The following is a recently reported breach involving personally identifiable information (PII) left behind in a vacated office. Incidents such as this will be reported in each edition of CHIPS to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Privacy Office.
A forty-three-page visitor log and a laptop computer were left behind in a locked file cabinet when the office occupants vacated the space. The visitor log contained the names and full Social Security numbers (SSNs) of almost 900 individuals. The list was dated 2007. The document and laptop were discovered when the new occupants unlocked the file cabinet. The laptop was examined to determine whether data-at-rest (DAR) encryption software was installed and what PII may have been present. The breach was reported to the local privacy official. The privacy official reported the breach to the DON CIO Privacy Office.
The document was reviewed and shredded. The laptop was examined and did have the correct encryption software installed. Training was conducted regarding office moves and the necessity to safeguard PII to prevent access by those without a need to know. The DON CIO Privacy Team determined the breach to be high risk and that individual notifications were required.
All office moves have the potential to result in the loss or compromise of PII.
- Vacated office spaces must be thoroughly searched and all documents removed from desks and file cabinets.
- Outdated files containing sensitive PII present as much risk to individuals as those that are current.
- All PII documents should be packaged prior to the move and all containers accounted for at the new office.
- PII that is no longer required should be destroyed in accordance with the Department of the Navy Records Management Manual prior to the move.
- Mark documents containing PII per SECNAVINST 5211.5 series.
- Before resale or disposal, desks and file cabinets should be thoroughly inspected and their contents removed prior to being released to the public.
Because of the sensitive nature of the PII, the breach was evaluated as high risk, requiring notifications. Numerous PII breaches with similar scenarios have been reported recently. Three were reported by different commands in a 24-hour period, highlighting the frequency of this occurrence.
Additional privacy resources can be found on the DON CIO website at www.doncio.navy.mil/privacy.
Steve Daughety is the privacy lead for the Department of the Navy Chief Information Officer.