I want to update you on what the Department of the Navy is doing to protect sensitive personal data from compromise. As you know, personal data loss, which can lead to identity theft, is not always due to outsider threats. It can be the result of an insider’s malicious actions or simply an insider’s lack of proper handling of what we call “personally identifiable information” or PII. The Department has a track record of taking the protection of personal data seriously, and we are continuing to build on our privacy protection measures in policy, processes and practices.
In October 2009, the Under Secretary of the Navy appointed the Department of the Navy Chief Information Officer (DON CIO) as the Senior Military Component Official for Privacy for the DON, responsible for overseeing the Department's implementation of the Privacy Act of 1974. This responsibility includes reviewing DON privacy policies and procedures to ensure they are comprehensive and effective, and coordinating actions across the Department on all Privacy Act and Privacy policy issues to maintain a sustainable and compliant program.
The DON Privacy Team has been active in developing mitigations for major causes of unauthorized exposure of PII. These include hardening laptops containing PII with Data at Rest (DAR) encryption; eliminating the use of thumb drives, which frequently bypassed network security; greatly limiting the situations in which PII is sent via fax; and implementing a hard drive destruction program that significantly reduced exposure of PII from discarded computers and storage devices.
Another important effort was the plan that removed Social Security numbers (SSN) from DON websites, official forms, rosters, official letters and electronic collections. Though it is an ongoing implementation process, this effort has been successful in eliminating the collection and use of the SSN, substituting the DoD ID number for the SSN on forms and in IT systems.
We have seen improvements; however, the unauthorized disclosure of SSNs are responsible for approximately 80 percent of all “high risk” PII breaches that could cause harm to the affected individual. Because most DON breaches are caused by simple human error or failure to follow policy, we have increased significantly our training and awareness efforts. This includes updating and refining the annual privacy training course. This required training can now be accessed anywhere, anytime, via the PII awareness app available for download to your personal smartphone or tablet at http://www.netc.navy.mil/Apps/. Other outreach efforts have included starting a regular Privacy Tips series on the Master Chief Petty Officer of the Navy’s Facebook page, in addition to the Privacy Tips we post on the DON CIO and CHIPS magazine websites.
The DON CIO website offers a wealth of information on policy, FAQs, PII breach reporting, and DoD and Federal resources, including information needed to be protective, preventative, and proactive against cyber-attacks on government social media sites.
When the Privacy Act of 1974 first came into being the primary concern was with potential abuses presented by the government’s increasing use of computers to store and retrieve personal data using an individual’s SSN. The issues surrounding an individual’s right to privacy have expanded beyond protection from the government collecting personal data to an era in which identity theft from malicious actors is almost commonplace. This broader battlefield, so to speak, has made privacy and protecting our workforce from PII compromise a top priority of the DON.
The theme of the current issue of CHIPS magazine is privacy. I encourage you to read and take advantage of the wealth of information provided in the current issue of CHIPS and on the comprehensive repository of privacy related information and resources on the DON CIO website. We should all take the time to learn the rules and use the resources in place that will help protect our own and our colleagues’ personal information from compromise.