CHIPS Articles: Combating Identity Theft

To comply with Department of Defense (DoD) and Department of the Navy (DON) policies, Camp Pendleton began the revitalization of its privacy program in 2008. Using such references as Directive-Type Memorandum 07-15-USD (P&R), DoD Social Security Number (SSN) Reduction Plan; DoD Directive 5400.11, DoD Privacy Program; Combating Identify Theft: A Strategic Plan from the President’s Identity Theft Task Force; and other guidance issued by the DON and Headquarters Marine Corps, Camp Pendleton began its efforts to reduce the usage of Social Security numbers for identification by consolidating reference materials, analyzing current procedures and identifying key stakeholders.

The consolidation and validation process was not an easy task during the 2008 and early 2009 time period. Some of the contributing factors making the process difficult were: changing requirements, lack of a primary reference, compliance ownership, and personnel availability and/or opportunities for training and idea sharing which were further constrained by budget limitations. Additionally, the use of the Social Security number for identification was and still is ubiquitous. Too many of our processes, many that are beyond Marine Corps control, rely on the use of the SSN. But by 2009, dramatic, positive change began in Camp Pendleton’s privacy program.

The tipping point was the issuance of the Marine Corps Enterprise Information Assurance Directive (EIAD) 011, Personally Identifiable Information (PII), of April 9, 2009. This document consolidated various directives into a single source reference and detailed requirements. EIAD 011 outlined cross-functional (Privacy Act and information technology) action items and melded together requirements from previously bifurcated functions.

Implementation of EIAD 011 laid the foundation of a manageable Privacy Act Program that includes the requirements of both electronic and manual systems of records. Action taken for Phase One of the DON’s SSN Reduction Plan was an easy fit into the oversight structure developed as a result of EIAD 011. A good fit for action officers, compliance for Phase One was substantial. The following actions were completed as a result of Phase One. • All locally generated forms for Camp Pendleton were thoroughly reviewed.
• SSN use was validated, eliminated when possible, or justified for continued use.
• Privacy Act statements and systems of record numbers were assigned to each form where required.
• Purchased and distributed the DON PII training class on compact disc and distributed CDs to all special staff sections for internal training.
• Local form numbers and local stock numbers were assigned to each form.
• Forms not submitted for review and approval were no longer authorized.
• Electronic versions of all forms were entered into the Marine Corps forms processes link.
• Of 200 local forms, only 17 required the continued use of the SSN. This number will be further reduced when a substitute unique identifier is authorized for DON use.
• A PII training class based on the required annual PII training syllabus was developed. This class is given quarterly at the base theater and is open to anyone on the base who does not have access to online training.
• Developed and instituted self-inspections for PII compliance.
• Field assist visits are offered and occur on a regular basis. Best practices are discussed and shared.

Camp Pendleton’s privacy program significantly reduces the risk of loss or compromise of warfighters’ personal information by eliminating, masking or truncating the SSN wherever possible. Reducing exposure of this sensitive privacy element reduces the likelihood that the Marines and civilian workforce will fall victim to identity theft.

Even though Camp Pendleton has a revitalized Privacy Act Program, there is always the risk of compromise or loss. The best case scenario is to mitigate that risk to the extent possible. The following suggestions may further enhance efficiencies and mitigation.

• Mandate that Privacy Act responsibilities are a primary duty for assigned personnel. Currently, Privacy Act duties are collateral duties at the major command level.
• Require professional training prior to assignment of Privacy Act duties and semiannual refresher training thereafter. Currently, training is not required and learning occurs on the job.
• Establish one agency office with responsibility for compliance with all phases of the Privacy Act. Currently, several offices may be issuing directives that have an impact on the Privacy Act Program.
• Establish a venue for privacy professionals to meet semiannually and discuss best practices, challenges and accomplishments.

Camp Pendleton is very proud of the collaborative efforts of its team members and looks forward to the continual improvement of its privacy processes.

Jim Hoskins is the MCB Camp Pendleton adjutant.