Reduce PII in Electronic and Paper Files

By Steve Muck - Published, August 6, 2008

The following is a synopsis of a recently reported loss or breach of personally identifiable information (PII) that highlights common mishandling mistakes made by individuals within the Department of the Navy. Names have been changed, but details are factual and based on reports sent to the DON Privacy Office.

On March 19, 2008, a group of private citizens discovered six boxes of paperwork at a remote, off-base location near a rifle range. The boxes contained personnel files affecting approximately 250 active duty personnel, including training records, general correspondence and W-2 tax forms.

The contents, which were found among what appeared to be trash, were partially burned, soiled and water damaged. The remoteness of the location and the way in which the boxes were found reduce the likelihood that PII data were used to steal identities of Department of the Navy personnel. However, because there was a loss of control over documents containing sensitive and high-risk PII data, all affected personnel were notified.

Lessons Learned

  • W-2s can and should, whenever possible, be accessed electronically rather than stored in hard copy form.
  • Wherever possible, delete Social Security numbers and sensitive personal information from any list, database or e-mail before transmission or storage. SSNs are a critical element for the bad guys to use in stealing personal identities.
  • Routinely review files and destroy PII by making it unrecognizable when it is no longer needed. This is especially important in areas that handle a large volume of PII like personnel offices.

Safeguard and label privacy sensitive information!

Steve Muck is the DON CIO privacy team lead.
