PII Breach Reporting FAQs
By DON CIO Privacy Team - Published, February 19, 2019
A privacy breach is defined as a known or suspected loss of Department of the Navy personally identifiable information (PII).
When a privacy breach occurs, under what circumstances should the command release a Situation Report (SITREP)?
A SITREP is always sent at the discretion of the Commanding Officer or Officer-in-Charge. One consideration is that SITREPs are usually sent when media interest is expected. Media interest is likely when a very large breach occurs (e.g., when those affected number in the thousands) or when there are unusual circumstances regarding the loss or theft of PII, such as in the spring of 2008, when a "spy" attempted to sell PII to a foreign government and was arrested by the FBI.
When a privacy breach occurs, should the command/unit notify the individuals affected?
The DON CIO Privacy Team will make that determination through a risk analysis. The analysis considers: nature of the data elements breached; likelihood the information is accessible and usable; likelihood the breach may lead to harm; and ability of the command or unit to mitigate the risk of harm.
Why is there such urgency in both the reporting of PII breaches and the written notifications to affected personnel?
The United States Computer Emergency Readiness Team (U.S. CERT) must be contacted within one hour of discovery of a loss, compromise or theft of PII. This requirement is set by the Office of Management and Budget (OMB). U.S. CERT is looking for patterns across the Federal Government that may have significant identity theft consequences. U.S. CERT will provide the originator of the breach report with a reference number. This number should be sent to DON CIO for future reference and tracking. Written notifications are sent to affected personnel (when directed by the DON CIO Privacy Team) and must be made within 10 calendar days of discovery. This is also an OMB requirement and provides the affected personnel time to monitor their financial accounts for possible suspicious activity.
Who submits the PII breach report?
The command or unit that discovers the breach usually submits the breach report. The report is generally submitted by the Privacy Act Coordinator, Administrative Officer, Executive Officer or Legal Officer. When directed by the DON CIO Privacy Team, the owner of the data normally issues written notifications to affected personnel.
Should the names of people involved be included in the breach report?
Names of individuals and any other specific PII should not be identified in the breach report.
Should every incident involving loss of PII be reported?
The short answer is yes: report every incident. While it is prudent to report all PII incidents, it is acceptable not to report the loss of most business-related PII (e.g., badge number, rank, position, office phone number, etc.). This information is considered very low or no risk to the individual. If in doubt, contact the DON CIO Privacy Team.
What format should be used to make an initial report to U.S. CERT?
U.S. CERT, now known as the National Cybersecurity and Communications Integration Center (NCCIC), is included on the distribution list when SECNAV Form 5211/1 or SECNAV Form 5211/2 is used to report breaches. These auto-fill PDF forms are available from Naval Forms Online, or can be downloaded directly from the PII Breach Reporting Resources page.
How long should a command/unit maintain breach report files?
In accordance with the SECNAV Records Manual, SECNAV M-5210.1, dated November 2007, record keepers should maintain breach reports for two years, or destroy them sooner if they are no longer needed for administrative use, whichever comes first. These reports fall under Privacy Act General Administrative files, relating to the general agency implementation of the Privacy Act, including notices, memoranda, routine correspondence and related records. Refer to: SECNAV M-5210.1 under SSIC 5211 para 2. f.