The following is a recently reported breach of personally identifiable information (PII) involving the improper mapping of a printer resulting in PII being exposed to those without a need to know. Incidents such as this will be reported in each edition of CHIPS to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Privacy Office.
A base community service office employee attempted to print a document containing over 600 names, full Social Security numbers (SSNs), and other employee information. The print job was attempted three times without apparent success. The document was not marked with the required “FOUO-Privacy Sensitive” warning. It was later determined that the employee’s work station was mapped to a printer in a different community service building. As a result, the PII was exposed to at least four different staff members. The breach was reported to the local privacy official, the office director, and the sender of the document. The privacy official reported the breach to the DON CIO Privacy Office.
The document was immediately retrieved and shredded. The work station was remapped to the correct printer. A memorandum was created containing the details of the incident and actions taken to assist in documenting and providing lessons learned to the command.
Human errors can and will occur.
- When printing documents containing PII, a best practice is to ensure that your work station is mapped to the correct printer.
- If a document doesn’t print, check the mapping before attempting additional print jobs.
- Continue to remind office personnel during training sessions, all hands meetings, in plans of the day/week, etc., of the importance of properly handling and safeguarding PII.
- Mark documents containing PII per SECNAVINST 5211.5 series.
- Verify that any collection of Social Security numbers has been validated and officially justified.
Because of the actions taken to mitigate the breach, the time and expense of notifying over 600 individuals in writing was avoided.
Additional privacy resources can be found on the DON CIO website at www.doncio.navy.mil/privacy.
Steve Daughety is the privacy lead for the Department of the Navy Chief Information Officer.