Consider this scenario: a major university in the Eastern United States finds that its Naval Reserve Officer Training Corps information site is hacked. Important private information pertaining to enrollees is stolen. The information is posted to a popular Web site and exposed to a huge audience. The hacker also posts how it was done and invites others to duplicate the theft at their institutions. Sound like a science fiction tale? No, it really happened not too long ago!
Many federal agencies have had the misfortune of reporting the loss of personally identifiable information (PII) — information that pertains to individuals, such as their name, Social Security Number (SSN), salary, and more. Recently, one breach involved the theft of 1.3 million medical records!
Here are a few more breaches that have recently occurred:
• A Navy recruiting station reported that 31,000 individuals were impacted when two legacy laptops were stolen from its office.
• A Naval Hospital Corps School reported that 60 to 70 students were impacted when a portable data storage device was stolen along with other personal effects from an office desk drawer during normal working hours.
• A command career counselor reported that 117 Selected Reservists were impacted when his car, which contained both a laptop and thumb drive containing personnel information, was stolen.
Your Help is Needed!
The Department of the Navy (DON) needs your help in protecting private information — your own and your teammates'! Personal information breaches cost money, which is not budgeted; time to perform a myriad of administrative functions; frustration — because you will have to explain what happened; and embarrassment — to you and your organization because it happened on your watch.
The purpose of this article is to ask you to factor in privacy safeguards as you do your job. Think about your role in this effort. When you came into the government as a civilian or contractor employee, or joined the military, you knew that as a condition of your employment you would need to provide personal information about yourself.
If you were appointed to a high level position, you were required to share financial information; if you required a security clearance, you had to provide lots of personal information — much more than just the basic name, SSN and date of birth. The form contained a Privacy Act Statement to tell you why the information was needed, and it implied that every step would be taken to protect your personal information from unauthorized disclosure.
But as you know, the world we live in is changing fast! Information flow is easier and faster. Paper records have morphed into electronic records, and what used to take time to disseminate can now be done in an instant with the push of a button. Thumb drives have replaced floppy disks and personal information is stored in many forms.
Recent e-government mandates require transparency of privacy programs. The federal government is committed to the goal of having its citizens understand what private information is collected and how that information is used. At the same time, the government wants federal employees to ensure that safeguards are deployed to protect personal information.
The DON has been fortunate to team with the Naval Audit Service, which also seeks to ensure that the Department adopts and adheres to best privacy practices. During recent audits, auditors found that DON recycling bins and waste containers were filled with papers containing personally identifiable information, seemingly without a thought about better protecting this data. Some people mistakenly think that the recycler is responsible for shredding or burning these documents. But the reality is that the recycler is not. We, the users, are responsible, and we must be vigilant in the handling of personal information!