The following is a recently reported compromise of personally identifiable information (PII) involving the transmission of an un-encrypted e-mail which contained National Security Personnel System (NSPS) performance ratings of employees within a Navy region. Incidents such as this will be reported in each subsequent CHIPS magazine to increase PII awareness. Names have been changed or removed, but details are factual and based on reports sent to the DON CIO Privacy Office.
Two non-password-protected attachments to an e-mail were sent to approximately 700 employees. The attachments were created for each NSPS pay pool and provided a bar chart of pay pool results presented as a single Microsoft PowerPoint slide.
A subordinate field activity reported that some of the employees had access to the underlying information that was used to build the slides. The initial investigation showed that, despite command efforts to prevent disclosure, it was possible to manipulate the attachments and reveal privacy sensitive data.
Data included: name; civilian grade; employee identification number, as assigned by the Defense Civilian Personnel Data System (DCPDS); salary; and fiscal year 2008 rating of record for the NSPS employees at the affected command.
No Social Security numbers or other PII was compromised.
Lessons Learned
• This incident could have been avoided if proper warnings from the NSPS Program Office about downloading NSPS data to a PowerPoint presentation had been followed.
• While performance rating information does not meet the standard definition of PII, the information in this breach is privacy sensitive and must be treated as such.
• Strict controls must be in place so that only those personnel with a need to know have access to performance rating information.
• The NSPS Program Office has been advised of the compromise of information and will work on a fix to prevent a recurrence.
• All electronic or paper copy documents containing PII must be marked with the following: FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE: Any misuse or unauthorized disclosure of this information may result in both criminal and civil penalties. Refer to: Secretary of the Navy (SECNAV) Instruction 5211.5E.
• Official e-mails containing sensitive information must be digitally signed. Refer to DON CIO message DTG 032009Z OCT 08.
• E-mails containing 25 or more PII records must be encrypted using WinZip or another authorized DON enterprise solution. Refer to DON CIO message DTG 171952Z APR 07.
• Additional privacy information can be found on the DON CIO's Web site: www.doncio.navy.mil.
Steve Muck is the DON CIO privacy team lead.