation of this solution enables compliance with Department of Defense, Joint Task Force-Global Network Operations and DON policy mandates for encryption of sensitive information on mobile computing devices and portable storage media.

DON Personally Identifiable Information Training Requirement

DTG 181905Z DEC 08 - January 6, 2009

This Naval message emphasizes that personally identifiable information (PII) annual awareness training is foundational to the safeguarding of PII and key to understanding the Department's breach reporting responsibilities. It explains how DON leadership must continually reinforce PII awareness, through training, so that personnel properly safeguard privacy sensitive information in order to improve business processes.

Protecting Personally Identifiable Information on DON Shared Drives and Application Based Portals

DTG 201839Z NOV 08 - November 21, 2008

This Naval message reinforces current Department of the Navy policy aimed at reducing the number and potential impact of lost, stolen or compromised personally identifiable information (PII) to Sailors, Marines, government personnel, dependents and DON contractors.

Web 2.0: Utilizing New Web Tools

DON CIO Memo - October 23, 2008

The purpose of this memo is to provide initial guidance for all Navy and Marine Corps commands regarding the use of emerging web tools to facilitate collaboration and information sharing in the Department of the Navy. These tools, described in enclosure (I) include wikis, blogs, mash ups, web feeds (such as, Really Simple Syndication and Rich Site Summary (RSS) feeds), and forums, which are often referred to as components ...

DON Policy Updates for Personal Electronic Devices Security and Application of Email Signature and Encryption

DTG 032009Z OCT 08 - October 6, 2008

This Naval message provides updates to the DON policy for digital signature and encryption of email. It also provides updated budget guidance for procurement and use of Smart Card Reader technology to support digital signature and encryption of email from Personal Electronic Devices.

DoD Social Security Number Reduction Plan

USD (P&R) Directive-Type Memorandum 07-015 - March 31, 2010

This Directive-Type Memorandum establishes the Department of Defense policy for the use of the Social Security number and guidance for reducing its unnecessary use.

Loss of Personally Identifiable Information Reporting Process

DTG 291652Z FEB 08 - March 3, 2008

This Naval message announces the updated reporting process to be used when there is a known or suspected loss of Department of the Navy personally identifiable information. It includes new and existing requirements for incident reporting recently issued by the Office of Management and Budget and the Department of Defense. Please note: Since the release of this message, the Defense Privacy Office (DPO) email address ...

DON Encryption of Sensitive Unclassified Data at Rest Guidance

DTG 091256Z OCT 07 - December 17, 2007

This Naval message provides guidance regarding the move to choose an enterprise solution to encrypt sensitive Data at Rest (DAR) and states that commands should hold off on purchasing DAR products and services until an enterprise solution is identified.

DON Personally Identifiable Information Annual Training Policy

ALNAV 070/07: R 042232Z OCT 07 - September 8, 2008

This ALNAV message stresses the seriousness of safeguarding personally identifiable information (PII) across the Department by establishing an annual PII awareness training requirement, as well as completing semi-annual command level PII compliance spot checks. View PII Spot Check Form.

Privacy and Civil Liberties

Public Law 110-53 - March 9, 2010

This is an excerpt from PUBLIC LAW 110-53-AUG. 3, 2007, "Implementing Recommendations of the 9/11 Commission Act of 2007," specifically Sections 801 (Modification of Authorities Relating to Privacy and Civil Liberties Oversight Board) and 803 (Privacy and Civil Liberties Officers).

Safeguarding Personally Identifiable Information from Unauthorized Disclosure

DTG 232026Z JUL 07 - December 17, 2007

This Naval message defines personally identifiable information (PII) and emphasizes the importance of its proper handling following more than 100 incidents of PII loss during the past 18 months.

Safeguarding Personally Identifiable Information

DTG 171952Z APR 07 - December 18, 2007

This Naval message establishes interim policy for the handling of personally identifiable information when stored on government furnished laptop computers, other mobile computing devices and removable storage media (e.g., removable hard drives, thumb drives, blackberries, personal digital assistants, compact discs and DVDs).

Common Access Card Eligibility for Foreign National Personnel

DoD Memo - December 17, 2007

This memo authorizes the issuance of CACs to foreign national partners who have been properly vetted and who require access to a DoD facility or network logon access to meet a DoD mission. This would apply to DoD sponsored foreign national military, government, and contractor personnel.

Recall Rosters

CNO Memo - August 18, 2010

This memo provides guidance regarding the use of recall rosters for the management of personnel and addresses what personal information may be included.

Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency IT Investments

OMB Memo 06-19 - December 18, 2007

This memo provides updated guidance on the reporting of security incidents involving personally identifiable information. It also restates existing requirements and explains new requirements.

DoD and DON Privacy Impact Assessment Guidance

DON CIO Memo - April 14, 2008

This memo and enclosures prescribe the Department of Defense and Department of the Navy Privacy Impact Assessment guidance for IT systems that contain information in identifiable form.

Protection of Sensitive Department of Defense Data at Rest on Portable Computing Devices

DoD Memo - December 18, 2007

This memo provides suggestions on technical means to protect unclassified sensitive information on portable computing devices used within DoD. The measures are in addition to the normal physical security required for such devices so that, if they fall into the wrong hands for any reason, access to the sensitive DoD information they contain will be more difficult.

DoD Implementation Guide for Transitional PIV II SP 800-73 v1

DoD Guide - December 18, 2007

This guide specifies technical details for implementing interagency PIV I and PIV II National Institute of Standards and Technology Special Publication 800-73v1 requirements in the DoD CAC environment. It documents how the DoD common access card and middleware are implemented with PIV.

Federal Information Processing Standard 201-1: Personal Identity Verification of Federal Employees and Contractors

FIPS 201-1 - December 18, 2007

This standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. The goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and electronic access to government information systems.

National Industrial Security Program Operating Manual

DoD 5220.22-M - December 18, 2007

This manual prescribes requirements, restrictions, and other safeguards that are necessary to prevent unauthorized disclosure of classified information and to control authorized disclosure of classified information.

DON Privacy Program

SECNAVINST 5211.5E - October 30, 2008

SECNAVINST 5211.5E implements the Privacy Act of 1974 per the Department of Defense Privacy Program Directive and Regulation ensuring that all DON military members and civilian/contractor employees are made fully aware of their rights and responsibilities with regards to privacy. The program attempts to balance the government’s need to maintain information with the obligation to protect individuals against unwarranted ...

DoD Compliance with Electronic Biometric Transmission Specification

DON CIO Memo - December 18, 2007

This memo forwards a memorandum from the Department of Defense Biometrics Executive Agent that mandates all new acquisitions or upgrades of electronic biometric collection systems used by DoD components conform with the DoD electronic biometric transmission specifications.

Withholding of Information that Personally Identifies DoD Personnel

DoD Memo - December 18, 2007

Organizations outside the Federal Government often approach Department of Defense personnel to obtain updated contact information for their publications, which are then made available to the public. The information sought usually includes names, job titles, organizations, phone numbers and room numbers. The DoD director of Administration and Management issued a policy memo Nov. 9, 2001, that provided greater protection ...

DON Privacy Impact Assessment Format Guidance

DON Guidance - December 18, 2007

This summary provides the Department of the Navy format for system assessors to use when conducting a Privacy Impact Assessment.

