Trending

BROWSE ALL TOPICS

Improper Disposal of HR Documents

By Steve Muck - Published, August 19, 2009

The following is a recently reported compromise of personally identifiable information (PII) involving the improper disposal of human resources documents. Names have been changed or removed, but details are factual and based on reports sent to the DON CIO Privacy Office.

The Incident

Some time between late February 2009 and mid-March 2009, three boxes were discovered in a recently vacated office. The office had been completely stripped of all furniture, supplies and equipment in preparation for another office code to move in. The empty office was unlocked and probably remained so until the movers arrived with the new office equipment. The boxes contained more than 240 employee records, with Social Security numbers, home addresses and other personal information dating back to the early 1980s. All personnel in the building were questioned, but no one claimed to have any knowledge of how the boxes appeared in the empty office.

This incident is a privacy official's worst nightmare: Old records containing high-risk PII in an unlocked office that no one could account for. Like most PII breaches, this one could have easily been prevented.

Lessons Learned

  • Office moves are common and present unique challenges when moving paper and electronic records. The command privacy official should ensure that all personnel involved in an office move take extra precautions when packing, shipping and relocating records that contain PII.
  • Develop a moving plan and ensure PII safeguard considerations are factored in.
  • Human resources, law enforcement, medical, administrative, legal and financial offices are especially vulnerable to this type of PII compromise/loss due to the personal records that these offices maintain.
  • All vacated offices should be locked.
  • Remember that PII has a very long shelf life and can be used fraudulently even after a person is deceased. Commands should develop and implement a document destruction policy following guidelines issued in the DON Records Management Manual (SECNAV M-5210.1).
  • Most documents can be destroyed after five years.
THE FEDERAL TRADE COMMISSION ESTIMATES THAT AS MANY AS 9 MILLION AMERICANS HAVE THEIR IDENTITIES STOLEN EACH YEAR.

Steve Muck is the DON CIO privacy team lead.

TAGS: IDManagement, Privacy

Related Policy
Processing of Electronic Storage Media for Disposal
Reduction of SSN Use Within DoD
Updated Plan to Remove Social Security Numbers from DoD Identification Cards
DON Social Security Number Reduction Plan for Forms Phase One
Safeguarding Personally Identifiable Information (PII)
Related News
PII Breach Articles from CHIPS Magazine
Steps For Military Personnel to Take to Defend Against ID Theft
Privacy Tips
Rules for Handling PII by DON Contractor Support Personnel
SSNs to be Removed from Government ID Cards
Related CHIPS Magazine
Factsheet: National Background Investigations Bureau
Privacy Awareness Tips
Safeguarding Your Common Access Cards and Military Identification Cards
Strengthening Privacy Awareness and Protection
Your mobile phone account could be hijacked by an identity thief
Related Resources
Personally Identifiable Information Posters
2014 PII Brief
Privacy Act System of Records Notices
Inventory of DON Systems With Completed Privacy Impact Assessments
2012 Social Security Number Reduction Brief

DON CIO Information

Online Services & Community