Over the past dozen years, there have been a number of personally identifiable information (PII) breaches associated with the vacating of offices and other work spaces. Documents containing sensitive PII have been left behind in and behind desk and file cabinet drawers; in office attics, closets, and other long-term storage areas; under beds (i.e., “racks”) on board ships undergoing repair and refurbishment; and randomly discarded in dumpsters, to name but a few.
Years later, when the office space is needed again or the storage area is inventoried and/or cleared for reuse, documents containing PII are discovered, sometimes in large quantities. PII doesn’t have a shelf-life. Its compromise can affect an individual many years after the loss occurred. In many cases, an individual whose PII has been compromised may have to be notified, which can be expensive and time-consuming, placing an undue burden on commands. Additionally, the impacted individual may have left the service or government, creating the difficult task of locating them to make formal notification of the breach.
In the current environment, as we face the global pandemic, we are being forced to adjust our lives and workplace practices. Some of these practices have become the “new norm,” resulting in long-term or permanent teleworking for many. This new norm, including long-term teleworking, may require employees to clear and vacate former office space and relocate either to another office space or to their place of residence. When an area is vacated, employees must ensure that all documents containing PII are properly safeguarded, destroyed, or transferred to another individual as appropriate. Records management procedures must also be followed.
Lessons Learned and Best Practices when Moving or Vacating a Work Area
All office moves have the potential to result in the loss and the potential compromise of PII.
- Vacated office spaces must be thoroughly searched and all documents removed from desks and file cabinets, including behind and under furniture and hard-to-reach areas.
- Outdated files containing sensitive PII present as much risk to individuals as those that are current.
- When moving large amounts of documents containing PII, documents should be packaged prior to the move and all containers accounted for at the new office.
- Records containing PII that are no longer required should be destroyed in accordance with the Department of the Navy Records Management Manual prior to the move.
- Documents containing PII should be marked per the latest DON policy.
- Before resale or disposal, desks and file cabinets should be thoroughly inspected and their contents removed prior to being released to the public.
Steve Daughety is the Privacy Lead Cybersecurity & Privacy in the office of the Chief Information Security Officer (CISO), Department of the Navy CIO.