DON Public Key Infrastructure Implementation Guidance

DTG 061525Z OCT 04 - December 18, 2007

This Naval message provides amplifying public key infrastructure implementation guidance.

Policy for a Common Identification Standard for Federal Employees and Contractors

HSPD-12 - December 18, 2007

This Homeland Security Presidential Directive establishes a government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). This standard will result in enhanced security, increased Government efficiency, reduced identity fraud, and protection of personal privacy.

Privacy Act Program Update

CNO Memo - September 15, 2010

This memo directs Navy activities to be proactive with regards to complying with the Privacy Act of 1974 and SECNAVINST 5211.5 series, DON Privacy Program. The memo provides Privacy Act coordinators good general guidance and addresses areas that are still important today, i.e., protecting personally identifiable information, reducing the

DoD Health Information Privacy Regulation

DoD Instruction 6025.18-R - April 5, 2011

This Department of Defense Regulation prescribes the uses and disclosures of protected health information. It is based on the requirements of the Health Insurance Portability and Accountability Act, Public Law 104-191. It covers much of the same information as the Privacy Act of 1974. This regulation was effective April 14, 2003, and is mandatory for use by all DoD Components.

Instructions on Complying with President's Memorandum of May 14, 1998: "Privacy and Personal Information in Federal Records"

OMB M-99-05 - September 9, 2010

This memorandum provides instructions to agencies on how to comply with the President's Memorandum of May 14, 1998, on "Privacy and Personal Information in Federal Records." In his memo, the president directed Federal agencies to review their current information practices and ensure that they are being conducted in accordance with privacy law and policy. The president also directed the Office of Management and Budget to ...

Privacy Act of 1974

5 U.S.C. 552a - September 9, 2010

The Privacy Act of 1974, 5 U.S.C. § 552a, establishes a code of fair information practices that governs the collection, maintenance, use and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some ...

News

Protect PII on Social Media

January 28, 2013

Social media are excellent venues for exchanging information, but some of this information could contain personally identifiable information (PII). PII is any information that can be used to distinguish or trace an individual's identity. Examples include but are not limited to: name, Social Security Number, date of birth, home address, home phone number, personal e-mail address, financial information, fingerprints, ...

Don't Get Caught by Spear Phishing

January 24, 2013

In a previous Privacy Tip titled, “Don't Get Caught by Phishing,” phishing was described as a criminal activity in which an adversary attempts to fraudulently acquire sensitive information by impersonating a trustworthy person or organization. A rising cyber threat called spear phishing takes this email threat to a new level.

DON Makes Progress With Budget Cuts; Savings Initiative Continues

by Enterprise IT Communications - December 7, 2012

The Department of the Navy has made significant progress in adjusting to its smaller budget, but much work remains. The $100 million in savings achieved so far is just a start to the $2 billion cut to the DON’s IT budget, said Terry Halvorsen, the DON Chief Information Officer.

DoD ID Number Authorized as Substitute for SSN

December 3, 2012

The Department of the Navy Chief Information Officer Privacy Office reports that 80 percent of all "high-risk" personally identifiable information (PII) breaches involve the Social Security Number (SSN). Recent DON and Department of Defense policy guidance outlines steps that reduce or eliminate the collection, use, display and maintenance of the SSN in DON business practices. As a result, commands are now authorized to ...

DON Revises Fax Policy on Transmitting PII

November 9, 2012

The Feb. 2012 message, Department of the Navy Social Security Number (SSN) Reduction Plan Phase Three, prohibited the faxing of SSNs and other personally identifiable information (PII) in all but a few special cases. Since its release, many processes that require the faxing of PII, specifically the SSN, have been identified. To ensure that business processes continue uninterrupted to the maximum extent possible, the ...

Which Paper Shredder Should I Use?

October 24, 2012

The Department of the Navy Chief Information Officer Privacy Office receives frequent inquiries regarding paper shredding as a means of destroying unclassified documents containing personally identifiable information (PII).

A Landfill is No Place for PII

by Steve Muck - July 30, 2012

The following is a recently reported personally identifiable information (PII) data breach. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy Office.

PII Breach Articles from CHIPS Magazine

March 5, 2009

The following is a list of CHIPS Magazine articles about personally identifiable information (PII) breaches based on factual reports sent to the DON CIO Privacy Office. Incidents such as these will be reported in each subsequent issue of CHIPS Magazine.

Data as a Critical DON Asset

July 27, 2012

We all save an overabundance of mementos from the past — whether it is a favorite blanket from grandma, a box full of baseball cards (unfortunately, not a Tug McGraw or Ted Williams rookie card in the mix), or 20-year-old report cards. While it may be comforting to know that we can always find a particular item; in reality, is that box of baseball cards valuable enough to keep around? We, as a department, have long ...

The DoD Identification Number as PII

July 26, 2012

For many years, the Electronic Data Interchange-Personal Identifier (EDI-PI) has been a unique identifier for personnel affiliated with the Department of Defense. Until recently, it was used only by DoD information systems to facilitate machine-to-machine communications and appeared in digital signatures. When the EDI-PI was selected to become the DoD identification number, the purpose of the identifier changed.

Business IT Transformation Town Hall Transcript Available

June 5, 2012

At the most recent Department of the Navy Information Technology Conference in Virginia Beach, Va., Terry Halvorsen, DON Chief Information Officer, held a town hall to discuss his strategy for business IT transformation and the future of DON IT. Download the full transcript, which includes questions from the audience, here.

Encrypting Email Containing PII

May 31, 2012

In October of 2008, the Department of the Navy Chief Information Officer released a GENADMIN message that reiterated guidance requiring DON users to digitally sign and encrypt email messages. The below process explains what to do if you should encounter problems when encrypting an email.

Streamlining DON Business Processes for a More Effective and Efficient Future

May 30, 2012

During the next five to 10 years, the Department of the Navy is facing significant budget constraints. To support vital warfighting capabilities that protect the safety of the nation, it is necessary to find efficiencies in other areas. As part of this effort, the DON Chief Information Office and its information technology partners, such as internal stakeholders and industry, will thoroughly review all operations from an ...

Message From the DON CIO: Keeping PII and PHI Secure

by Terry Halvorsen - May 17, 2012

As a department, we like to save our data and records -- to ensure we will have a historical record or to meet a regulatory requirement. And indeed, many of the Department's business processes require the legitimate use of sensitive information. However, there are cases in which personally identifiable information (PII) or protected health information (PHI) should not be used, maintained or collected.

Tax Related Identity Fraud

by DON CIO Privacy Team - April 19, 2012

Over 34,000 identity fraud cases were reported by the Internal Revenue Service (IRS) in 2011, which represents an almost 100 percent increase from 2010. Tax-related identity fraud is easy to commit and presents little risk of the identity thief getting caught. All the thief needs is a full name and the associated Social Security Number (SSN).

Sailor Stores PII in Commercial Facility; Fails to Pay Bill

by Steve Muck - April 20, 2012

The following is a recently reported personally identifiable information (PII) data breach involving a Sailor who improperly handled PII. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy Office.

