The following is a recently reported personally identifiable information (PII) data breach involving the transmission of an email containing PII. Incidents such as this will be reported in each edition of CHIPS to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer (DON CIO) Privacy Office.
An unencrypted email was sent to three military members’ government email accounts. Attached to the email was a roster that contained the names and full Social Security numbers (SSN) of 48 service members. Not all the recipients had an official need-to-know. One of the recipients had the email auto-forwarded to a personal commercial email account. Additionally, the attached document was not marked appropriately for privacy sensitive content in accordance with DON policy.
Upon confirming there was a PII breach, all copies of the unencrypted email were properly deleted. A breach report was submitted and individual written notifications were sent to the 48 affected individuals.
When emailing PII, the sender must understand and apply the following rules:
- Emails containing PII must be digitally signed and encrypted.
- Recipients must have an official need-to-know.
- Rosters may not contain SSNs in any form.
- Storage of any form of PII is prohibited on personally owned laptop computers, mobile computing devices and removable storage media.
- Auto-forwarding email to a commercial account is prohibited.
- The body of the email should include: “FOR OFFICIAL USE ONLY (FOUO) – PRIVACY SENSITIVE. Any misuse or unauthorized disclosure may result in both civil and criminal penalties.”
- As a best practice, the email’s subject line should contain: “FOUO - PRIVACY SENSITIVE.”
- Attachments should always be checked for PII. Excel spreadsheets can have multiple tabs. All tabs should be double-checked for content.
- PII once transmitted outside the security of the Navy Marine Corps Intranet or other government firewall cannot be safeguarded or controlled.
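The rules above can be turned into an automated pre-send check. The following is an added illustration, not DON code or policy text: it assumes the attachment has already been extracted into a dictionary of tab name to cell values (so every tab is scanned, not just the first), and the function and constant names are hypothetical.

```python
import re

# Constructed pre-send PII check modelled on the rules listed above.
# A loose SSN pattern (9 digits, optional dashes/spaces, excluding invalid area/group/serial values).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
BODY_MARKING = "FOR OFFICIAL USE ONLY (FOUO) - PRIVACY SENSITIVE"
SUBJECT_MARKING = "FOUO - PRIVACY SENSITIVE"
GOV_DOMAINS = (".mil", ".gov")  # assumption: what counts as a government account


def _norm(text):
    """Fold the en dash used in the official marking to a hyphen and lower-case."""
    return text.replace("\u2013", "-").lower()


def find_ssns(cells):
    """Return every SSN-looking string found in an iterable of cell values."""
    found = []
    for value in cells:
        found.extend(SSN_RE.findall(str(value)))
    return found


def check_outgoing_email(subject, body, recipients, encrypted, signed, workbooks):
    """workbooks: {filename: {tab_name: [cell values]}}, covering ALL tabs.
    Returns a list of rule violations; an empty list means the message may be sent."""
    findings = []
    if not (encrypted and signed):
        findings.append("email must be digitally signed and encrypted")
    if _norm(SUBJECT_MARKING) not in _norm(subject):
        findings.append("subject line lacks 'FOUO - PRIVACY SENSITIVE'")
    if _norm(BODY_MARKING) not in _norm(body):
        findings.append("body lacks the FOUO / PRIVACY SENSITIVE marking")
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if not domain.endswith(GOV_DOMAINS):
            findings.append(f"recipient {rcpt} is outside a government domain")
    for name, tabs in workbooks.items():
        for tab, cells in tabs.items():
            ssns = find_ssns(cells)
            if ssns:
                findings.append(f"{name}!{tab}: {len(ssns)} SSN(s); rosters may not contain SSNs")
    return findings
```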
Commands should consider requiring PII awareness and PII refresher training for individuals who cause a breach. Both training sessions are available on Navy Knowledge Online, Total Workforce Management Services and the DON CIO website. The training will also soon be available on MarineNet. Refresher training is a new resource and consists of nine short scenarios. Each standalone scenario covers a single privacy-related topic. Commands can require an individual to take any number of the scenarios as deemed appropriate. Breach notifications not only cost scarce resources (time and money), but can also negatively affect morale and trust in an organization.
Policies and Guidance on Handling PII
The following policies and guidance for handling PII can be found on the DON CIO website.
Steve Muck is the Department of the Navy privacy lead.
Steve Daughety provides support to the DON Chief Information Officer privacy team.