The following is a recently reported breach of personally identifiable information (PII) involving the posting of PII on a personal website by a well-intentioned service member. Incidents such as this will be reported in each edition of CHIPS to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy Office.
The Incident
A service member, in an effort to provide a useful resource to other Sailors, created a personal website containing various Navy instructions, guides, and other information. In addition, a spreadsheet with more than 2,000 full Social Security numbers (SSNs), test scores, and education information was posted.
Actions Taken
Once discovered, the website was immediately taken down. A breach report was submitted for the potential compromise of personal information because of the high risk that disclosure of names and associated SSNs presents. Written notifications were sent to the individuals affected.
Lessons Learned
The following apply to the posting of PII and other official information to websites:
- Official information, including PII, should be posted only to DON-approved websites. Officially approved sites have gone through a certification and accreditation process that includes security and privacy safeguards.
- When PII is posted to a DON-approved website, access must be restricted to only those with an official need to know, and the information must be marked with the "FOUO - Privacy Sensitive" statement.
- Duplicating lists of PII for convenience is not a valid reason to collect it.
- The collection of PII must be authorized and serve an official purpose.
Breach notifications not only cost scarce resources (e.g., time and money) but also have the potential to negatively affect morale and trust in an organization.
More DON Privacy Resources can be found at www.doncio.navy.mil/privacy.
Steve Muck is the privacy lead for the Department of the Navy Chief Information Officer.
Steve Daughety provides support to the Department of the Navy Chief Information Officer Privacy Team.