The following is a recently reported compromise of personally identifiable information (PII) involving the loss of documents containing names and full Social Security numbers (SSN). Incidents such as this are reported in CHIPS to increase PII awareness. Names are changed or removed, but the details are factual and based on reports sent to the Department of the Navy Chief Information Officer (DON CIO) Privacy Office.
An administrative supervisor worked in two different offices. In order to complete online forms in one office, he needed information from paper files in the other office. For all of the employees in his office, he had created a hard copy roster of names and SSNs and placed the document in his portfolio. While walking from one office to the other, he stopped at a coffee shop for a cup of coffee and to speak with a friend, and placed his portfolio on the chair next to him. After finishing his coffee, and still talking with his friend, he continued to his office, forgetting the portfolio. When he arrived at his office he realized his mistake and quickly returned to the shop, but his portfolio was no longer on the chair. He asked the staff and management, but was unsuccessful in retrieving it. So the portfolio, with the roster of names and SSNs, was never found. Even though there has been no indication of identity fraud or identity theft, this was a PII breach.
According to the Office of Management and Budget (OMB), a breach is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, and for an other than authorized purpose, have access or potential access to PII, whether in hard copy or electronic format.
Several recent PII breaches have involved the mishandling of rosters. Examples include rosters being posted in publicly accessible areas; rosters being transmitted as email attachments without proper encryption and marking; rosters including full or truncated SSNs; rosters being stored on a shared drive/web portal without the appropriate access controls/permissions in place; and failure to protect hard copy rosters outside the workplace.
Lessons Learned
• This incident could have been avoided if the supervisor had followed DON policy, which prohibits the collection of SSNs in any roster.
• Disclosure of a full SSN is potentially more harmful than disclosure of a truncated (last four digits) SSN, but both elements are considered sensitive PII.
• Per DON policy, only the minimum amount of PII should be collected to do the job. If a unique identifier is needed, the DoD ID number is usually a good substitute for the SSN.
• A best practice is to use DD Form 2929, the Privacy Act Data Cover Sheet, which is available for downloading from the DON CIO web site at http://www.doncio.navy.mil/ContentView.aspx?id=2427, when hand carrying PII to a recipient with an official need to know.
• Per DON policy, all paper copy documents containing PII must be marked with the following: FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE: Any misuse or unauthorized disclosure of this information may result in both criminal and civil penalties. Refer to: Secretary of the Navy (SECNAV) Instruction 5211.5E. Privacy marking is a good and simple practice to help safeguard PII.