A Landfill is No Place for PII
By Steve Muck - Published, August 15, 2012
The following is a recently reported personally identifiable information (PII) data breach. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy Office.
A command Physical Readiness Test (PRT) office was in the process of moving to a new location. Office personnel boxed approximately 30 PRT records and associated documents and left them on the floor in a locked office. During the night, a cleaning crew inadvertently threw away the files. The files, spanning a more than two-year period, contained personally identifiable information including full names and Social Security numbers. Documentation also included letters of correction for personnel who failed the Physical Readiness Test. However, the specific names of the affected personnel are unknown.
The privacy officer was notified of the PII loss the following business day. At that time, command leadership was notified and an investigation commenced with the submission of an initial PII breach report via the chain of command. Command representatives also searched through trash at the landfill where base refuse is taken for disposal, but were unable to locate the missing records.
Lessons Learned:
A physical move of office equipment and records should be carefully planned. A move plan or checklist should delineate the steps required to securely transport and maintain accountability of documents and electronic files containing PII. This command learned the hard way about improper preparation.
Boxes containing PII should be properly labeled and, when possible, kept off the floor and away from trash receptacles.
It is the government's responsibility to secure PII so that personnel who do not have a need to know do not have access to personally identifiable information.