Department of Navy Chief Information Officer - News: Web Site Postings of PII

Audit Readiness of IT Systems (0)	DIACAP (12)	Information Sharing (48)	Open Source (3)
Awards (35)	DON Enterprise Architecture (49)	IT Asset Management (20)	Performance Measurement (2)
Business Case Analysis (11)	Enterprise Licensing Agreements (12)	IT Efficiencies (119)	Personal Electronic Device (17)
CIO Authorities (56)	Enterprise Services (35)	IT Expenditure Approval Authority (12)	Printing and Imaging (Copiers/MFDs) (17)
Civil Liberties (21)	Enterprise Software Initiative (32)	IT Governance (48)	Privacy (257)
Clinger-Cohen Act Compliance (25)	FISMA (11)	IT Infrastructure (17)	Public Key Infrastructure (19)
Cloud Computing (21)	Forms/Reports (14)	IT Investment Management (77)	Records Management (38)
Common Access Card (9)	Freedom of Information Act (27)	IT Portfolio Management (1)	Section 508 (10)
Cybersecurity (240)	Functional Area Manager (9)	Knowledge Management (34)	Social Media (31)
Cyberspace/IT Workforce (34)	GIG Standards (20)	Naval Enterprise Networks (38)	Spectrum (56)
DADMS/DITPR-DON (42)	Green IT (10)	Naval Networking Environment (12)	Statutory & Regulatory Compliance (11)
Data at Rest (10)	Identity Management (112)	NGEN (18)	Telecommunications (62)
Data Center Consolidation (37)	IM/IT Strategy (44)	NMCI (27)	Wireless (65)
Data Strategy (12)	Information Assurance (63)

Web Site Postings of PII

By Steve Muck - Published, February 8, 2008

The following is a synopsis of a recently reported loss or breach of personally identifiable information (PII) that highlights common mishandling mistakes made by individuals within the Department of the Navy. Names have been changed, but details are factual and based on reports sent to the DON Privacy Office.

On Oct. 17, 2007, a recall roster was discovered posted to a virtual workspace portal on the Navy Marine Corps Intranet. The roster contained the names, home addresses, home phone numbers and cell phone numbers of command and contractor personnel. The portal was accessible to NMCI users only, but no other access restrictions were in place. The roster was immediately removed from the portal and the affected individuals were notified.

Lessons Learned

IT system owners and web site managers must implement strict business rules that allow access to PII posted to a web site or virtual workspace only to those with a "need to know." Commands should periodically spot check their web sites for unrestricted PII. Spot checks are now required twice yearly as required in ALNAV 070/07, DTG 042232Z of Oct. 4, 2007: Department of the Navy Personally Identifiable Information Annual Training Policy.

A sample spot check form can be found on the DON Privacy Office web site at http://privacy.navy.mil, along with other tools and information for protecting privacy.

Steve Muck is the DON CIO privacy team lead.

TAGS: Cybersecurity, Privacy

Processing of Electronic Storage Media for Disposal

DON Public Affairs Policy and Regulations

Safeguarding Personally Identifiable Information

DON Privacy Impact Assessment Guidance

DON CIO Information

Online Services & Community

RSS Feeds

DON CIO FOIA

DON CIO Mobile Website

Website Accessibility

External Links Disclaimer

SECNAV DON CIO • 1000 Navy Pentagon
Washington, DC 20350-1000

This is an official U.S. Navy website (DoD Resource Locator 45376) sponsored by the Department of the Navy Chief Information Officer (DON CIO). The purpose of this website is to facilitate effective information flow about information management/information technology and cybersecurity issues and initiatives occuring within the Department of the Navy.

Please read our Privacy Policy notice.
Please read our Section 508/Accessibility Statement.

Trending

Web Site Postings of PII

By Steve Muck - Published, February 8, 2008

TAGS: Cybersecurity, Privacy

DON CIO Information

Online Services & Community