When your command experiences a breach of personally identifiable information (PII), will you be ready?
Today, the Department of the Navy (DON) collects, uses, processes, stores, maintains, disseminates, discloses, and disposes of an unprecedented number of personally identifiable information data elements, and interacts with our personnel, their families, and the public in diverse ways. The sheer volume of the data and the assorted methods used to exchange and share it make it imperative that the DON be prepared to respond to a PII breach and mitigate its impact on department personnel.
Today, on average, the office of the DON Chief Information Officer (CIO) receives reports on 60 breaches impacting almost 14,000 civilians, Marines, Sailors, family members and contractors every month. Fortunately, the vast majority of these breaches are quickly and professionally handled by the DON CIO privacy staff, and the local privacy coordinator, mitigating the impact of the breach on the individuals whose PII has been compromised or could have been compromised.
The DON CIO privacy office has well-established and time-tested guidelines on how to respond to breaches. The privacy page, on the DON CIO website, has a section for PII breach reporting resources. The documents in this section provide information on how to report a breach, to whom to report a breach, and how best to mitigate the impact of a breach. Despite the usefulness of the information in this section of the DON CIO website, accessing the page after a breach is discovered may not be soon enough.
Preparing for and responding to a PII breach is a governmentwide priority and was formalized in policy by Office of Management and Budget (OMB) Memorandum M-17-12, dated Jan. 3, 2017. A key aspect of this new policy is that federal agencies must have a breach response plan and exercise it at least annually. This summer the DON held a tabletop exercise to test the functionality of the department breach response plan and modify the plan to meet the changing challenges of technology and the threat to the security of DON PII.
Action officers from the Navy Secretariat, Navy staff, Marine Corps staff, and the DON CIO privacy team met over several sessions to: identify roles and responsibilities, classify the strengths and weaknesses of the DON breach response plan, run through a simulated major breach, and make recommendations to leadership on how to improve the department’s breach plan.
This is an important step in ensuring the DON is ready to respond to a major breach, should one occur. Unlike many federal agencies, the DON is deployed around the country and throughout the world with commanders and commanding officers exercising operational control in their areas of responsibility. For many commanders and commanding officers, this means they will take on the primary role of responding to and mitigating a breach within their operational areas.
All commands should have a breach response plan suited to their size and crafted around their responsibility to protect the personally identifiable information of their personnel — and other PII entrusted to them. At a minimum, the plan should identify roles and responsibilities, the immediate actions to take in the event of a breach, the local resources available, and the resources that can be called upon from outside the command to assist in mitigating the impact of a breach. And, of course, it is important to periodically review the plan to ensure it continues to meet the command’s responsibilities.
Protection of DON PII is an all-hands responsibility, and part of that protection is developing a plan that will best equip each command to properly and promptly respond to a PII breach.
Resources for PII breach reporting are available on the DON CIO website at http://www.doncio.navy.mil/TagResults.aspx?ID=36.