The following is a recently reported breach of personally identifiable information (PII) involving the theft of documents from the trunk of a locked vehicle. Incidents such as this will be reported in each edition of CHIPS to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy Office.
Documents containing PII for a local Drug Education for Youth (DEFY) program were stolen from the trunk of a locked vehicle belonging to an adult volunteer. The vehicle was parked off base. The documents contained PII (i.e., parent’s name, home address, phone number, and personal email address) on more than 50 children of both military and government civilians.
DEFY is a Navy and Marine Corps substance abuse prevention and comprehensive life skills program designed for children 9 through 12 years of age, sponsored by the Navy Personnel Command. Young people, with their lack of extensive financial history, are increasingly being targeted by identity thieves due to the low risk of being caught and prosecuted. This is the first documented PII breach in the program's 20-year history.
Throughout the program’s history, the application process for adult volunteers has included a criminal history background check, which requires an individual's Social Security number (SSN). Prior to the theft of the PII, the local program office had revised the adult application form to exclude SSNs, thus reducing the risk of PII exposure. Adult mentors must still provide their SSN for criminal history checks, but documentation with the SSN is destroyed once the check is complete.
To determine youth eligibility, a date of birth (DOB) was previously requested on the application for youth volunteers. The latest update of this form requests the child's age, rather than DOB, to determine eligibility. This change reduces the risks associated with PII collection.
DEFY program managers discuss the security of PII at the annual train-the-trainer event attended by key staff from each DEFY program. To ensure compliance, DEFY program managers make periodic visits to local DEFY sites around the world to address and correct any PII issues that may be evident when records are reviewed.
The DEFY program processes had been reviewed in accordance with the DON-wide SSN Reduction Program. As a result, the SSN and date of birth were removed from DEFY documents. This made a huge difference in what could have been a much more serious breach of PII.
Based on these mitigating actions, this breach was determined to be low-risk, resulting in little to no harm to the affected individuals.
Breach notifications not only cost scarce resources (e.g., time and money) but also have the potential to negatively affect morale and trust in an organization.
Note: A high-risk breach is a potential or actual loss/compromise of PII that could result in identity theft, fraud, or harm to those affected. The determination of whether a breach is high or low risk is made by the DON CIO Privacy Office.
Additional privacy resources can be found on the DON CIO website at www.doncio.navy.mil/privacy.
Steve Daughety is the privacy lead for the Department of the Navy Chief Information Officer.