Trending

BROWSE ALL TOPICS

Contractor Improperly Handles PII

By Steve Muck - Published, June 21, 2011

The following is a recently reported personally identifiable information data breach involving a Department of the Navy support contractor who improperly handled PII. Incidents such as this are recounted to increase PII awareness. Names have been changed or omitted but details are factual and based on reports sent to the DON Chief Information Officer Privacy Office.

The Incident

A contractor working on a contractor-owned and operated information technology system sent an email to 10 recipients, including four government personnel and six contractors, with an attached list of unique Social Security numbers from the IT system to be used for testing and further processing. The list did not contain data elements that could uniquely link the SSNs to individuals. The recipients did not have a "need to know" and the sender had never completed the annual PII training course. The email was not digitally signed and did not carry the "For Official Use Only (FOUO)" privacy warning. The IT system was registered in the Department of Defense IT Portfolio Repository-Department of the Navy (DITPR-DON), had an approved privacy impact assessment (PIA), and accurately reflected that it collected PII.

Actions Taken

Approximately two hours after the email was sent, a DON recipient sent an email asking the nine other recipients to delete the email immediately, purge file copies, and reply with an email confirmation. The DON CIO Privacy Office was contacted a short time after the action was taken.

The DON CIO Privacy Office advised that an SSN by itself may or may not constitute a high risk breach when context becomes the determining factor. In this case, the SSNs were contained in a Microsoft Excel file, there was one SSN without the dashes per data cell, and there was no other information contained within the file. Therefore, the SSNs could not be linked to an individual. Accordingly, the DON CIO determined that notifications to the personnel whose SSNs were emailed were not required.

While this breach was considered low risk to affected personnel, it could easily have been determined to be high risk if there had been a linkage between the SSN and a person's name.

Lessons Learned

  • DON support contractors who handle PII must receive annual PII training.
  • DON support contractors must comply with all privacy protections under the Privacy Act when handling PII.
  • Contractor-owned or maintained IT systems under contract to the DON must be registered in the DITPR-DON.
  • There are many IT systems that are contractor owned or operated, and contracts between the commercial vendor and the DON must contain two specific contract clauses from Federal Acquisition Regulation (FAR) 52.224-2 as noted on the next page.
Additional Lessons Learned
  • Real/live PII data should never be used to test or evaluate a new or altered IT system.
  • PII should only be disclosed to those who have a need to know in the performance of their official duties.
  • Managers and supervisors must review PII processes and procedures to ensure they are complying with DON privacy policy. They must ensure that a PII compliance spot check is completed twice yearly as required by DON policy.
  • All electronic or paper copy documents and attachments containing PII must be marked with the following: FOR OFFICIAL USE ONLY – PRIVACY SENSITIVE: Any misuse or unauthorized disclosure of this information may result in both criminal and civil penalties. Refer to Secretary of the Navy (SECNAV) Instruction 5211.5E.
  • Emails containing PII must be digitally signed.
  • Twenty-five or more PII records stored on any laptop, mobile computing device or removable storage media must be encrypted using WinZip or another authorized DON enterprise solution. Refer to DON CIO message DTG 171952Z APR 07: "Safeguarding Personally Identifiable Information."
  • PII collected and/or disseminated in separate data calls may not be PII, but when combined with other data elements becomes PII, such as using SSNs in one data call and names in a separate data call. Put together, data calls containing privacy data may result in a PII breach.

    Steve Muck is the DON CIO privacy team lead.

    TAGS: Privacy

Related Policy
Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response
Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems
DON Revision of PII Breach Reporting Forms
Use of Best Judgment for Individual PII Breach Notification Determinations
DoD Component Responsibility to Ensure Government Contract Compliance with the Privacy Act
Related News
DON IM/IT Excellence Awards Nominations Due Dec. 5
How to Obtain Military Personnel, Health, and Award Records
Privacy Tips
Register for DON IT East and West 2017
PII Breach Articles from CHIPS Magazine
Related Resources
Privacy Briefs
Contractor Privacy Responsibilities
Quickstep Process for Marking Emails Containing PII
Blanket Purchase Agreements for Identity Monitoring
Email and PII

DON CIO Information

Online Services & Community