Web Site Postings of PII
By Steve Muck - Published, February 8, 2008
The following is a synopsis of a recently reported loss or breach of personally identifiable information (PII) that highlights common mishandling mistakes made by individuals within the Department of the Navy. Names have been changed, but details are factual and based on reports sent to the DON Privacy Office.
On Oct. 17, 2007, a recall roster was discovered posted to a virtual workspace portal on the Navy Marine Corps Intranet. The roster contained the names, home addresses, home phone numbers and cell phone numbers of command and contractor personnel. The portal was accessible to NMCI users only, but no other access restrictions were in place. The roster was immediately removed from the portal and the affected individuals were notified.
IT system owners and web site managers must implement strict business rules that allow access to PII posted to a web site or virtual workspace only to those with a "need to know." Commands should periodically spot check their web sites for unrestricted PII.
Spot checks are now required twice yearly as required in ALNAV 070/07, DTG 042232Z of Oct. 4, 2007: Department of the Navy Personally Identifiable Information Annual Training Policy.
A sample spot check form can be found on the DON Privacy Office web site at http://privacy.navy.mil, along with other tools and information for protecting privacy.
Steve Muck is the DON CIO privacy team lead.