The privacy of an individual is a fundamental right that must be respected and protected. While improved handling and security measures within the Department of the Navy (DON) have been noted in recent months, the number of incidents where the loss or compromise of personally identifiable information (PII) occurs remains unacceptably high.
The DON Chief Information Officer (CIO) Privacy Office evaluates an average of one PII breach report per day in which privacy sensitive information has been compromised, lost or stolen. To ensure all DON personnel understand their breach reporting responsibilities, this article details that process.
PII is defined as information about an individual that identifies or links, relates, or is unique to, or describes him or her, e.g., Social Security number (SSN); age; military rank; civilian grade; marital status; race; salary; home phone numbers; and other demographic, biometric, personal, medical and financial information, including any other personal information that is linked or linkable to a specific individual.
A PII breach occurs when there is a loss or suspected loss of control; a compromise; unauthorized disclosure, acquisition, or access; or any situation in which individuals other than authorized users, for other than authorized purposes, have access or potential access to PII. This includes PII on the SIPRNET, which carries the same inherent risks of disclosure if sensitive information is not properly protected.
PII breaches affect all DON personnel, whether military, civilian or support contractor. Eighty percent of all breaches are caused by human error. The majority of breaches involve the loss, theft or compromise of SSNs. And while identity fraud linked to the loss of DON information remains low, the number of PII breaches must be reduced.
All DON personnel must protect PII so that no one can access sensitive information without an official need to know. In addition, all DON personnel must report a loss, suspected loss or compromise of PII to their supervisor or privacy official upon discovery. Finally, commands (SECNAVINST 5211.5E requires echelon 2 and 3 commands and Marine Corps Major Subordinate Commands) must designate a person in writing who is responsible for submitting DON breach reports using SECNAV 5211/1: "DON Loss or Compromise of Personally Identifiable Information (PII) Breach Reporting Form" and SECNAV 5211/2: "DON Loss or Compromise of Personally Identifiable Information (PII) After Action Reporting Form."
Within one hour of discovery of a loss or suspected loss of PII, the command must notify proper authorities using the SECNAV 5211/1 form. The initial report must include a brief description of the incident, including circumstances of the breach, type of information lost or compromised, whether the PII was encrypted, and whether the recipients had an official need to know. A local command investigation may be initiated, and when appropriate, the Naval Criminal Investigative Service (NCIS) may pursue a criminal investigation.
Within 24 hours of receipt, the DON CIO will review the initial report and determine, using the DON's risk analysis methodology, the potential risk of harm to affected personnel. The DON CIO will advise the accountable command (i.e., the command responsible for causing the breach) whether individual notification of affected personnel is required. If so, the command causing the breach must mail notification letters to all affected personnel within 10 days. On a case-by-case basis, the DON CIO may recommend identity theft services, or the accountable command may on its own choose to provide them. If such services are provided, the accountable command is responsible for all costs incurred.
Within 30 days of the breach, the command must submit a breach After Action Report, SECNAV Form 5211/2, reporting remedial actions taken to prevent recurrence, notification status, lessons learned, and disciplinary action taken, where appropriate.
All DON personnel must be aware of their roles and responsibilities related to recognizing PII and must be prepared to report a known or suspected loss of PII, should one occur, thereby protecting DON employees from identity theft or fraud.
A high-level reference chart noting major actions and responsibilities within the DON breach reporting process is provided here, but for additional, specific information regarding safeguarding PII and reporting PII breaches, visit the DON CIO website at www.doncio.navy.mil/.