Safeguarding PII on Shared Drives Continues to be a Challenge
By Steve Muck - Published, January 12, 2012
The following is a recently reported personally identifiable information (PII) data breach involving the posting of a large number of documents containing PII on an activity's shared drive. Incidents such as this will be reported in CHIPS magazine to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy Office.
Background
Shared drives facilitate information sharing and collaboration. Their availability and ease of use make them a popular tool across the DON. However, the number of PII breaches submitted related to shared drives has not decreased. Posting personal information in shared drive folders that do not have access controls, or where the access controls have been removed, continues to be an issue.
The Incident
In November 2011, during an activity's detachment swap prior to deployment, a backup file containing employment information, including names, Social Security numbers (SSN), resumes, hiring information, disability information, etc., was created because of network connectivity problems. The backup file was posted on the activity's shared drive, but was not encrypted. No password protection was established for the file — meaning that access was not restricted to only those with an official need to know.
Approximately a month after the backup file was posted to the shared drive, an employee discovered it, recognized that it contained personal information and reported it during a staff meeting. An investigation was immediately initiated and steps were taken to restrict access to only those with a need to know. A PII breach report was submitted to the DON CIO.
The investigation involved identifying individuals by name and the PII elements contained in the files associated with each of the affected personnel. Using this information, the DON CIO Privacy Office directed the activity to notify those individuals whose sensitive PII had potentially been compromised.
Lessons Learned
When posting personally identifiable information on a shared drive, positive controls that restrict access to only those with an official need to know must be in place. Positive controls include encrypting documents and password protecting files and folders containing the documents. Collecting only the PII elements necessary to perform the mission is also an important consideration.
It is important to note that maintenance performed on shared drives often involves the removal of access controls. Following maintenance, it is important to ensure that the controls have been properly restored and to verify they are working correctly.
Activities should perform routine spot checks and searches on their shared drives using key words such as "SSN," "Social Security number," "DOB," "date of birth," etc. Where documents can be removed, they should be deleted. Files and folders containing PII should be protected with the appropriate permissions. In some cases, PII can be redacted from documents and the resulting document saved. The collection of SSNs should be authorized by one of 12 approved use cases. The list can be found at www.doncio.navy.mil/ContentView.aspx?id=1833.
Documents in files and folders on shared drives should also be marked "FOUO – Privacy Sensitive. Any misuse or unauthorized disclosure may result in both civil and criminal penalties."
The DON CIO website contains several privacy articles, tips and Naval messages that address the protection of PII on shared drives. Visit www.doncio.navy.mil/privacy.
Steve Muck is the privacy lead for the Department of the Navy Chief Information Officer.