The Department of the Navy's Information Technology Magazine Notify Me of New Issue
Email this Article Email   

CHIPS Articles: Hold Your Breaches, July-September 2009

Hold Your Breaches, July-September 2009
By Steve Muck - July-September 2009
The following is a recently reported compromise of personally identifiable information (PII) involving the improper disposal of human resources documents. Incidents such as this will be reported in each CHIPS magazine to increase PII awareness. Names have been changed or removed, but details are factual and based on reports sent to the DON CIO Privacy Office.

The Incident

Some time between late February 2009 and mid-March 2009, three boxes were discovered in a recently vacated office. The office had been completely stripped of all furniture, supplies and equipment in preparation for another office code to move in. The empty office was unlocked and probably remained so until the movers arrived with the new office equipment. The boxes contained more than 240 employee records, with Social Security numbers, home addresses and other personal information dating back to the early 1980s. All personnel in the building were questioned, but no one claimed to have any knowledge of how the boxes appeared in the empty office.

This incident is a privacy official's worst nightmare: Old records containing high-risk PII in an unlocked office that no one could account for. Like most PII breaches, this one could have easily been prevented.

Additional privacy protection information can be found on the DON CIO Web site: www.doncio.navy.mil.

Lessons Learned

• Office moves are common and present unique challenges when moving paper and electronic records. The command privacy official should ensure that all personnel involved in an office move take extra precautions when packing, shipping and relocating records that contain PII.

• Develop a moving plan and ensure PII safeguard considerations are factored in.

• Human resources, law enforcement, medical, administrative, legal and financial offices are especially vulnerable to this type of PII compromise/loss due to the personal records that these offices maintain.

• All vacated offices should be locked.

• Remember that PII has a very long shelf life and can be used fraudulently even after a person is deceased. Commands should develop and implement a document destruction policy following guidelines issued in the DON Records Management Manual (SECNAV M-5210.1) available from the DON CIO Web site, www.doncio.navy.mil, under the Policy and Guidance tab.

• Most documents can be destroyed after five years.

Steve Muck is the DON CIO privacy team lead.
TAGS: Privacy, RM
A new PII brochure is available with protective measures you can take to help you understand PII and its hazards.
A new PII brochure is available with protective measures you can take to help you understand PII and its hazards.
Related CHIPS Articles
Factsheet: National Background Investigations Bureau
BUPERS Continues to Reduce its Use of the SSN
Strengthening Privacy Awareness and Protection
SECNAV Revises & Reissues OPNAV Personally Identifiable Information (PII) Breach Reporting Forms
Mobile Apps Released for Records Management and Personally Identifiable Information
Related DON CIO News
DON IT Conference Schedule Now Available
Register for DON IT East and West 2017
Navy Mobile Apps Bring Information and Training to Your Smartphone and Tablet
DON IT Conference Presentations Available
Rules for Handling PII by DON Contractor Support Personnel
Related DON CIO Policy
DITPR-DON Process Guidance v1.0
Code of Federal Regulations (32 CFR Part 701)
Privacy Act of 1974
CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988