
Emails Containing Privacy Data Must Be Properly Marked and Encrypted
By DON Privacy Team - April-June 2018
The Incident

In February 2018, a DON component reported a breach of personally identifiable information (PII) to the Office of the Chief Information Officer (OCIO), formerly the Department of the Navy CIO. The breach involved the emailing of an unencrypted Defense Travel System (DTS) Excel spreadsheet containing bank electronic funds transfer (EFT) information, bank routing numbers, truncated Social Security numbers, truncated credit card numbers, residential addresses and emergency contact information for several hundred individuals. The spreadsheet was not encrypted, was emailed to individuals without a need to know, and did not carry the security markings required by the DON Privacy Program instruction, SECNAVINST 5211.5E.

Actions Taken

Because of the sensitivity of the PII and the potential for unauthorized disclosure, affected individuals were notified by email, and a second notification was sent by United States Postal Service to ensure receipt. The email was mass-deleted from the DON component's servers the day after the breach, and all recipients were directed to delete it. A command investigation was ordered to determine how the breach occurred and how a recurrence could be prevented. The DON component also directed that Identity Protection Service (IPS) be provided to the affected individuals.

Lessons Learned

There are several lessons learned and reminders that came out of this breach:

  • Examine all electronic collections of PII. The collection of SSNs must be justified and satisfy one or more of the acceptable use criteria. If the collection is authorized, determine if the number and sensitivity of PII elements can be reduced or eliminated.
  • Reinforce to command personnel that all emails containing PII must be properly marked and encrypted.
  • Continue to conduct PII compliance spot checks.
  • Ensure all personnel complete their PII training at least annually.
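The spot check described above can be partly automated. The following script is an added example written for this article, not DON or DTS code: it scans a CSV export for the kinds of PII elements named in the incident (bank routing numbers, Social Security numbers including truncated forms, full and truncated card numbers), validates routing numbers with the ABA check digit and card numbers with the Luhn check so that ordinary nine- or sixteen-digit values are not flagged, and then refuses release of a message that carries such an attachment without encryption or without the privacy marking. The sample spreadsheet rows are constructed, and the marking string is an assumption; the exact required wording is specified in SECNAVINST 5211.5E.

```python
"""Pre-send spot check for PII in an outbound spreadsheet attachment.

Added example, not DON code. Sample data below is constructed.
"""
import csv
import io
import re
from collections import Counter

# Assumed marking text; the authoritative wording is in SECNAVINST 5211.5E.
REQUIRED_MARKING = "FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE"

# Full or truncated SSN: 123-45-6789, XXX-XX-6789, ***-**-6789
SSN_RE = re.compile(r"(?<!\w)(?:\d{3}|[X*]{3})-(?:\d{2}|[X*]{2})-\d{4}(?!\d)")
# Exactly nine digits, a candidate ABA routing number (validated by checksum)
NINE_DIGITS_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")
# 13-19 digits, a candidate card number (validated by Luhn)
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Masked account or card numbers that expose only the last four digits
TRUNC_RE = re.compile(r"(?<!\w)[X*]{4,12}\d{4}(?!\d)")


def aba_checksum_ok(routing: str) -> bool:
    """ABA routing transit number check: weights 3,7,1 repeated, sum mod 10 == 0."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def luhn_ok(number: str) -> bool:
    """Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2 - 9 if n > 9 // 2 + 0 and n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def classify_cell(cell: str) -> list[str]:
    """Return the PII element kinds detected in one spreadsheet cell."""
    kinds = []
    if SSN_RE.search(cell):
        kinds.append("ssn")
    if any(aba_checksum_ok(m) for m in NINE_DIGITS_RE.findall(cell)):
        kinds.append("routing")
    if any(luhn_ok(m) for m in PAN_RE.findall(cell)):
        kinds.append("card")
    if TRUNC_RE.search(cell):
        kinds.append("truncated_number")
    return kinds


def scan_spreadsheet(csv_text: str) -> Counter:
    """Count (column, kind) hits over every data row of a CSV export."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col, cell in row.items():
            for kind in classify_cell(cell or ""):
                counts[(col, kind)] += 1
    return counts


def release_decision(body: str, attachment_csv: str, encrypted: bool) -> tuple[bool, list[str]]:
    """Return (ok_to_send, reasons). A message with PII in its attachment is
    held if it is unencrypted or if the body lacks the privacy marking."""
    findings = scan_spreadsheet(attachment_csv)
    reasons = []
    if findings:
        kinds = ", ".join(sorted({kind for _, kind in findings}))
        if not encrypted:
            reasons.append(f"unencrypted attachment contains PII: {kinds}")
        if REQUIRED_MARKING not in body:
            reasons.append("message lacks the required privacy marking")
    return (not reasons, reasons)


# Constructed sample rows; the first routing number passes the ABA check,
# the second deliberately fails it, 4111111111111111 is the standard Luhn-valid test PAN.
SAMPLE_CSV = """\
Traveler,EFT Routing,Account,SSN,Card,Home Address
Jane Doe,021000021,XXXX4321,XXX-XX-1234,4111111111111111,123 Main St
John Roe,123456789,XXXX9876,***-**-5678,****1111,456 Oak Ave
"""

if __name__ == "__main__":
    for (col, kind), n in sorted(scan_spreadsheet(SAMPLE_CSV).items()):
        print(f"{col:12s} {kind:18s} {n}")
    ok, why = release_decision("Please see the attached DTS export.", SAMPLE_CSV, encrypted=False)
    print("release:", ok, why)
```

The checksums matter: without them a DTS export full of nine-digit document numbers or sixteen-digit voucher IDs would flood the check with false positives, and a reviewer would learn to ignore it. Note also that a nine-digit SSN written without dashes is not matched by the SSN pattern and would pass the routing check about one time in ten, so a production check should combine content patterns with column-name and data-owner context rather than rely on patterns alone.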


CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988