SSN Reduction Plan Phase 1 and 2 Results

by Steve Muck - January 12, 2012

The Department of the Navy continues to implement guidance to better safeguard personally identifiable information (PII) by reducing or eliminating the collection, use, display and maintenance of a Social Security number (SSN) where possible. During the past 18 months, the DON has implemented two phases of its SSN reduction plan and is initiating procedures for the third phase. Results of this department-wide effort are ...

Supervisor Sends PII Without Encrypting Email

by Steve Muck & Steve Daughety - October 26, 2011

The following is a recently reported personally identifiable information (PII) data breach involving a Department of the Navy support contractor who improperly handled PII. Incidents such as this will be reported in CHIPS magazine to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the DON Chief Information Officer Privacy Office.

The DON SSN Reduction Plan Continues

by Steve Muck - October 26, 2011

The Department of the Navy is eliminating the unnecessary collection of Social Security numbers (SSNs) to protect personally identifiable information (PII). The SSN, to include any form of the SSN, such as truncated, masked, partially masked, encrypted or disguised, is ubiquitous and a key data element used to commit identity fraud.

Report Your Breaches

by Michelle Schmith - July 24, 2011

The privacy of an individual is a fundamental right that must be respected and protected. While improved handling and security measures within the Department of the Navy are noted in recent months, the number of incidents in which loss or compromise of personally identifiable information (PII) occurs remains unacceptably high.

Website Question Leads to a Strengthened Privacy Process

by Steve Muck - July 24, 2011

A question submitted to the "Ask an Expert" section of the Department of the Navy Chief Information Officer website underscores the need to improve business processes that involve the use of a Social Security number. While there are many legitimate requirements for SSN use, efforts must be made to reduce or eliminate reliance on this unique personal identifier. After reading the question and the DON CIO's response, ...

DON Digital Signature and Encryption Policy for Emails Containing PII

by DON CIO Privacy Team - July 14, 2011

The purpose of this tip is to reinforce existing DON policy regarding digitally signing and encrypting emails that contain personally identifiable information (PII).

Contractor Improperly Handles PII

by Steve Muck - May 17, 2011

The following is a recently reported personally identifiable information data breach involving a Department of the Navy support contractor who improperly handled PII. Incidents such as this are recounted to increase PII awareness. Names have been changed or omitted but details are factual and based on reports sent to the DON Chief Information Officer Privacy Office.

DON Employee Challenges Use of Unauthorized DoD "Form"

by Steve Muck - May 17, 2011

The Department of the Navy is working to eliminate the unnecessary collection of Social Security numbers (SSNs) to protect your personally identifiable information (PII). The SSN is ubiquitous and one of the key data elements used to commit identity fraud. The DON has embarked on a plan to reduce the use of the SSN by eliminating it where it is not needed or replacing it with another unique identifier (e.g., the ...

DON IM/IT/Cyberspace Campaign Plan Released

May 6, 2011

The Department of the Navy Chief Information Officer published the DON Information Management/Information Technology/Cyberspace Campaign Plan for FY2011-2013, which outlines IM/IT/cyberspace priorities for the next 24 months.

Steps For Military Personnel to Take to Defend Against ID Theft

by DON Privacy Team - March 8, 2011

Identity theft is a constant and evolving threat for all citizens and can be of particular concern for those on military deployment and their families. It is a serious crime that occurs when your personal information is stolen and used without your knowledge to commit fraud or other crimes.

Privacy Tips

by DON CIO Privacy Team - February 26, 2009

Privacy Tips are meant to increase awareness about privacy issues that impact the Department of the Navy by highlighting a specific topic. Feedback or suggestions for future topics are welcomed.

Rules for Handling PII by DON Contractor Support Personnel

by the DON Privacy Team - March 8, 2011

The following Privacy Tip provides existing policy guidance and best business practices for contract support personnel who handle personally identifiable information. Office of the Secretary of Defense Memo dated June 05, 2009, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII)" and SECNAV INST 5211.5E: "SECNAV Privacy Program" apply.

SSNs to be Removed from Government ID Cards

by the DON CIO Privacy Team - January 31, 2011

This Privacy Tip provides answers to frequently asked questions regarding upcoming changes to the Department of Defense identification cards. The questions and answers below were reproduced from a recent DoD memo. Changes include the removal of both the sponsor and dependent Social Security number (SSN), the addition of a DoD benefits number for DoD beneficiaries, and the removal of the SSN in the card bar codes. The DoD ...

DONCAF Reduces SSN Use

by Steve Muck - January 21, 2011

The Department of the Navy Central Adjudication Facility (DONCAF), a Naval Criminal Investigative Service (NCIS) organization, is responsible for determining who within the Department of the Navy is eligible to hold a security clearance, have access to Sensitive Compartmented Information (SCI), and be assigned to sensitive duties.

To Err is Human: Human Error is Main Cause of PII Breaches

by Steve Muck - January 21, 2011

Human error is the cause of 80 percent of the DON's PII breaches. Not knowing or not following guidance, or just being careless can result in the unintended disclosure of privacy sensitive information and potentially adversely affect many personnel.

DON SSN Reduction Plan

by Steve Muck - January 21, 2011

The Social Security number (SSN) has evolved beyond its intended purpose to become the identifier of choice for many of the business processes within the Department of the Navy. While use of the SSN has become the enabler to identify and authenticate individuals, it is one of the key elements used for identity theft and fraud. Widespread use of the SSN has reached unacceptable levels and requires a department-wide effort ...

Unique DoD ID Replaces SSN

by Steve Muck - January 21, 2011

A memo from the Under Secretary of Defense issued Nov. 23, 2010, (DTM 13798-10, "Social Security Numbers (SSN) Exposed on Public Facing and Open Government Websites"), addresses concerns about the potential for adverse consequences if the Social Security number (SSN) is truncated or removed as previously planned.

Elements of a Good Privacy Program (Part Two)

by DON CIO Privacy Team - October 27, 2010

This is part two of Elements of a Good Privacy Program and serves as a best practices guide to help Department of the Navy commands/units implement and sustain privacy awareness and better safeguard personally identifiable information within their control.

Elements of a Good Privacy Program

by DON CIO Privacy Team - October 7, 2010

This Privacy Tip will be published in two parts and serves as a best practices guide to help Department of the Navy commands/units implement and sustain privacy awareness and better safeguard personally identifiable information within their control.

Rein in and Rethink the Use of Recall Rosters

by DON CIO Privacy Team - August 25, 2010

While recall rosters serve a useful and valid purpose, safeguards must be in place to ensure that the personally identifiable information they contain is properly maintained and protected to prevent inadvertent disclosure. This privacy tip provides specific safeguards all Department of the Navy personnel should use when creating and sharing recall rosters.

Top 10 PII Lessons Learned

by DON CIO Privacy Team - July 9, 2010

When a Department of the Navy activity reports a personally identifiable information breach, it must include lessons learned in an after-action report. Lessons learned are an important feedback mechanism and are used to shape future DON privacy policy. The following information is a compilation of the most frequently reported lessons learned.

Web Portals and Shared Drives Must Be Continually Monitored

by Steve Muck - May 17, 2010

The following is a recently reported data breach involving the disclosure of personally identifiable information (PII) on the Navy Knowledge Online (NKO) website. Names have been changed or omitted but details are factual and based on reports sent to the DON CIO Privacy Office.

