Email this Article Email   

CHIPS Articles: Hold Your Breaches!

Hold Your Breaches!
Emailing Personally Identifiable Information
By Steve Muck and Steve Daughety - January-March 2013
The following is a recently reported personally identifiable information (PII) data breach involving the transmission of an email containing PII. Incidents such as this will be reported in each edition of CHIPS to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer (DON CIO) Privacy Office.

The Incident

An unencrypted email was sent to three military members’ government email accounts. Attached to the email was a roster that contained the names and full Social Security numbers (SSN) of 48 service members. Not all the recipients had an official need-to-know. One of the recipients had the email autoforwarded to a personal commercial email account. Additionally, the attached document was not marked appropriately for privacy sensitive content in accordance with DON policy.

Actions Taken

Upon confirming there was a PII breach, all copies of the unencrypted email were properly deleted. A breach report was submitted and individual written notifications were sent to the 48 affected individuals.

Lessons Learned

When emailing PII, the sender must understand and apply the following rules:

  • Emails containing PII must be digitally signed and encrypted.
  • Recipients must have an official need-to-know.
  • Rosters may not contain SSNs in any form.
  • Storage of any form of PII is prohibited on personally owned laptop computers, mobile computing devices and removable storage media.
  • Auto-forwarding email to a commercial account is prohibited.
  • The body of the email should include: “FOR OFFICIAL USE ONLY (FOUO) – PRIVACY SENSITIVE. Any misuse or unauthorized disclosure may result in both civil and criminal penalties.”
  • As a best practice, the email’s subject line should contain: “FOUO - PRIVACY SENSITIVE.”
  • Attachments should always be checked for PII. Excel spreadsheets can have multiple tabs. All tabs should be double-checked for content.
  • PII once transmitted outside the security of the Navy Marine Corps Intranet or other government firewall cannot be safeguarded or controlled.

Commands should consider requiring PII awareness and PII refresher training for individuals who cause a breach. Both training sessions are available on Navy Knowledge Online, Total Workforce Management Services and the DON CIO website. The training will also soon be available on MarineNet. Refresher training is a new resource and consists of nine short scenarios. Each standalone scenario covers a single privacy-related topic. Commands can require an individual to take any number of the scenarios as deemed appropriate. Breach notifications not only cost scarce resources (time and money), but can also negatively affect morale and trust in an organization.

Policies and Guidance on Handling PII

The following policies and guidance for handling PII can be found on the DON CIO website.

Steve Muck is the Department of the Navy privacy lead.

Steve Daughety provides support to the DON Chief Information Officer privacy team.

Related CHIPS Articles
Related DON CIO Policy

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988
Hyperlink Disclaimer