The following is a recently reported personally identifiable information (PII) data breach involving the storage of paper documents containing PII. Incidents such as this one will be reported in each edition of CHIPS to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy Office.
A Navy recreational office was burglarized after it was secured for the evening. The perpetrator broke into a locked file cabinet containing membership applications for 180 Navy personnel. The applications contained Social Security numbers and either a copy of a person’s passport or birth certificate, which was used to verify citizenship.
No files or personal property were stolen during the burglary. However, a breach report was submitted because of the potential compromise of personal information, and written notifications were sent to the 180 people who were affected. Further, leadership requested sample application forms from similar offices and reviewed all application processes to ensure conformance to Department of the Navy policy for safeguarding PII and improve application handling.
There are a number of lessons that others can learn from this incident and that apply to handling paper records and forms that collect PII. Paper records containing PII must only be accessible to those with an official need to know. In this example, the office and file cabinet were properly secured.
However, the form used by the office was not an official Navy form. All forms that commands use to collect PII must be an official form. This means commands must follow procedures established by the DON CIO, as the Senior Military Component Official for Privacy. Forms must be reviewed by a forms manager and privacy official, and if approved, they are assigned a form number. The form must include a Privacy Act Statement and the specific authority that allows PII to be collected. Finally, the form must be registered and posted to the Naval Forms Online website (https://navalforms.documentservices.dla.mil/). For additional information, please contact your command forms manager or OPNAV DNS-51 at (703)614-7585.
There are other considerations as well. The collection of PII may require a System of Records Notice (SORN). Please contact your command privacy official or the OPNAV DNS-36 Privacy Act Branch at (202)685-0412 to determine if a SORN is required.
If you are collecting personal information on 10 or more members of the public in a 12-month period, the form may also require Office of Management and Budget approval and an OMB control number. To determine if an OMB control number is required, contact OPNAV DNS-51 at (703)614-7585.
If the form collects SSNs, it must go through the SSN reduction review process established by the DON CIO to reduce the use of SSNs in business processes under the department’s control. If it is determined that the continued collection of SSNs is required, then a document justifying the collection must be developed and signed by a flag officer, a civilian senior executive or an individual given "by direction" authority. More information on the DON SSN reduction process is available at www.doncio.navy.mil/contentview.aspx?id=1912.
Minimize the collection of PII wherever possible. The Navy office in the example was collecting SSNs and verifying citizenship for members by maintaining a file copy of either their passport or birth certificate. The Department of Defense ID number or other unique identifier should be used in place of SSNs whenever possible. And while passport or birth certificate information should be confirmed, there is no need to keep a copy on file.
Finally, paper copies of the application could be scanned and filed electronically, eliminating the need to keep hard copy documents in file cabinets.
PII breaches not only cost the department scarce resources, such as time and money, but also have the potential to undermine morale and trust in the organization. Additional privacy resources can be found at www.doncio.navy.mil/privacy.
Steve Muck is the Department of the Navy privacy lead.
Steve Daughety provides support to the DON Chief Information Officer privacy team.