Your Office Copier/Printer May Present Information Security Risks

by Steve Muck - February 22, 2010

The following is a recently reported compromise of personally identifiable information (PII) involving the disposal of copiers containing personal information stored on their hard drives. Incidents such as this will be reported to increase PII awareness. Names have been changed or removed, but details are factual and based on reports sent to the DON CIO Privacy Office.

Protecting PII on Removable Storage Devices

by DON CIO Privacy Team - February 23, 2010

The Department of the Navy, Department of Defense and Office of Management and Budget (OMB) have mandated the protection of data at rest (DAR) on all unclassified network seats/devices. NMCI is implementing a solution using GuardianEdge Encryption Anywhere and Removable Storage software to meet these requirements. All data in computer storage as well as data written to a removable storage device will be encrypted. This ...

Compliance Spot Checks Key to Successful Privacy Program

by DON CIO Privacy Team - January 4, 2010

ALNAV 070/07 Department of the Navy Personally Identifiable Information (PII) Training Policy states that, "Commanders/Commanding Officers/Officers in Charge will ensure that supervisors conduct a spot check of their assigned area of responsibility, focusing on those areas that deal with PII on a regular basis (e.g., human resources, personnel support, medical, etc.)." The ALNAV also states that the compliance spot check ...

Theft of Storage Media Containing PII

by Steve Muck - November 6, 2009

The following is a recently reported compromise of personally identifiable information (PII) involving the theft of storage media containing personal information. Names have been changed or removed, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy Office.

Web 2.0: Federal CIO Council Releases Guidelines for Secure Use of Social Media

by Christy Crimmins - November 9, 2009

The use of social media has become a popular topic within the Department of the Navy, Defense Department and across the federal government. As agencies begin to venture into this media, whether it is creating an agency Facebook page or updating constituents via Twitter, precautions must be taken and risks should be assessed. While these tools open up many avenues for broader communication and collaboration, they also ...

PII and Records Management

by DON CIO Privacy Team - November 2, 2009

A successful command privacy program must include an aggressive records review and disposal component. While hard copy files cannot be ignored, the volume of electronic data files is a much larger issue and must be aggressively addressed by local commands/units.

Copier/Printer May Present Information Security Risks

by DON CIO Privacy Team - October 2, 2009

Two recent personally identifiable information (PII) breach incidents involving the turn in of reproductive office equipment highlight the fact that many people do not know that copiers and printers present information security challenges.

Using Shredders Versus Shredder Services

by DON CIO Privacy Team - August 31, 2009

This Privacy Tip is a summary of input received from information assurance personnel, security personnel and privacy officials from a variety of commands across the Department of the Navy and Joint Forces Command. The information is intended to represent best business practices and should not be considered DON policy, unless otherwise noted.

Improper Disposal of HR Documents

by Steve Muck - August 19, 2009

The following is a recently reported compromise of personally identifiable information (PII) involving the improper disposal of human resources documents. Names have been changed or removed, but details are factual and based on reports sent to the DON CIO Privacy Office.

Protect Your Personal Information: It's Valuable

by DON CIO Privacy Team - May 26, 2009

Why should you protect your personal information? To an identity thief, it can provide instant access to your financial accounts, your credit record and your other personal assets. If you think that no one would be interested in your personal information, think again.

Defending Cell Phones and PDAs Against Attack

by DON CIO Privacy Team - April 30, 2009

As cell phones and personal digital assistants (PDAs) become more technologically advanced, attackers are finding new ways to target victims. By using text messaging or email, an attacker could lure you to a malicious site or convince you to install malicious code on your portable device.

Un-Encrypted Email With NSPS Information

by Steve Muck - April 20, 2009

The following is a recently reported compromise of personally identifiable information (PII) involving the transmission of an un-encrypted e-mail which contained National Security Personnel System (NSPS) performance ratings of employees within a Navy region. Names have been changed or removed, but details are factual and based on reports sent to the DON CIO Privacy Office.

Tax Time Privacy Tips

by DON CIO Privacy Team - April 6, 2009

This Privacy Tip provides a list of things you should know about the Internal Revenue Service (IRS) and identity theft.

Reducing the Use of SSNs is Key to Securing PII

by DON CIO Privacy Team - March 3, 2009

If the Department of the Navy eliminated the use of Social Security numbers (SSN) from email, forms, documents and electronic information technology systems, 80 percent of the personally identifiable information (PII) breaches reported in 2008 would never have occurred. The March Privacy Tip of the Month explores the relationship between SSNs and identity theft. It also provides approaches to reducing the display, ...

Insider Threat

by Steve Muck - February 20, 2009

The following is a reported loss or breach of personally identifiable information (PII) involving a Department of the Navy information system with lessons learned from the event. Names have been changed or removed, but details are factual and based on reports sent to the DON Privacy Office.

DON Enterprise Data At Rest Solution For All Non-NMCI Assets Is Awarded

February 2, 2009

The Department of the Navy enterprise solution for protection of sensitive Data at Rest (DAR) on non-NMCI assets is now available. Implementation of this solution enables compliance with DoD and DON requirements associated with protection of personally identifiable information (PII) and other types of sensitive DAR on mobile computing devices and portable storage media.

Reduce PII Loss by Proper Disposal/Sanitization of Unclass Equipment

by DON CIO Privacy Team - January 26, 2009

During the past year, the Department of the Navy has experienced problems relating to turning in excess information technology and office equipment that contain personally identifiable information (PII).

Action Steps for Identity Theft Victims

January 8, 2009

During the past year, the Department of the Navy has experienced a few documented cases of identity theft linked to the loss of government privacy information. The December 2008 Privacy Tip focused on how thieves steal identities, what they do with the personal information they obtain, and general information about identity theft. This Privacy Tip is reproduced from Department of Justice guidance found on its

What You Should Know About Identity Theft

November 13, 2008

During the past year, the Department of the Navy has experienced a few documented cases of identity theft linked to the loss of government privacy information. This Privacy Tip focuses on how thieves steal identities and what they do with that personal information, as well as general information about identity theft.

Privacy Must be Considered When Using Web 2.0 Tools

October 30, 2008

As outlined in a recently published memo, the Department of the Navy endorses the secure use of Web 2.0 tools to enhance collaboration, streamline processes and foster productivity.

Laptop Security

by Steve Muck - October 29, 2008

The following is the July 2008 summary of recently reported losses or breaches of personally identifiable information (PII) involving laptops or thumb drives. Laptop security continues to be the foremost vulnerability in the Department of the Navy. Names have been changed or removed, but details are factual and based on reports sent to the Department of the Navy Privacy Office.

GSA Awards BPA for Credit Monitoring Services

September 9, 2008

The U.S. General Services Administration awarded Blanket Purchase Agreements (BPAs) to assist Federal agencies in protecting the confidentiality of personal credit and payment information, as well as providing a fast and effective solution for Federal agencies needing commercial-off-the-shelf credit monitoring services, according to its web site.

Safeguarding PII on the Command Shared Drive

September 4, 2008

Recent personally identifiable information (PII) breach reports highlight the need to conduct searches of shared drives throughout the Department to protect employees’ personal information and reduce the risk of identity theft. PII is found most often in documents related to awards, medals, legal issues, medical records and financial data.

