The following is a recently reported data breach involving the disclosure of personally identifiable information contained in an alpha roster sent as an attachment in an unencrypted e-mail. Names have been changed or omitted but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy Office.
Background
Identity theft affected almost 10 million Americans last year. It is more important than ever that we protect the privacy information of DON personnel. Several recent breaches of personally identifiable information (PII) have involved the mishandling of recall rosters. Examples include rosters posted in: publicly accessible areas; rosters transmitted as e-mail attachments without proper encryption and marking; inclusion of the full or truncated Social Security number (SSN) on rosters; rosters stored on a shared drive/Web portal without the appropriate access controls/permissions in place; and failure to protect hard copy rosters outside the workplace. Data elements have included various combinations of names, SSNs, dates of birth, family members' names, home addresses, telephone numbers, and security clearances. Reasons given for dissemination included: all-hands meetings, training, social functions and access requests. Note: Alpha rosters (used to identify essential personnel who must report to duty despite adverse weather conditions or other unusual conditions) and flight rosters are considered recall rosters.
The Incident
In July 2010, a DON command received notification that a breach had occurred. An individual had sent an unencrypted e-mail with an attached alpha roster to several training representatives. The alpha roster contained PII for more than 1,000 personnel. The alpha roster contained SSNs, names, date of birth, health information and other PII. While the recipients had a "need to know" some of the PII elements for the purpose of personnel recall, some of the information (i.e., SSNs and health information) should not have been disclosed. All of the training representatives were notified to delete the unencrypted e-mail immediately.
Lessons Learned
The most valuable lesson learned from this incident is that before sending an e-mail that contains PII, ask: Do the recipient(s) have a need to know? Is the information appropriately marked as "FOUO – Privacy Sensitive"? Are the means of transmission secured? Should the information be displayed in this location? Are only essential PII elements listed? In this instance, if in fact the alpha roster had been properly marked, contained only essential PII elements (SSNs should NEVER be included), and the recipients had a "need to know" all of the information, then it could have been sent within the Defense Department firewall as an attachment to an encrypted e-mail.
Other preventive actions include:
• Establish procedures for proper maintenance, storage and dissemination of recall rosters;
• Provide PII training to ensure DON personnel follow established procedures;
• Ensure that compliance spot checks include recall rosters;
• Ensure that the sole purpose of the recall roster is to recall personnel and/or notify them of building, base or office closings;
Limit PII elements to only the minimum required to recall an individual, e.g., names, addresses and telephone numbers (home, work, cell);
• Post recall rosters to intranet sites only when proper access controls/permissions are in place; and
• Include a Privacy Act Statement on every document containing PII.
View the Chief of Naval Operations (CNO) Memorandum, Recall Rosters, dated Sept. 7, 2006 for additional information.