Report Your Breaches
By Michelle Schmith - Published August 19, 2011
The privacy of an individual is a fundamental right that must be respected and protected. While improved handling and security measures have been noted within the Department of the Navy in recent months, the number of incidents in which personally identifiable information (PII) is lost or compromised remains unacceptably high.
The DON Chief Information Officer Privacy Office evaluates an average of one PII breach report per day in which privacy sensitive information is compromised, lost or stolen. To ensure all DON personnel understand their breach reporting responsibilities, this edition of CHIPS will detail that process rather than publish the recurring "Hold Your Breaches" column.
The Department of Defense (DoD) defines PII as information about an individual that identifies, links, relates, or is unique to, or describes him or her (e.g., a Social Security number; age; military rank; civilian grade; marital status; race; salary; home phone numbers; and other demographic, biometric, personnel, medical and financial information, including any other personal information that is linked or linkable to a specific individual).
A PII breach occurs when there is a loss or suspected loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any situation where people other than authorized users, for other than authorized purposes, have access or potential access to PII. This includes PII on the SIPRNET, which carries the same inherent risks of disclosure if sensitive information is not properly protected.
PII breaches affect all DON personnel, whether military, civilian or support contractor. Eighty percent of all breaches are caused by human error; the majority of breaches involve the loss, theft or compromise of SSNs. And while identity fraud linked to the loss of DON information remains low, the number of PII breaches must be reduced.
All DON personnel must protect PII so that no one can access sensitive information without a need to know. In addition, all DON personnel must report a loss or suspected loss or compromise of PII to their supervisor or privacy official upon discovery. Finally, commands must designate a person in writing who is responsible for submitting DON breach reports using SECNAV 5211/1: "DON Loss or Compromise of Personally Identifiable Information (PII) Breach Reporting Form" and SECNAV 5211/2: "DON Loss or Compromise of Personally Identifiable Information (PII) After Action Reporting Form."
Within one hour of discovery of a loss or suspected loss of PII, the designated privacy official must notify proper authorities using SECNAV 5211/1. The initial report must include a brief description of the incident, including circumstances of the breach, type of information lost or compromised, whether the PII was encrypted, and whether the recipients had a need to know.
Within 24 hours of receipt, the DON CIO will review the initial report and determine, using DoD’s Risk Analysis Methodology, the potential risk of harm to affected personnel.
Within 10 days, if required, the designated privacy official must mail notification letters to affected personnel.
And within 30 days of the breach, the designated privacy official, using SECNAV 5211/2, must send notice to the appropriate authorities of remedial actions taken to prevent recurrence, notification status, lessons learned and disciplinary action taken, where appropriate.
All DON personnel must be aware of their roles and responsibilities related to reporting a known or suspected loss of PII. Compliance will help protect privacy sensitive information when a breach is discovered. Look for new breach reporting forms, which will be released by the DON CIO, in summer 2011. Additional information regarding safeguarding PII is located on the DON CIO website at www.doncio.navy.mil/privacy.
Michelle Schmith is a privacy analyst for the Department of the Navy Chief Information Officer.
Department of the Navy Breach Reporting Process
Timeframe | Action | Reference
Within one hour | Breach reported to DON CIO and U.S. Computer Emergency Readiness Team (US-CERT) | DON CIO Message DTG 291652Z FEB 08; SECNAV 5211/1
Within 24 hours | Individual notification determination made; command notified whether individual notifications are required; US-CERT number assigned | DoD Risk Analysis Methodology
Within 48 hours | Breach report forwarded to the DoD Privacy and Civil Liberties Office |
Within 10 days | If required, signed letter sent to each affected individual | Sample notification letter
Within 30 days | After action report sent to DON CIO |
For all DON PII breach reporting resources visit: www.doncio.navy.mil/privacy.