Reduce PII in Electronic and Paper Files

by Steve Muck - August 6, 2008

The following is a synopsis of a recently reported loss or breach of personally identifiable information (PII) that highlights common mishandling mistakes made by individuals within the Department of the Navy. Names have been changed, but details are factual and based on reports sent to the DON Privacy Office.

Why Peer-to-Peer File Sharing Is Not a Good Idea

September 3, 2008

Peer-to-Peer (P2P) networks link computers directly, allowing users to swap digital movies, music and files with other users without centralized security controls or oversight.

Handbook Provides Cyber Crime Prevention Tips

July 28, 2008

The recently released Department of the Navy Cyber Crime Handbook provides an overview of the definitions, criminal techniques, electronic laws, incident reporting and responses regarding cyber threats to DON personnel and the Department's global network infrastructure.

Guidance Updated for DAR Compliance Effort on Non-NMCI Networks

July 11, 2008

An enterprise solution to encrypt DON data-at-rest (DAR) for non-Navy Marine Corps Intranet (NMCI) networks is anticipated to be available this fall from the Department of Defense Enterprise Software Initiative/SmartBUY Enterprise Software Agreements.

Don't Get Caught by Phishing

July 11, 2008

Phishing is a criminal activity in which an adversary attempts to fraudulently acquire sensitive information by impersonating a trustworthy person or organization. Examples of such practices include manipulated emails that appear to be from the Department of the Navy, Navy Federal Credit Union, Navy Knowledge Online or other recognizable contacts.

Secure Those Laptops

June 13, 2008

Whether due to carelessness or theft, the loss of laptops and other portable electronic devices (especially thumb drives) continues to be one of the top contributors to the loss of personally identifiable information (PII).

Information Privacy Professional Certification Available

June 9, 2008

The mission of the International Association of Privacy Professionals (IAPP) is to define, promote and improve the privacy profession globally. It is the world's largest association of privacy professionals, representing more than 5,000 members from business, government and academia across 32 countries. It is the first organization to establish educational and testing credentials for information privacy, i.e., the Certified ...

PII Has No Shelf Life

by Steve Muck - May 14, 2008

The following synopsis of a recently reported loss or breach of personally identifiable information (PII) highlights common mishandling mistakes made by individuals within the Department of the Navy. Names have been changed, but details are factual and based on reports sent to the DON Privacy office.

Use Caution With Wi-Fi

May 13, 2008

From FBI.gov. The scenario: You are at the airport waiting for your flight. With time to kill, you are thinking of connecting your laptop to the airport’s Wi-Fi to check your office e-mail, do some personal banking or shop for a gift for your spouse. However, chances are there is a hacker sitting nearby with a laptop attempting to “eavesdrop” on your computer to obtain personal data that will provide access to ...

Web Site Postings of PII

by Steve Muck - February 11, 2008

The following is a synopsis of a recently reported loss or breach of personally identifiable information (PII) that highlights common mishandling mistakes made by individuals within the Department of the Navy. Names have been changed, but details are factual and based on reports sent to the DON Privacy Office.

CHIPS Magazine

Hold Your Breaches!

by Steve Muck and Steve Daughety - January-March 2013

Emailing Personally Identifiable Information

Mr. Terry Halvorsen

by CHIPS Magazine - January-March 2013

Department of the Navy Chief Information Officer

Protecting Our Most Valuable Asset - Our People

by DON Enterprise IT Communications - January-March 2013

Reducing the Use of Social Security Numbers

by Steve Muck and Steve Daughety - January-March 2013

A Good News Story

Medical Insurance Company Faxes Personal Information to Wrong Number for Three Years

by Steve Muck - October-December 2012

Which Paper Shredder Should I Use?

by Steve Muck and Steve Daughety - October-December 2012

A Message From the DON CIO

by Terry Halvorsen - July-September 2012

Maximizing the Value of Data as a Critical DON Asset

Hold Your Breaches, July-September 2012

by Steve Muck - July-September 2012

A Landfill is No Place for PII

The DoD Identification Number as PII

by Steve Muck and Steve Daughety - July-September 2012

Sailor Stores PII in Commercial Facility; Fails to Pay Bill

by Steve Muck - April-June 2012

SSN Reduction Plan Phase 3

by Steve Muck - April-June 2012

Hold Your Breaches, October-December 2011

by Steve Muck and Steve Daughety - October-December 2011

Supervisor Sends PII Without Encrypting Email

The DON SSN Reduction Plan Continues

by Steve Muck - October-December 2011

DON IM/IT/Cyberspace Campaign Plan for Fiscal Years 2011-2013

by DON CIO - July-September 2011

Report Your Breaches

by Michelle Schmith - July-September 2011

Website Question Leads to a Strengthened Privacy Process

by Steve Muck - July-September 2011

Contractor Improperly Handles PII

by Steve Muck - April-June 2011

DON Employee Challenges use of Unauthorized DoD "Form"

by Steve Muck - April-June 2011

Resources

Inventory of DON Systems With Completed Privacy Impact Assessments

April 25, 2008

Section 208 of the E-Government Act of 2002 establishes government-wide requirements for conducting, reviewing and publishing Privacy Impact Assessments (PIA). The PIA directs agencies to conduct reviews of how privacy issues are considered when creating or purchasing new information technology (IT) systems or when initiating new electronic collections of information in identifiable form. A PIA addresses privacy factor

Messages From the DON CIO

November 12, 2012

The following are links to past messages from the DON CIO.

2012 Social Security Number Reduction Brief

by DON CIO Privacy Team - December 6, 2012

The Social Security Number Reduction brief attached below was presented at the 2012 Department of the Navy IT Conference and is provided as a reference and for use in developing other personally identifiable information presentations.

Encrypting Emails Containing PII FAQs

by DON CIO Privacy Team - October 23, 2012

Emails containing personally identifiable information (PII) in the body of the email or in an email attachment: Should only be sent to recipients with an official need-to-know. Should have "FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE" in the subject line. Should have "FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE: Any misuse or unauthorized disclosure of this information may result in both criminal and civil penalties" ...

Identity Theft FAQs

by DON CIO Privacy Team - October 23, 2012

Identity theft affected 8.4 million adult Americans in 2007. Within the Department of the Navy, two incidents related to the loss of government controlled personally identifiable information (PII) that resulted in identity theft have been confirmed since June 2006.

Laptops and Portable Devices FAQs

by DON CIO Privacy Team - October 23, 2012

Below is a list of frequently asked questions on laptop and portable devices.

Personally Identifiable Information FAQs

by DON CIO Privacy Team - October 23, 2012

What is personally identifiable information (PII)? OMB defines PII as: Any information about an individual maintained by an agency, including but not limited to, education, financial transactions, medical history, and criminal or employment history and information that can be used to distinguish or trace an individual's identity, such as his or her name, SSN, date and place of birth, mother's maiden name, biometric ...

PII Breach Reporting FAQs

by DON CIO Privacy Team - October 23, 2012

A privacy breach is defined as a known or suspected loss of Department of the Navy personally identifiable information (PII).

Privacy Frequently Asked Questions

by DON CIO Privacy Team - December 11, 2008

The following is a list of topics with questions that are frequently asked of the Department of the Navy Chief Information Officer Privacy Team. Responses have been provided and, in many cases, there are added references to the guidance that is cited. Please provide the Privacy Team additional questions so they may be added to the list.

