The following is a recently reported personally identifiable information (PII) data breach involving a Sailor who improperly handled PII. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy Office.
A Sailor removed several boxes of personnel and training records from his command and stored them, along with his personal gear, in an off-base commercial facility. Months passed, during which the Sailor failed to pay his monthly storage fee. While the bills remained unpaid, the Sailor transferred to a new command. After a delinquency period of several months, the storage facility auctioned off the property to a church. In assessing the contents, the church discovered hundreds of documents containing PII and notified the base security officer, who then retrieved the boxes and reported the incident as a PII breach.
The records had to be reviewed to identify the extent and seriousness of the PII breach. Names of more than 2,800 personnel with associated personally identifiable information were identified. A list of personnel with high-risk PII elements, such as Social Security number, date of birth and place of birth, reduced the total number of personnel who were considered at risk for potential identity fraud to 1,200. The DON CIO Privacy Office determined that notifications to the high-risk personnel were required. Approximately half the high-risk personnel had left the command, and in those cases home addresses were researched. The irresponsible Sailor was punished for mishandling PII and failing to follow DON policy in accordance with the Privacy Act of 1974.
• Unless it is your own, personally identifiable information should never be taken home.
• PII must be physically secured at all times.
• A breach of this magnitude requires extensive administrative work to mitigate.
• Supervisors must monitor their workplace and be mindful that subordinates need continual training and supervision.
• Paper and electronic records must be reviewed on a routine basis for retention or destruction.
• The DON CIO Privacy Office can provide assistance in finding addresses of personnel who have transferred to a new command or have left the service.
Similar acts of carelessness are frequently reported to the DON CIO Privacy Office. While this particular incident caused a number of people a substantial amount of administrative work, the department is fortunate in that a responsible person returned the documents to government control. This minimized the potential risk to those personnel whose documents were improperly stored. DON personnel are reminded to properly safeguard all PII when it is under their control and to report any breach as soon as it is discovered.
Steve Muck is the privacy lead for the Department of the Navy Chief Information Officer.