One of the most important functions the Department of the Navy can perform on behalf of its Sailors, Marines, civilians and their family members, is to protect their personally identifiable information (PII). The Social Security number (SSN) is one of the most common elements of PII, and its loss, theft and compromise can result in identity theft, financial difficulties and loss of privacy. In 2011 alone, identity fraud increased by 13 percent in the United States, affecting more than 11.6 million people according to the 2012 Identity Fraud Industry Report, released by Javelin Strategy & Research.
The Department of the Navy has taken significant steps to ensure the security of its most valuable asset — our people. The most notable of these steps came in the form of the Under Secretary of the Navy’s memo “Safeguarding Personally Identifiable Information” (February 2010) (www.doncio.navy.mil/ContentView.aspx?id=1583), which emphasized the importance of personal privacy and the safe management of the DON’s PII, including the SSN.
This is what has been done so far to limit the risk of identity theft from SSN use:
- In 2011, the department completed Phase One of the DON SSN Reduction Plan (www.doncio.navy.mil/ContentView.aspx?id=2089), as outlined in the memo, which requires the DON to justify the continued use and collection of SSNs on all official Navy and Marine Corps forms.
- In Phase Two, program managers and system owners identified information technology systems that could eliminate the collection of SSNs by substituting the Department of Defense (DoD) identification number — the Electronic Data Interchange Personal Identifier (EDIPI).
- Phase Three authorizes the use and substitution of the DoD ID number and provides strict guidelines for its use.
Yet, more remains to be done, particularly regarding Phase Three, which requires the DON to take three significant actions:
- Commands must follow strict guidelines for the use of the EDIPI. All DON business processes must meet specific criteria outlined by the DON for continued SSN use, elimination of the use of SSNs, or transition to the DoD ID number as a substitute for SSNs.
- All letters, memoranda, spreadsheets, hard copy and electronic lists must meet specific criteria if they collect SSNs.
- When changes to a process result in the elimination of the use of SSNs, DON directives and instructions shall be updated to reflect those changes.
Another significant aspect of Phase Three affects the use of fax technology to transmit PII/protected health information (PHI). The current policy states that, effective immediately, the use of fax machines to send information containing SSNs and other PII by DON personnel is prohibited, except under the following circumstances:
- When another, more secure, means of transmitting PII is not practical;
- When a process outside of DON control requires faxing to activities such as the Defense Finance and Accounting Service, Tricare, Defense Manpower Data Center, etc.;
- In cases where operational necessity requires expeditious handling; or
- When faxing PII related to internal government operations only, such as office phone number, rank or job title.
However, external customers such as service veterans, Air Force and Army personnel, family members and retirees may continue to fax documents containing SSNs to DON activities but are strongly encouraged to use alternative means, such as the U.S. Postal Service to mail documents and scanning documents. Scanned documents must then be transmitted using a secure means such as encrypted emails or the safe access file exchange (SAFE). Details regarding the use of SAFE can be found at www.doncio.navy.mil/ContentView.aspx?id=4098.
Processes that require less modern transmissions techniques, such as faxing, have inherent risks and should be reviewed to minimize their use. The same review should apply to the associated products of these processes, such as paper copies. If the department can minimize the need to fax, we can reduce or eliminate the need for storage of paper copies, the cost of paper, equipment and supplies and the likelihood of PII/PHI being lost or stolen.
Federal privacy laws require agencies to establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records to protect against any
anticipated threats or hazards to their security or integrity. As a department, and within the larger DoD, we need to ensure that our processes and policies provide the most appropriate level of security for this vital information. By using the most current technology, such as encrypted emails, we can increase our security while reducing the risk of loss of PII/PHI.
As Under Secretary of the Navy Robert Work stated in his 2010 memo, “Our Sailors, Marines, and civilians, along with their dependents, expect us to keep their PII safe, and it is our charge to ensure that all systems and processes we employ adequately safeguard this information. We cannot tolerate the continued loss of this data as it directly impacts the morale, security, and financial well-being of our personnel.”
For more information visit the DON CIO’s privacy tips located on the DON CIO website at www.doncio.navy.mil/ContentView.aspx?id=906 and the Defense Privacy and Civil Liberties Office website at http://dpclo.defense.gov.
To contact a privacy subject matter expert, please submit a request via the Ask An Expert section of the DON CIO website. Be sure to select the privacy topic area.