Privacy Training FAQs

by DON CIO Privacy Team - October 23, 2012

Privacy training should be completed by all Department of the Navy personnel (i.e., civilians, military and contractors) no later than Aug. 31 of each year.

Justification For The Use Of The SSN

by DON CIO Privacy Team - October 3, 2012

Phase II of the Department of the Navy Social Security Number (SSN) Reduction Plan addressed a review of information technology systems that collect the SSN. The purpose of the review was to assess whether continued collection was required, whether collection could cease (i.e., elimination of the SSN), or whether the SSN could be substituted with another unique identifier (i.e., the DoD ID number).

PII Annual Training Certificate

by DON CIO Privacy Team - October 3, 2012

Annual privacy training is mandatory and must be completed by August 31 each year, as stated in this message. The preferred sources of training for the Navy are Navy Knowledge Online (NKO) and the Total Workforce Management System (TWMS). MarineNet is the preferred source for the Marine Corps.

Facebook Privacy Application Settings

by DON CIO Privacy Team - September 25, 2012

Even though you should assume that all information you share on Facebook could be made public, there are precautions you can take to share your information only with those you choose. This presentation provides step-by-step instructions to help Facebook users create a balance between safeguarding their privacy and enjoying the benefits of social networking online.

Personally Identifiable Information Posters

August 8, 2012

The Department of the Navy Chief Information Officer has created press-quality posters to help communicate the importance of protecting and properly handling personally identifiable information (PII).

Safe Access File Exchange

August 8, 2012

Safe Access File Exchange (SAFE) allows users to send up to 25 files securely to recipients within the .mil and .gov domains. The files can total up to 2GB in size. SAFE was originally designed to provide Army Missile and Research, Development and Engineering Command (AMRDEC) employees and those doing business with AMRDEC an alternate way to send files. The Department of the Navy has confirmed with AMRDEC that SAFE may ...

Privacy and Personally Identifiable Information Awareness Training

July 5, 2012

This web-based privacy training replaces previous training developed by the Department of Defense and is Department of the Navy centric. It meets the annual DoD privacy training requirement and is provided here for those who do not have access to the following Navy and Marine Corps eLearning sites: Navy Knowledge Online (NKO), Total Workforce Management System (TWMS) or MarineNet.

PII Refresher Training Scenarios

July 2, 2012

The following privacy training consists of nine breach scenarios and is intended to augment the Department of the Navy's annual personally identifiable information (PII) awareness course. The scenarios can be used to increase awareness or as a refresher for individuals who mishandle PII.

Privacy Resources

June 20, 2012

The following is a list of privacy resources.

Process for Substituting the DoD ID Number for the SSN in IT Systems

by DON CIO Privacy Team - June 11, 2012

In Phase II of the Department of the Navy Social Security Number (SSN) Reduction Plan, program managers/system owners identified information technology systems that could eliminate the collection of SSNs by substituting the Department of Defense identification (ID) number (i.e., the Electronic Data Interchange Personal Identifier). Phase III authorizes the use and substitution of the DoD ID number and provides strict ...

Privacy Briefs

by DON CIO Privacy Team - April 9, 2009

The following privacy presentations are provided for reference and use in developing future presentations and briefings.

Privacy Resources for Military Members and Their Families

by DON CIO Privacy Team - April 26, 2012

Service members and their families face many life-altering events that most people never experience, such as frequent moves, extended deployments and multiple family separations. Each of these events can potentially expose the service member to an increased risk of identity theft and/or fraud. The following links provide information on what to do if you find yourself in a situation where your personal information has ...

Publicly Accessible Website Privacy Resources (including Official DON Social Networking Sites)

by DON CIO Privacy Team - October 18, 2010

The World Wide Web is specifically designed to be open and accessible to a global audience. While this global accessibility makes the web a powerful public information tool and enhances productivity in the conduct of daily business, it also presents a potential risk to Department of the Navy personnel, assets and operations if inappropriate information is published on DON websites. Threats to the security of Navy and ...

How to Find Your DoD ID Number

by DON CIO Privacy Team - March 2, 2012

The Department of Defense identification number, formerly referred to as the Electronic Data Interchange Personal Identifier (EDIPI), is a unique 10-digit number that is associated with personnel and their Common Access Card (CAC). The DoD ID is assigned to each person registered in the Defense Enrollment and Eligibility Reporting System (DEERS). This includes government civilians, active duty military, dependents, ...

Unique Investment Identifiers for FY2013

January 22, 2009

The table below provides FY2013 Unique Investment Identifiers (UIIs), formerly Unique Project Identifiers (UPIs), for Department of the Navy information technology systems. The UII is required when completing a Privacy Impact Assessment (PIA).

Digitally Signing and Encrypting Email Containing PII Brief

by LCDR Greg Taylor, BUPERS IAM - January 18, 2012

The attached brief was prepared by LCDR Greg Taylor, Bureau of Naval Personnel information assurance manager, and addresses the Department of the Navy requirement to digitally sign and encrypt emails containing personally identifiable information.

Safeguarding PII

October 4, 2010

The following is a list of the latest policy, guidance and resources related to the safeguarding of personally identifiable information.

Department of the Navy Personally Identifiable Information Sample Compliance Spot Checklist

September 8, 2008

This checklist is an internal Department of the Navy document to be used by command leadership to assess the level of compliance in the handling of personally identifiable information as delineated by law and/or specific DoD/DON policy guidance. As commands adapt this checklist for their own use, their checklists will be posted here as a resource for others.

Sample Social Security Number Elimination Plan

January 10, 2012

For new and existing Department of the Navy forms and information technology systems, any use of the Social Security number (SSN) that cannot be justified through appropriate authorities must be eliminated.

Privacy Complaint Process

by DON CIO Privacy Team - January 11, 2012

The Privacy Complaint Process is a tiered process.

Recommended Facebook Privacy Settings

by CHINFO - July 1, 2010

The Department of the Navy Chief of Information has created a guide detailing recommended Facebook privacy settings and how to achieve them. The guide provides step-by-step instructions to help Facebook users create a balance between safeguarding their privacy and enjoying the benefits of social networking online.

Naval Forms Online

by DON CIO Privacy Team - August 10, 2011

Naval Forms Online is the Department of the Navy's repository for all Navy and Marine Corps officially approved forms.

SSN Reduction Plan Resources

August 25, 2010

The following resources are provided to help implement the Department of the Navy's Social Security Number Reduction Plan.

DON Social Security Number Reduction Plan for IT Systems Phase Two

by DON CIO Privacy Team - July 8, 2011

The following resources are provided to assist in completing the review of information technology systems that collect Social Security numbers.

IT System SSN Reduction Review Process

by DON CIO Privacy Team - July 8, 2011

The following process should be followed when reviewing information technology systems that collect Social Security numbers (both full and truncated).

What is Personally Identifiable Information?

by DON CIO Privacy Team - July 11, 2011

The following information is provided to help you better understand what constitutes personally identifiable information (PII). It also attempts to explain what PII elements are considered "sensitive" and "non-sensitive" and the role these categories play when reporting a loss or compromise of PII (i.e., a breach) or determining when a Privacy Impact Assessment (PIA) is required for an information technology system.

