For the CHIPS July-September privacy theme edition, the DON Privacy Team is rolling out a new title for our quarterly column and presenting five scenarios instead of our usual one. Look for our column under “Privacy Awareness Tips… From the DON Privacy Team” in each edition of CHIPS. The situations discussed here are based on actual personally identifiable information (PII) breaches reported to the Department of the Navy Chief Information Officer Privacy Team. These scenarios illustrate a number of common breaches received regularly by the DON CIO, and cover insider threat, need to know, the compliance spot check, transporting PII, and unauthorized disclosure of PII. The Privacy Team is sharing these examples, lessons learned, and best practices to increase privacy awareness and encourage proper handling of PII. You are encouraged to give this information the widest dissemination throughout your command.
Scenario #1: Insider Threat and PII
A supervisor and his team interviewed an applicant for a contractor position to support a Department of the Navy (DON) computer network. They agreed he was qualified for the position and appeared to be a great fit for their department.
The contract required a background check and security clearance for the position. However, because the team was in a hurry to get someone on the job to reduce an existing backlog, the supervisor decided to go ahead and allow the applicant to begin work before confirming that his background check was completed and his security clearance granted.
Several months later, the applicant was arrested when he attempted to sell personally identifiable information (PII) containing Social Security numbers, home addresses, and other data elements on thousands of DON employees to an undercover law enforcement agent. A joint investigation by the Naval Criminal Investigative Service and Federal Bureau of Investigation found that he had a criminal record.
He was found guilty of aggravated identity theft and exceeding authorized access to a computer for personal gain.
Insider threat is the most difficult breach to detect and prevent. While it currently represents a small number of DON PII breaches, it appears to be a growing problem. Based on this scenario, best practices to consider regarding insider threat and PII include the following:
-- Everyone must be vigilant and aware of the potential for insider threat activity. Problems have occurred when disgruntled or fired employees continue to have network access when their situation warrants an immediate suspension or revocation of access rights.
-- Department of Defense (DoD) and DON policies require personnel who access PII to receive a favorable personnel security investigation. DoD Directive 5200.2-R, “Department of Defense Personnel Security Program,” and SECNAV M-5510.30, “Department of the Navy Personnel Security Program,” contain details of this security guidance.
-- Supervisors must be aware of the potential for personnel to misuse PII and respond appropriately.
-- DON personnel, including military, civilian, and contractors, are responsible for protecting an individual’s privacy when collecting, maintaining, using, or disseminating PII about that individual.
-- Curiosity about a fellow employee’s personal life is never a valid reason to access PII records.
Scenario #2: PII and the “Need to Know”
After a system upgrade, a payroll specialist wanted to verify that the information in her command database was still correct. She sent an encrypted email to all civilian employees who worked at the command, asking them to confirm that their information in the attached document was accurate. The attachment contained the following personally identifiable information (PII) for each member of the command: name, civilian grade, full Social Security number, and the employee identification number assigned by the civilian payroll center.
Her well-intentioned action was a PII breach. Despite encrypting her email, she sent PII on each employee to all employees, many of whom did not have a “need to know.” Regardless of whether the information was encrypted or not, personnel who do not routinely handle or use PII in the performance of their official duties (e.g., as a payroll specialist would) should never have access to someone else’s personally identifiable information.
According to the Office of Management and Budget (OMB), a breach is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations in which persons other than authorized users, and for an other than authorized purpose, have access or potential access to PII, in either physical or electronic form.
Unencrypted email containing PII is the most common breach reported within the Department. Associated PII best practices and specific guidance follow:
-- You can customize your NMCI email to make encryption easier. For information on this process, go to: http://www.doncio.navy.mil/ContentView.aspx?id=5565
-- Before sending an email that contains PII, ask the question: “Do the recipients have a ‘Need to Know’?” Just because a recipient has a common access card (CAC) and/or a security clearance does not automatically qualify them as having a “Need to Know.”
-- When sending an email with PII, always digitally sign and encrypt the email.
-- Safe Access File Exchange (SAFE) can be used to encrypt transmissions of PII when no other method is available. The SAFE application can be found at: http://www.doncio.navy.mil/ContentView.aspx?id=4098
-- All electronic or paper copies of documents containing PII must be marked with the following: “FOR OFFICIAL USE ONLY – PRIVACY SENSITIVE: Any misuse or unauthorized disclosure of this information may result in both criminal and civil penalties.” The DON CIO has posted a “Quickstep” process for marking emails. To view this process visit: http://www.doncio.navy.mil/ContentView.aspx?preview=true&id=8009
Scenario #3: Privacy Compliance Spot Check
During a privacy compliance spot check of a DON work center, the work center supervisor discovered a file containing sensitive personally identifiable information in a network shared drive folder that had no security controls on it.
Although the network was protected because users were required to log on using their Common Access Card (CAC), there were no additional file permissions in place, so anyone with general access to the network could open the file containing the PII.
The supervisor immediately had the file moved to a secure network location. Then he contacted the organization’s Privacy Official, who filed a PII Breach Incident Report within one hour of discovery using the DON Loss or Compromise of PII Breach Reporting Form, SECNAV 5211/1, downloaded from the DON CIO website.
After completing the privacy spot check, the supervisor reviewed the results with his work center team, ensuring that all discrepancies were properly resolved. He then briefed his department head and emailed a copy of the spot check form to the organization’s privacy office, where it will be maintained for three years.
A privacy spot check is an effective tool to assess a command’s privacy program. Best practices and required actions when conducting compliance spot checks include the following:
-- All DON commands must conduct and document semiannual privacy spot checks. The privacy spot check form is an auditable record that must be kept for three years by the command privacy office.
-- To assist commands in this effort, they may adapt the DON privacy compliance spot checklist for their use after downloading it from the “Privacy” page of the DON CIO website at: http://www.doncio.navy.mil/ContentView.aspx?id=760
-- Software tools that focus on PII elements such as the Social Security number are commercially available to run periodic checks on shared drives and portals.
-- It is very important to place security controls on documents that contain PII, even when those documents are protected behind PKI-enabled websites and networks. Numerous incidents involving lack of access controls on shared drive files have been reported after network maintenance has been performed.
-- Only those personnel with a “Need to Know” should have access to PII.
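As an added example (not from the article or the DON CIO), the periodic shared-drive check the last three items describe can be scripted: the Python below walks a folder, flags files holding Social Security number patterns, and reports whether each such file is still readable beyond its owner. The folder contents are constructed for the demonstration, and the POSIX permission check stands in for the NTFS share permissions a command would actually inspect.

```python
"""Added example, not DON CIO code: a minimal privacy spot-check scanner.
Sample files are constructed; POSIX read bits stand in for share ACLs."""
import os
import re
import stat
import tempfile

# 123-45-6789 form; lookarounds stop matches inside longer digit runs.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def find_ssns(text):
    """Return every SSN-shaped token in text (used only to count, never stored)."""
    return SSN_RE.findall(text)

def open_access(path):
    """True when group or other can read the file, i.e. no per-file control."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def spot_check(root):
    """Walk root and report files holding SSNs: count and access state only,
    so the finding itself does not become a new PII record."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_ssns(fh.read())
            except OSError:
                continue  # unreadable file: skip here, a real tool would log it
            if hits:
                findings.append({"path": os.path.relpath(path, root),
                                 "ssn_count": len(hits), "open_access": open_access(path)})
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree():
    """Constructed share: a world-readable roster, a restricted payroll note,
    and a checklist with no PII. Returns the folder path."""
    root = tempfile.mkdtemp(prefix="spotcheck_")
    samples = {
        "recall_roster.csv": ("name,rank,ssn\nDoe,PO2,123-45-6789\nRoe,PO1,987-65-4321\n", 0o644),
        "payroll_notes.txt": ("Employee 123-45-6789 grade GS-11 verified.\n", 0o600),
        "duty_checklist.txt": ("Secure spaces. Phone ext 4321.\n", 0o644),
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)  # simulate the file permissions found on the share
    return root
```

Running `spot_check(build_sample_tree())` lists the roster as open access and the payroll note as restricted; the checklist is not reported because it holds no SSN.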
Scenario #4: Transporting PII in an Automobile
When a Command Duty Officer (CDO) left work for the day she took her Navy laptop and the CDO notebook with her. In addition to various checklists and other information, the CDO notebook contained a command recall roster on a spreadsheet containing the name, rank, home phone number, home address, spouse’s name, and personal email address of each member of the command.
While driving home, she stopped at a local restaurant to pick up carryout. During the brief time she was inside the restaurant, her car was broken into and the CDO notebook and her Navy laptop were stolen.
Upon discovery of the robbery, she immediately reported the incident to her command’s executive officer and commanding officer, as well as the local police department. Neither the laptop nor the CDO notebook was recovered. Fortunately, her Navy laptop was protected with official data-at-rest (DAR) software which prevents unauthorized access to the data contained on it. However, because of the personally identifiable information (PII) contained on the command recall roster, she contacted the command Privacy Officer so that proper breach reporting and mitigation action could be initiated.
The DON Privacy Office receives an average of four to five PII breaches a month that involve either the break-in or theft of a vehicle. In most cases, the PII involved is not recovered. Best practices and guidance that applies to transporting PII in an automobile include the following:
-- DON data-at-rest (DAR) encryption software is required to effectively safeguard unclassified data stored on portable computer hard drives and other portable storage devices.
-- Command recall rosters should only contain the minimum information necessary to recall personnel. Per DON policy, rosters of any type should never contain an individual’s Social Security number.
-- When transporting PII, never leave it unattended in a car, even a car that is locked.
-- Within one hour of the discovery of a loss or suspected loss of PII, notify your command’s designated Privacy Officer, who will execute the PII reporting process.
Scenario #5: Unauthorized Disclosure of PII
While shopping at the Navy Exchange, a petty officer (PO) ran into two shipmates who were assigned to the local medical clinic’s lab. The two shipmates greeted the PO by congratulating him on the good news. Perplexed, he asked them what they were talking about and they responded that he was going to be a father. Still confused, he asked them to explain further. His shipmates said that they came across his wife’s medical records and noticed she had a positive pregnancy test in her lab reports.
Upset by this privacy violation of his wife’s medical records, the PO contacted the health clinic’s Health Insurance Portability and Accountability Act (HIPAA) Privacy Officer to report the incident.
A legal investigation was conducted and both Sailors were referred to their command for captain’s mast for Violation of the Uniform Code of Military Justice (UCMJ), Article 92 (Failure to obey a lawful order or regulation). Both were found guilty of the violations. They were each given 30 days of extra duty, a reduction in rank, and forfeiture of half a month’s pay for two months. Results are pending an appeal.
Best practices and required actions when you are entrusted with access to PII involving medical information include the following:
-- Protection of medical information and PII is mandated by federal law.
-- An individual’s medical information is private and should only be available and disclosed to those with a “Need to Know.”
-- Handling PII is a trust and, as such, you are expected to properly handle and protect PII.
-- Curiosity is not a legitimate reason to access a database or paper records containing PII.
-- System administrators can identify who accesses specific records. Confirmation that unauthorized access occurred with or without disclosure can result in an adverse personnel action.
-- Mishandling medical information and PII is a serious matter. Improperly disclosed information can cause embarrassment or harm to the individual and result in disciplinary action for the violator(s).