Trending

BROWSE ALL TOPICS

Un-Encrypted Email With NSPS Information

By Steve Muck - Published, April 22, 2009

The following is a recently reported compromise of personally identifiable information (PII) involving the transmission of an un-encrypted e-mail which contained National Security Personnel System (NSPS) performance ratings of employees within a Navy region. Names have been changed or removed, but details are factual and based on reports sent to the DON CIO Privacy Office.

Two non-password-protected attachments to an e-mail were sent to approximately 700 employees. The attachments were created for each NSPS pay pool and provided a bar chart of pay pool results presented as a single Microsoft PowerPoint slide.

A subordinate field activity reported that some of the employees had access to the underlying information that was used to build the slides. The initial investigation showed that, despite command efforts to prevent disclosure, it was possible to manipulate the attachments and reveal privacy sensitive data.

Data included: name; civilian grade; employee identification number, as assigned by the Defense Civilian Personnel Data System (DCPDS); salary; and fiscal year 2008 rating of record for the NSPS employees at the affected command.

No Social Security numbers or other PII was compromised.

Lessons Learned

  • This incident could have been avoided if proper warnings from the NSPS Program Office about downloading NSPS data to a PowerPoint presentation had been followed.
  • While performance rating information does not meet the standard definition of PII, the information in this breach is privacy sensitive and must be treated as such.
  • Strict controls must be in place so that only those personnel with a need to know have access to performance rating information.
  • The NSPS Program Office has been advised of the compromise of information and will work on a fix to prevent a recurrence.
  • All electronic or paper copy documents containing PII must be marked with the following: FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE: Any misuse or unauthorized disclosure of this information may result in both criminal and civil penalties. Refer to: Secretary of the Navy (SECNAV) Instruction 5211.5E.
  • Official e-mails containing sensitive information must be digitally signed. Refer to DON CIO message DTG 032009Z OCT 08.
  • E-mails containing 25 or more PII records must be encrypted using WinZip or another authorized DON enterprise solution. Refer to DON CIO message DTG 171952Z APR 07.
Steve Muck is the DON CIO privacy team lead.

TAGS: Cybersecurity, Privacy

Related Policy
Improving Critical Infrastructure Cybersecurity
Processing of Electronic Storage Media for Disposal
DON Public Affairs Policy and Regulations
Safeguarding Personally Identifiable Information
DON Privacy Impact Assessment Guidance
Related News
DON IT West and East 2017 Conference Registration Now Open
Nominations for DON IM/IT Excellence Awards Due Dec. 5
DON CIO Awards Recognize Information Management and Information Technology Excellence
DON IT Conference Presentations Available
DON CIO Congratulates 2016 DON IM/IT Award Winners
Related CHIPS Magazine
Tech Support Companies Using Deceptive Pop-Up Ads to Scare Consumers into Purchasing Unneeded Service
Creating a Smart, Skilled Cybersecurity Workforce
Factsheet: National Background Investigations Bureau
DoD Releases Update of Manual Governing Defense Intelligence Activities
OPM Announces New Chief Information Officer
Related Resources
Personally Identifiable Information Posters
2014 PII Brief
DON Users Guide to Personally Identifiable Information
Inventory of DON Systems With Completed Privacy Impact Assessments
Privacy Frequently Asked Questions
Related Industry News
New Pentagon Website Can Tell If You Were Hacked by China
Nextgov 
America Needs To Stay the Course on GPS Security
Space News 
5 Ways to Spot a Coerced Insider Threat
Nextgov 
For Today's Government Data Security, Trust no one
Government Computer News 
OPM Security Chief: You're Gonna Need a Bigger Boat
Federal Computer Week 

DON CIO Information

Online Services & Community