IT System SSN Reduction Response Matrix

by DON CIO Privacy Team - July 8, 2011

To support the review of information technology systems that collect Social Security numbers, the attached response matrix is provided.

Justification Memo for the Continued Collection of the SSN

by DON CIO Privacy Team - July 8, 2011

The continued collection of Social Security numbers by existing information technology systems and collection by new IT systems must be justified.

Privacy Act Data Cover Sheet

by DON CIO Privacy Team - July 11, 2011

Privacy Act Data Cover Sheet, DD Form 2923 dated September 2010, is provided to aid in the safeguarding of personally identifiable information (PII). Use of the form is considered a best practice.

Protected Health Information

July 1, 2011

The following Protected Health Information (PHI) documents are provided as references. PHI is individually identifiable health information that is transmitted or maintained by electronic or any other form or medium, excluding individually identifiable health information in employment records held by a covered entity in its role as employer.

PII Best Practice: Proper Disposal of PII

by DON CIO Privacy Team - May 17, 2011

Some personally identifiable information (PII) if lost, stolen or compromised has the potential to cause harm to an individual because it may result in identity fraud. There are other PII elements that present little to no such risk.

Privacy Training and Compliance Resources

by DON CIO Privacy Team - February 25, 2009

The following resources are provided to support the Department of the Navy's annual privacy training and semi-annual compliance spot-check requirements. Note: The GENADMIN (DTG 181905Z DEC 08) training requirement supersedes the ALNAV 070/07 training requirement. The compliance spot-check requirements of the ALNAV remain in effect.

Privacy Act Training

by DON CIO Privacy Team - May 17, 2011

The Privacy Act Training presentations below are provided for use by Department of the Navy Privacy Act coordinators as reference materials only. They are not required training and will not be updated in the future. They should not be confused with the DON annual Personally Identifiable Information Training required by "GENADMIN DON CIO WASHINGTON DC 181905Z DEC 08."

SSN Reduction Frequently Asked Questions

March 3, 2011

On Nov. 5, 2010, the Under Secretary of Defense for Personnel & Readiness (USD(P&R)) signed a memorandum announcing the removal of printed Social Security numbers on all Department of Defense identification cards. By the end of May 2011 and beyond, all DoD ID cards issued will display a new number, called the DoD identification number (also known as the EDI-PI). In addition to the DoD ID number, individuals entitled to ...

How and When to Write a Privacy Act Statement

by DON CIO Privacy Team - September 15, 2010

When is a Privacy Act Statement required? If your organization requests that an individual furnish personal information (name, date of birth, Social Security number, etc.) for a system of records, regardless of the method used to collect the information (e.g., forms, personal or telephonic interview, etc.), then a Privacy Act Statement (PAS) is required. If the information requested will not be included in a system ...

Privacy Act Resources

by DON CIO Privacy Team - August 11, 2010

The following resources are intended to supplement SECNAVINST 5211.5E: "DON Privacy Program" and should prove useful to Privacy Act coordinators. Please submit suggestions for additions to this list to the Ask an Expert section of the website. Select the topic: "Privacy Act."

Fair Information Practices

by DON CIO Privacy Team - October 12, 2010

The Privacy Act of 1974 is largely based on a set of internationally recognized principles for protecting the privacy and security of personal information known as the Fair Information Practices. A U.S. government advisory committee first proposed the practices in 1973 to address what it termed a poor level of protection afforded to privacy under contemporary law. The Organization for Economic Cooperation and Development ...

Guidelines for Establishing a New Privacy Act System of Records Notice

by DON CIO Privacy Team - September 22, 2010

All Privacy Act system of records notice (SORN) actions are transmitted electronically to the Chief of Naval Operations, Department of Defense and the Federal Register, because this method is both time and cost effective. Since DoD uses special software to transmit the text to the Federal Register, please do not indent, underline, bold, double-space or center the text. All new systems require a "Narrative Statement on ...

Identifying Privacy Act Systems of Records You May Be Using

by DON CIO Privacy Team - September 22, 2010

A Privacy Act (PA) system of records notice is the authority that allows you to collect, maintain and disseminate information that is retrieved by an individual's name and personal identifier. Because many activities maintain similar types of records, we have written generic or "umbrella" PA systems of records notices to cover activities that require collection of those types of records.

How to Obtain Copies of Military Personnel Records

by DON CIO Privacy Team - September 15, 2010

The following processes are provided for active duty military members, former military members, family members, and other individuals wishing to obtain copies of military personnel records.

Privacy Act Exemptions

by DON CIO Privacy Team - September 15, 2010

The attachment is a copy of the Code of Federal Regulations, Title 32, Volume 5, Revised as of July 1, 2008 (32 CFR 701.128), "Privacy Act Exemptions for Specific Navy Record Systems."

Sample Checklist for Conducting Privacy Act Assessment/Staff Visits

by DON CIO Privacy Team - September 16, 2010

The following checklist is provided for use by Privacy Act coordinators and should be tailored to a command's specific needs.

DoD Privacy Program Resources

by DON CIO Privacy Team - September 14, 2010

The Defense Privacy Program homepage provides resources related to the Privacy Program, Privacy Impact Assessments and the Freedom of Information Act.

How to Make a Privacy Act Request

by DON CIO Privacy Team - September 14, 2010

To make a Privacy Act (PA) request, label the request itself and the envelope: "PRIVACY ACT REQUEST." Identify the specific PA system of records notices you wish to have searched. (See index of PA System of Records Notices and submit your request according to the requirements set forth under "Record Access Procedures.") PA requests must be signed, so we cannot accept email requests.

Instructions for Using WinZip to Encrypt Files

by DON CIO Privacy Team - September 14, 2010

The attachment below provides step-by-step instructions to encrypt files using WinZip.

Other Privacy Act Resources

by DON CIO Privacy Team - September 13, 2010

The following additional resources are provided:

Overview of the Privacy Act of 1974 (2010 Edition)

by DON CIO Privacy Team - September 9, 2010

The "Overview of the Privacy Act of 1974," prepared by the Department of Justice's Office of Privacy and Civil Liberties (OPCL), is a discussion of the Privacy Act's disclosure prohibition, its access and amendment provisions, and its agency recordkeeping requirements.

PEO EIS Portal Procedures for Safeguarding PII

September 14, 2010

Best Practices for Use with Command Shared Drives and Web Portals: The attachment below is the Program Executive Officer, Enterprise Information Systems (PEO EIS) Portal Procedures for Safeguarding Personally Identifiable Information (PII) and should be used as a best practice. The Department of the Navy has experienced numerous breaches across the enterprise in which PII was improperly posted to shared drives and web ...

Privacy Act Desk Reference Guide

by DON CIO Privacy Team - September 15, 2010

What is the Privacy Act? The Privacy Act (PA) pertains to records the Department of the Navy is maintaining about you. More than 150 types of PA System of Records Notices (SORNs) have been identified that allow the DON to collect, maintain, use and disseminate information about individuals affiliated with the Department. View a complete list of approved systems.

Privacy-Related OMB Memoranda

by DON CIO Privacy Team - September 14, 2010

The following list of Office of Management and Budget memoranda pertains to privacy and is provided to assist personnel as they conduct their daily privacy-related functions.

