Email this Article Email   

CHIPS Articles: Hold Your Breaches, July-September 2009

Hold Your Breaches, July-September 2009
By Steve Muck - July-September 2009
The following is a recently reported compromise of personally identifiable information (PII) involving the improper disposal of human resources documents. Incidents such as this will be reported in each CHIPS magazine to increase PII awareness. Names have been changed or removed, but details are factual and based on reports sent to the DON CIO Privacy Office.

The Incident

Some time between late February 2009 and mid-March 2009, three boxes were discovered in a recently vacated office. The office had been completely stripped of all furniture, supplies and equipment in preparation for another office code to move in. The empty office was unlocked and probably remained so until the movers arrived with the new office equipment. The boxes contained more than 240 employee records, with Social Security numbers, home addresses and other personal information dating back to the early 1980s. All personnel in the building were questioned, but no one claimed to have any knowledge of how the boxes appeared in the empty office.

This incident is a privacy official's worst nightmare: Old records containing high-risk PII in an unlocked office that no one could account for. Like most PII breaches, this one could have easily been prevented.

Additional privacy protection information can be found on the DON CIO Web site:

Lessons Learned

• Office moves are common and present unique challenges when moving paper and electronic records. The command privacy official should ensure that all personnel involved in an office move take extra precautions when packing, shipping and relocating records that contain PII.

• Develop a moving plan and ensure PII safeguard considerations are factored in.

• Human resources, law enforcement, medical, administrative, legal and financial offices are especially vulnerable to this type of PII compromise/loss due to the personal records that these offices maintain.

• All vacated offices should be locked.

• Remember that PII has a very long shelf life and can be used fraudulently even after a person is deceased. Commands should develop and implement a document destruction policy following guidelines issued in the DON Records Management Manual (SECNAV M-5210.1) available from the DON CIO Web site,, under the Policy and Guidance tab.

• Most documents can be destroyed after five years.

Steve Muck is the DON CIO privacy team lead.

TAGS: Privacy, RM
A new PII brochure is available with protective measures you can take to help you understand PII and its hazards.
Related CHIPS Articles
Related DON CIO News
Related DON CIO Policy

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988
Hyperlink Disclaimer