The most commonly reported PII breach in the Department of the Navy is also one of the easiest breaches to prevent: failure to encrypt an email message containing personally identifiable information (PII). In August 2014, failure to encrypt email accounted for almost half of all PII breaches reported, impacting a significant number of DON personnel.
DON policy requires that all email containing sensitive information, including PII, be digitally signed and encrypted. Guidelines for email encryption were issued in a Naval message from the DON CIO: "DON Policy Updates for Personal Electronic Devices Security and Application of Email Signature and Encryption."
On the Navy Marine Corps Intranet (NMCI), all email defaults to a “digital” signature. Encrypting a message must be manually selected in the “Options” tab, and users often forget to select the encrypt option when sending PII. This “Privacy Tip” provides a step-by-step tutorial to customize the encrypt option so the “Sign” and “Encrypt” functions are clearly visible in the “Message” tab (the tab normally used when drafting an email). However, you must still manually select/highlight the “Encrypt” tab.
Two important reminders when emailing sensitive information containing PII:
- You must mark all email containing PII with the Privacy warning: "For Official Use Only, Privacy Sensitive, any misuse may result in civil and or criminal penalty."
- All recipients of the email must have an official need to know.
For step-by-step directions on how to encrypt email messages, visit www.doncio.navy.mil/ContentView.aspx?id=5565.