Disclosure Accounting Form (OPNAV 5211/9 (MAR 1992))

September 9, 2010

Disclosure accounting allows an individual to determine what agencies or persons have been provided information from the system of records about them, enables Department of the Navy activities to advise prior recipients of the system of records of any subsequent amendments or statements of dispute concerning the system of records, and provides an audit trail of the DON's compliance with the Privacy Act of 1974.

General Purpose Privacy Act Statement (OPNAV FORM 5211/12)

September 13, 2010

When an individual is requested to furnish personally identifiable information for possible inclusion in a system of records, a Privacy Act Statement (PAS) must be provided to the individual, regardless of the method used to collect the information (e.g., forms, personal or telephonic interview, IT system, etc.). If the information requested will not be included in a system of records, a PAS is not required.

DON SSN Reduction Review Form SECNAV 5213/1 (Jul 2010)

by DON CIO Privacy Team - August 31, 2010

Naval message DTG 192101Z Jul 10: "DON Social Security Number Reduction Plan for Forms Phase One" requires the use of SECNAV 5213/1 to review and justify the continued collection of Social Security numbers on all Department of the Navy forms.

Department of Defense SORN Training Materials

by DON CIO Privacy Team - August 23, 2010

The two documents attached below were provided by the Defense Privacy and Civil Liberties Office. One is a presentation on System of Records Notices (SORNs), and the other is an example of a Navy SORN.

Privacy Act System of Records Notices

August 11, 2010

The Privacy Act allows executive branch agencies to collect, maintain and disseminate information on individuals affiliated with that agency. The Department of the Navy does not maintain information about individuals who have never been affiliated with the Department. The DON's inventory of Privacy Act System of Records Notices (SORNs) identifies under "exemptions claimed for this system" those systems that are exempt ...

Hard Drive Disposal Resources

May 19, 2010

The following hard drive disposal resources provide current Department of the Navy policy and guidance with regard to degaussing, destruction, and turn-in of DON-owned or leased hard drives. It also includes the waiver process.

Methods for Hard Drive/Disk Destruction

by DON CIO Privacy Team - August 3, 2010

The following guidelines are provided for the proper destruction of Department of the Navy hard drives.

Approved Use Cases for Systems Collecting SSNs

by DON CIO Privacy Team - July 9, 2010

The following is a list of 12 approved use cases for systems requesting the use of Social Security numbers.

Privacy Recommended Reading List

by DON CIO Privacy Team - May 4, 2009

Welcome to the Department of the Navy Chief Information Officer Privacy Team recommended reading list. This list will be periodically updated.

2012 Identity Theft Brief

by DON CIO Privacy Team - June 16, 2009

The identity theft brief attached below was presented at the 2012 Department of the Navy IM/IT Conference and is provided as a reference and for use in developing other PII presentations.

2012 Personally Identifiable Information (PII) Brief

by DON CIO Privacy Team - April 22, 2009

The personally identifiable information (PII) brief attached below was presented at the 2012 Department of the Navy IM/IT Conference and is provided as a reference and for use in developing other PII presentations.

2012 Privacy Impact Assessment (PIA) Brief

by DON CIO Privacy Team - April 22, 2009

The Privacy Impact Assessment (PIA) brief attached below was presented during the 2012 Department of the Navy IM/IT Conference and is provided as a reference and for use in developing other PIA presentations.

Privacy Impact Assessment Signature Routing Guidance

by DON CIO Privacy Team - May 22, 2009

The following provides the proper routing for Navy and Marine Corps Privacy Impact Assessments (PIAs). The last two signature blocks on the DoD PIA Template (DD FORM 2930 NOV 2008) are reserved for (1) the DON Privacy Act Program Manager (DNS-36) or USMC Privacy Act/FOIA Officer and (2) the DON CIO.

OMB Information Collection Number

January 30, 2009

An Office of Management and Budget (OMB) Information Collection Number is required when collecting information from 10 or more members of the public in a 12-month period and is used in completing the Privacy Impact Assessment (PIA) Template.

Privacy Impact Assessment Resources

by DON CIO Privacy Team - January 30, 2009

The following resources are provided to assist with the privacy impact assessment submission process.

Privacy Impact Assessment Template "Gouge"

February 18, 2009

This document attempts to address the common issues encountered as a privacy impact assessment moves through the review and approval process. Consider this a "living" document and help us improve its content and usefulness.

Privacy Impact Assessment Template Risk Mitigation Question Responses

February 18, 2009

This document provides examples of possible responses to the privacy impact assessment (PIA) template questions that deal with the risks associated with the electronic collection of personally identifiable information and the ways to mitigate those risks.

Take the DON Privacy Quiz!

January 21, 2009

The DON Privacy Quiz highlights basic personally identifiable information (PII) knowledge and policy information with which all DON personnel should be familiar. It is recommended that command/unit privacy officials use this quiz (attached below) as a training aid that can be specifically tailored to local use. Please provide feedback on how to make this a better tool by submitting your comments to the DON CIO Privacy Team via ...

PII Breach Reporting Resources

January 16, 2009

The following breach-related resources are provided to aid in reporting the loss or suspected loss of personally identifiable information (PII).

BUPERS Safeguarding PII Presentation

January 16, 2009

The attached brief provides background information, the resultant responses and best practices developed by the Bureau of Naval Personnel related to the sensitivity to the loss of personally identifiable information of DON personnel. Also attached is a transcript from the presentation.

Privacy Information and Resources

December 17, 2008

In addition to the privacy resources and information available on the DON CIO website, the following list of websites provides further information on privacy and identity theft prevention.

DoD Privacy Impact Assessment Template

November 21, 2008

The new Department of Defense Privacy Impact Assessment Template has been published and is available for use by Army, Navy, Air Force, DISA, OSD/JS, DLA, TMA and DFAS. The link provides access to the Word and fillable PDF versions of DD FORM 2930 on the DoD forms web site.

PII Breach Reporting Forms

August 5, 2008

These two forms are available for use in accordance with DTG 291652Z FEB 08: Loss of Personally Identifiable Information Reporting Process. OPNAV 5211/13: DON Loss or Compromise of Personally Identifiable Information (PII) Breach Reporting Form is used for initial and supplemental breach reporting.

Reporting PII Breach Notifications

August 5, 2008

Commands reporting a loss or suspected loss of personally identifiable information (PII) will be contacted by the Department of the Navy Chief Information Officer Privacy Team to determine if individual notifications are required. The decision to notify will be based on the nature of the PII compromised and the resultant level of risk of identity theft. If the command is faced with notifications and cannot locate the ...

Potential Consequences for Failing to Safeguard PII

July 22, 2008

The DON Table of Potential Consequences and Penalties for the Mishandling/Improper Safeguarding of PII was developed with legal assistance from the Department of the Navy’s Office of Civilian Human Resources and its Workforce Relations and Compensation Division, the Office of the Judge Advocate General, and the Office of the DON CIO.

DON Cyber Crime Handbook

July 23, 2012

The Department of the Navy Cyber Crime Handbook contains an overview of the definitions, criminal techniques, electronic laws, incident reporting and responses regarding the cyber threats to Department personnel and the global infrastructure we rely on.