Supervisor Sends PII Without Encrypting Email

By Steve Muck & Steve Daughety - Published, October 27, 2011

The following is a recently reported personally identifiable information (PII) data breach involving a Department of the Navy support contractor who improperly handled PII. Incidents such as this will be reported in CHIPS magazine to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the DON Chief Information Officer Privacy Office.

The Incident

A supervisor sent an unencrypted email containing full name, Social Security number, home address and phone number of 37 active duty personnel to dot-mil user accounts within a single command. All recipients had a "need to know" and routinely receive email like this to perform their assigned duties. The email was not digitally signed and did not carry the "For Official Use Only (FOUO)" privacy warning.

Actions Taken

Recipients were immediately contacted and asked to delete the email and all file copies and to reply with an email confirmation. The DON CIO Privacy Office was contacted a short time after this action was taken and was advised that all recipients had taken the appropriate action.

The DON CIO Privacy Office advised the accountable command/unit that because the email remained within the Defense Department firewall, had been sent to only those with a need to know, and the email was deleted from all files immediately after transmission, that the incident did not constitute a "high risk" breach. Accordingly, the DON CIO determined that notifying the personnel whose SSNs and other PII were emailed, without the required PII safeguards, was not required.

While this breach was considered low risk to affected personnel, it could easily have been determined high risk if:

• The email was sent to individuals who did not have a need to know; or
• The email was sent to a commercial account; or
• The email was stored on a personal computer or a personal removable storage device.

Lessons Learned

• All PII sent by email must be digitally signed and encrypted.
• When mistakes are made that result in theft, loss or compromise of PII, prompt corrective action can mitigate the potential risk of harm to affected personnel.
• Marking documents containing PII can be a simple but effective breach preventive measure.
• All attachments should be opened and read completely before email transmission to ensure there is no unintended PII contained within the document.

Encryption Guidelines

Guidelines for email encryption were issued in a naval message from the DON CIO: DTG 032009Z OCT 08, "DON Policy Updates for Personal Electronic Devices Security and Application of Email Signature and Encryption."

Steve Muck is the privacy lead for the Department of the Navy Chief Information Officer. Steve Daughety is a privacy analyst supporting the DON CIO.

TAGS: Cybersecurity, Privacy

Related News
Related CHIPS Magazine