Steve Muck is the Director for Privacy and Information Sharing for the Department of the Navy Chief Information Officer. He has served as the DON Privacy Lead since 2007 and was the first government civilian within the Defense Department to obtain designation as a Certified Information Privacy Professional (CIPP). The DON CIO is the Department of the Navy's Senior Military Component Official for Privacy. Federal privacy laws require agencies to "establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records to protect against any anticipated threats or hazards to their security or integrity."
The loss or compromise of personally identifiable information (PII) can lead to identity theft, which directly impacts DON personnel, contractors, retirees and their families. Safeguards must be applied to every collection of PII, including IT systems, shared drives, computer networks, cloud services, email, paper records and websites.
As the DON CIO’s Director for Privacy and Information Sharing, Mr. Muck has extensive knowledge and experience with the DON’s Privacy Program and safeguarding the personal data of DON employees and members of the public. He has worked extensively with senior privacy officials from the Office of Management and Budget and other federal agencies. He currently co-chairs the Incident Response Working Group chartered by the Federal Privacy Council.
Mr. Muck responded in writing to questions in late July.
Q: Can you discuss the components of the DON Privacy Program and the steps the department has taken to ensure the protection of personal data for the workforce?
A: Our main thrust has been on education and awareness. Email, social media, instant messaging, online purchasing, and online banking are common everyday activities for our Sailors, Marines, and civilian employees, almost to the point that we do not even consider the risks these activities can present to the protection of our PII, so it is important to keep the DON workforce educated on the steps they can take to guard against harm and keep them aware of the changing threat.
We have also taken significant steps to reduce the unnecessary exposure of PII, which in many cases we as a society have done for so long that we just think of it as the normal course of business. For example, we have waged a very aggressive and successful campaign within the Navy’s infrastructure to reduce and where possible eliminate the use of the Social Security number (SSN) in our routine business activities. We have learned from experience that the unauthorized disclosure of an individual’s SSN is responsible for 80 percent of all “high risk” PII breaches (breaches that could cause harm to the affected individual), so removing it where it is not needed and raising awareness about the need to protect SSNs has been a key aspect of our program.
Q: Are there any new privacy initiatives that you are working on for the department?
A: We are actively exploring the use of Data Loss Protection (DLP) across the DON enterprise. Our goal is to provide our workforce with a simple tool that will alert them to potential inadvertent disclosures of PII before rather than after the fact. It will have the two-fold effect of protection and awareness.
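The kind of pre-send check described above, as an added example that is not part of the original interview and not the DON's tool or any vendor product: a minimal pattern-based DLP scanner for outbound text that flags SSN-like values, applies the Social Security Administration's structural rules to discard numbers that are never issued, raises confidence when SSN-related keywords appear nearby, and can mask the hit before the message leaves. The messages in the comments and tests are constructed for this example; the function names and the "block on high confidence, warn otherwise" policy are assumptions.

```python
"""Minimal SSN-focused DLP check for outbound text (illustrative, added here;
not the DON's tool).  Assumes the check runs in the mail client before send,
and that the SSN is the highest-risk PII element, as the interview states.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate SSN: 3 digits, optional separator, 2 digits, the SAME separator, 4 digits.
# The backreference rejects mixed separators such as "219-09 9999"; the look-arounds
# keep the pattern from matching inside longer digit runs (account numbers, phone numbers).
_SSN_RE = re.compile(r"(?<![\w-])(\d{3})([-\s]?)(\d{2})\2(\d{4})(?![\w-])")

# Keywords that raise confidence that nearby digits are an SSN rather than an order number.
_CONTEXT = re.compile(r"\b(ssn|social security|soc sec|tax id)\b", re.IGNORECASE)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class Finding:
    start: int
    end: int
    masked: str       # e.g. "***-**-6789", safe to show the user in an alert
    confidence: str   # "high" when SSN keywords appear nearby, otherwise "medium"


def scan(text: str, window: int = 40) -> list[Finding]:
    """Return every plausible SSN in `text`, with a confidence derived from surrounding words."""
    findings: list[Finding] = []
    for m in _SSN_RE.finditer(text):
        area, group, serial = m.group(1), m.group(3), m.group(4)
        if not is_plausible_ssn(area, group, serial):
            continue  # structurally impossible SSN: treat as a false positive
        nearby = text[max(0, m.start() - window): m.end() + window]
        confidence = "high" if _CONTEXT.search(nearby) else "medium"
        findings.append(Finding(m.start(), m.end(), f"***-**-{serial}", confidence))
    return findings


def redact(text: str) -> str:
    """Replace each plausible SSN with its masked form, leaving the rest of the text intact."""
    parts, last = [], 0
    for f in scan(text):
        parts.append(text[last:f.start])
        parts.append(f.masked)
        last = f.end
    parts.append(text[last:])
    return "".join(parts)


def should_block(text: str) -> bool:
    """Assumed policy: block the send on any high-confidence hit; medium hits only warn."""
    return any(f.confidence == "high" for f in scan(text))


if __name__ == "__main__":
    # Constructed sample: a roster update that leaks an SSN.
    msg = "Please update the roster. My SSN is 219-09-9999, thanks."
    for f in scan(msg):
        print(f"{f.confidence}: {f.masked} at {f.start}-{f.end}")
    print("blocked" if should_block(msg) else "allowed", "->", redact(msg))
```

Two design points worth noting. The structural filter (`is_plausible_ssn`) is what keeps a check like this usable: without it, every nine-digit order or tracking number with the right shape becomes an alert and users learn to click through. The backreference on the separator is a deliberate trade: it cuts false positives but means a determined insider can evade it with mixed separators, which is why pattern matching of this sort suits the "inadvertent disclosure" case the interview describes rather than malicious exfiltration.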
Q: What are the steps involved in reporting a privacy breach?
A: The first and most important step is to recognize a breach, which we cover in the DON annual privacy awareness training. Briefly, a breach is any time there is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or unauthorized access of personally identifiable information (PII) where persons other than authorized users and for an other than authorized purpose have access or potential access to PII.
Second, notify your supervisor or command Privacy Officer as soon as you possibly can. This is critical in limiting any potential harm to individuals or the Navy, because the sooner the chain of command can act on a breach or potential breach, the sooner the cause of the breach can be rectified and the sooner steps can be taken to minimize the threat of identity theft or fraud that could stem from a breach. In the case of a breach, we want people to err on the side of caution and report, even if they are not sure a breach has occurred. The breach reporting process will determine if a breach has occurred or not.
Q: Does the Naval Criminal Investigative Service or other law enforcement agencies get involved when there is a reported breach?
A: NCIS gets involved when there is a likelihood of criminal intent (e.g., theft, fraud, hacking) associated with a PII breach. Very few DON breaches are in this category; the vast majority of breach reports we receive are caused by human error or a failure to follow policy.
Q: Data breaches and identity theft have become so common; victims often wonder if perpetrators are held accountable. Have there been any cases where they receive punishment or a fine for offenses in the department?
A: Yes, there are cases where perpetrators receive punishment for mishandling PII. However, while 80 percent of DON breaches are caused by human error or the failure to follow policy, few are malicious and often only require the completion of refresher training. When a PII breach is the result of human error or a failure to follow policy, commanders and commanding officers have discretion to take disciplinary action. The DON Privacy Office published a matrix identifying disciplinary actions/consequences that can be taken against contractors, military personnel and government civilians when/if directed by the commanding officer.
When criminal acts occur, federal and state laws provide wide latitude of consequences, including fines and prison time depending on the severity of the offense(s) and the harm done to affected individuals. In a federal case a few years ago, the perpetrator of a PII breach was awarded seven years' confinement for attempting to sell hundreds of names with sensitive PII associated with Marine Corps Reservists.
Q: I have read all the articles in your CHIPS “Hold Your Breaches!” column series and it seems that the No.1 culprits in privacy breaches are carelessness, neglect and lack of common sense in handling PII with personnel losing laptops, discs and thumb drives or leaving PII unattended. Have you seen an improvement in the handling of PII since the DON began educating the workforce in how to protect privacy data? Is there more that can be done?
A: In the 10 years or so that I have been a part of the DON Privacy Office, areas we have seen improvement in PII handling include:
- Hardening laptops containing PII with Data at Rest (DAR) encryption;
- Eliminating the use of thumb drives, which almost always bypassed our network security features;
- Doing away with sending PII via fax, with limited exceptions, because of the inherent insecurity of the fax process;
- Removing SSNs from websites, official forms, rosters, official letters and electronic collections, which is how we used to do business before we realized that it added no value to our information sharing; and
- Implementing a hard drive destruction program that significantly reduced our exposure of PII from discarded computers and storage devices. No incidents of this nature have been reported since our policy to physically destroy all drives was implemented in 2009.
Q: Phishing schemes are becoming increasingly sophisticated. Do you think personnel should be held accountable for cybersecurity breaches on naval networks?
A: I agree; phishing schemes are becoming much more sophisticated. Phishing is also pervasive and harmful to DON computers, networks and to email recipients whose identities may be stolen. A significant number of cyber hacking attacks start with a phishing email. To help thwart phishing attacks, I recommend taking the following actions.
- Increase awareness. DON employees must know how to recognize a phishing email and then take appropriate actions that remove the potential harm from the network. This includes filing a report to the system administrator or security officer in accordance with network procedures. It is worth noting that 95 percent of phishing emails pretend to be sent from Amazon, eBay or well-known banks.
- Implement strong network filters such as spam and phishing filters which stop 63 percent of phishing emails before they reach an individual’s inbox. The Marine Corps has been successful in its pilot use of the Counter-phishing User Training and Inoculation Program (CUTIP), a training tool that simulates a phishing attack in an operational environment for the purpose of increasing awareness without injecting risk into operational networks.
Q: Many cybersecurity experts warn that breaches are inevitable because the United States is such a cyber-centric society. Do you think breaches are unavoidable? What do you recommend that personnel do to secure their privacy information on social media sites and mobile devices?
A: As military or civilian government employees, we are probably more likely to be sought out by criminal elements as targets on social media, so it is important that we understand how to set privacy controls on our social media sites. Social media sites are a significant source of PII and if unprotected can provide valuable information to identity thieves. Properly setting privacy controls on individual social media accounts minimizes the risk of PII disclosures as well as being a good component of OPSEC (operational security).
The “DoD Social Media Guide” lists steps you can take to minimize your PII exposure. The Guide can be found at: http://www.doncio.navy.mil/ContentView.aspx?id=5950. Mobile devices are another potential gold mine for the bad guys. The best protective actions that you can take to secure mobile devices are to auto-lock cell phones when not in use, not lend them to others, and protect them as you do your wallet.
Q: A recent article from the Verge reported that a Pew Research Center study from 2014 found that 91 percent of U.S. adults believe they have lost control of their personal data to companies, and in recent U.S. polls, cybersecurity is named as one of the public’s top concerns. What are an individual’s privacy rights where consumers must provide privacy data to conduct business transactions and the safeguarding of their PII is out of their control?
A: While this is not my area of expertise, I am aware of Executive Office and legislative branch interest in providing better privacy protections for the consumer. The Consumer Privacy Bill of Rights is a voluntary act that is considered a "comprehensive blueprint" for future legislation. The Bill gives consumers guidance on what they should expect from those who handle their PII, and sets expectations for companies that use personal data. It addresses issues associated with data access and accuracy, security, transparency and accountability.
State laws also provide a level of data security and control for consumers that companies must adhere to. Recent high impact PII breach incidents have also increased the focus and kept pressure on the need for stronger laws that protect the consumer.
Q: Is there anything consumers can do to minimize the exposure of their privacy data in these cases?
A: Controlling the loss of PII begins at home: on our social media sites, with our online financial dealings, and in our digital communications. We can take steps to secure the data we control. This may sound draconian but I personally remove all PII from the U.S. mail I receive at my home — including my name and address. As a privacy professional, I am most concerned with data mining that results in profiling consumer buying patterns, identifying product preferences and specific service needs.
Information about you can be and is obtained from product warranty cards, point of sale records, bonus cards for purchases, credit card transactions, targeted surveys, smartphone apps, and search engine queries. Individuals can limit their exposure to data mining by limiting the information they provide to businesses.
Other tips to minimize the exposure of PII include:
- Routinely monitor your financial accounts;
- When possible, avoid allowing your credit card to leave your sight, for example, when you are paying the bill at a restaurant;
- Use strong passwords and routinely change them;
- Ensure personal computer security software is current;
- Place a fraud alert on your credit file to let creditors know to contact you before opening a new account;
- File your state and federal tax returns early; and
- Take advantage of credit monitoring services that are offered by businesses or government entities as a result of a PII breach. Historically, 80 percent of affected individuals choose not to opt-in for these services when they are offered.