The following is a recently reported personally identifiable information (PII) data breach involving the loss of media containing PII. Incidents such as this will be reported in each CHIPS magazine to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer (DON CIO) Privacy Office.
The Incident
In March 2010, a test lab received a package from a Navy activity that contained a hard copy annual report of data and possibly an unencrypted disk. Both items contained the same PII which included full Social Security numbers, dates of birth and names. A few weeks later, the test lab notified the Navy activity that the disk was not with the hard copy report and requested that the Navy activity resubmit the disk. A thorough physical and electronic search was conducted. The disk was not found, and there was no indication that any electronic information from the disk was uploaded into the system database. Almost two months after the discovery of the missing disk, the test lab declared that there was a potential loss of PII.
Key Points to Consider:
• Compact disks (CDs) and other portable storage devices carry inherent risks of data compromise, due to their size and portability, if proper safeguards are not followed.
• CDs are ubiquitous in the workplace, store significant amounts of data and are easily lost or misplaced.
• Activities that routinely download, handle and mail CDs must be especially diligent in applying controls and safeguards.
• A breach occurs when PII is known or suspected to be lost, stolen or compromised. The activity making this discovery has one hour to make an official initial breach report.
• All removable storage media containing PII must be encrypted with a data at rest (DAR) encryption solution.
Lessons Learned:
The following best practices should be considered whenever downloading information to portable storage devices.
• Ensure all portable storage devices that are used to store PII are properly labeled with: "FOUO, This device contains privacy sensitive data. Any misuse of the information may result in civil or criminal penalty."
• Avoid the need to provide duplicate sources of the same information. Making two copies for the sake of convenience should be eliminated.
•Encrypt all removable storage media if they contain PII in accordance with the departments of Defense and Navy policy. If an approved DAR solution is not available, use WinZip.
•Err on the side of caution when you suspect that PII may have been lost and report the PII breach to the proper offices within one hour.
•Destroy all CDs, other storage media and files containing PII when the data is no longer needed in accordance with the DON Records Management Manual (Secretary of the Navy M-5210.1).
•Establish written procedures and training to improve handling of PII on portable storage devices.
•Routinely delete unnecessary PII from all storage files in accordance with the DON Records Management Manual.
•Ensure packages containing PII in any form are sent via a service that tracks shipping and delivery. Follow up within 48 hours if a package exceeds its scheduled delivery date.
Additional privacy information can be found on the DON CIO website at www.doncio.navy.mil.
Steve Muck is the DON CIO privacy team lead.