During the past 18 months, the Department of the Navy (DON) has reported more than 100 incidents involving the loss of personally identifiable information (PII). These incidents affected more than 200,000 Navy and Marine Corps personnel, including retirees, civilians and their family members.
The most common causes of loss or compromise have been the loss or theft of laptop computers, thumb drives and other portable removable media; material being erroneously posted to DON Web sites; documents being misplaced or stolen; e-mails with attachments being improperly forwarded; and documents placed into recycling and trash bins before being rendered unrecognizable (i.e., beyond reconstruction).
These losses and compromises are costly and time consuming, and they interfere with the Department's mission! They also create unnecessary risk of identity theft for our warfighters and the DON workforce.
To bring awareness to this issue, CHIPS will be reporting on specific incidents of PII breaches, in hopes that it will shed light on areas where PII in your care may be compromised and enable you to correct any shortfalls in how you handle PII before a loss occurs.
The following is a synopsis of a recently reported loss of PII that highlights a common mishandling mistake made by individuals within the DON. Names have been changed but details are factual and based on reports sent to the DON Privacy Office.
Chief Smith believes his iPod was stolen Aug. 12, 2007, while he stayed at the Marriott hotel close to Dulles International Airport just outside Washington, D.C. He returned to his room in the afternoon that day and did not see his iPod near his computer where he thinks he left it.
A day later, Chief Smith e-mailed the hotel to report the stolen iPod, which contained PII, including full names, Social Security numbers, rank and unit assigned. No police report was filed.
On Aug. 20, 2007, Chief Smith reported this issue to his supervisor when he arrived at his duty station in Iraq. He stated that the iPod was password protected.
In this particular instance, the iPod was password protected, and the DON does not believe PII was compromised. However, had the iPod not been electronically locked, there could have been a high potential for identity theft and financial harm to those affected by the loss because the iPod contained PII.
Lessons learned from this example:
• Do not store PII on personal electronic devices.
• Wherever possible, delete Social Security numbers from any list, database or e-mail before transmission or storage. SSNs are a critical component of stealing a person's identity.
• Do not lose physical control of PII.
• Keep PII in controlled government spaces and, when it is removed, exercise proper security controls at all times to safeguard it.
• Immediately file a police report for any theft.
The DON CIO and the Office of the Chief of Naval Operations (DNS-36) are currently co-chairing a PII Incident Reduction Working Group to review existing policy and provide new guidance and policy as necessary. A comprehensive review of PII handling and storage is underway and new policy will be forthcoming.
In the meantime, the DON CIO issued a message in April, date time group: 171952952952Z Apr 07, subject: Safeguarding Personally Identifiable Information (PII), which establishes interim policy for PII when stored on government furnished computers, mobile computing devices and removable storage media.
Go to the DON CIO Web site at www.doncio.navy.mil and type "PII" in the search bar for a copy of the interim guidance.
Effective Oct. 1, 2007, storage of any form of PII is prohibited on personally owned laptop computers, mobile computing devices and removable storage media.
For privacy information and resources, go to the Navy Privacy Office Web site at http://privacy.navy.mil/.
Steve Muck is the DON CIO critical infrastructure protection and privacy team lead.