Department of the Navy Privacy Issues “A few weeks ago, I received a letter from the Commanding Officer of my Navy Operational Support Center. While I am no stranger to trouble, I still wondered what had warranted such a letter. Much to my chagrin, it was sent to notify me that (for the fifth time) my PII had been compromised. And just this past week, I received a letter from the Army -- an organization I have not worked for in 24 years -- notifying me that my PII had been compromised (for the sixth time). Needless to say, privacy -- the protection of PII and the elimination of PII compromises -- is a burning passion of mine.” Rob Carey, DON CIO, Jan ’10
Agenda • My HR Assumptions • DON Privacy Update • Definitions • Recent PII Breaches • PII Breach Trends • Phishing • Social Media • SSNs: A Perfect Storm • Purpose and Background Of SSN Reduction Plan • Acceptable SSN Uses • DON SSN Reduction Plan (DRAFT) • Privacy Lessons Learned • Final thoughts…
My HR Assumptions • You handle, store, transmit significant PII in a variety of functional areas • Use of the SSN in many of your processes is absolutely critical • Your processes are heavily reliant on official forms and the use of IT systems • Use of unofficial forms for convenience and expediency is probably very high • HR professionals serve 200K + people in locations around the world • The likelihood of a loss or compromise of privacy sensitive information is higher than average • You have volumes of paper and electronic records that exceed prescribed storage times
Privacy Update • DON CIO designated as Senior Military Component Official for Privacy (SMCOP) • Roles and Responsibilities • Oversee the Department’s Privacy Program. • Oversee the Department’s implementation of the Privacy Act. • Lead policy oversight and coordination in the Department’s development and evaluation of policy proposals. • Ensure the Services are responsible and accountable for implementation of information privacy protections. • Ensure the Services take appropriate steps to protect personal information. • Oversee the Department’s compliance efforts. • Ensure the Services take appropriate steps to provide the Department's employees with appropriate privacy training.
Privacy Update SMCOP has directed: • Amend SECNAV 5211.5E to reflect SMCOP roles • Memo to senior DON leadership from SECNAV • Accelerate Data at Rest (DAR) implementation • Explore use of Data Loss Prevention (DLP) software • Implement DON SSN reduction plan • Update privacy training modules • Tie network logon to completion of annual PII training • Explore use of identity theft protection (credit monitoring)
Update - Civil Liberties • Implementing Recommendations of the 9/11 Commission Act of 2007, PL 110-53 - Government has a solemn obligation to protect the legal rights of all Americans including freedoms, civil liberties and privacy. • Select Federal Agencies must create CL Offices • DoD directs components to designate CLO • OGC felt DON CIO was best suited to assume the CL duties • Examples: Guantanamo detention, military police conduct, military voting • Roles and Responsibilities of the Civil Liberties Office include: • Develop and lead an assessment team to determine any civil liberties issues and/or concerns within DON • Develop implementing policy and guidance consistent with DoD • Ensure DON-wide basic CL training completed annually and promote awareness • Receive, investigate, and respond to CL complaints from field • Monitor general compliance; submit quarterly reports • Challenges: • New office with little/no experience and no resources - Close tie with Privacy Act
Personally Identifiable Information (PII) Definition • “…information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a SSN; age; rank; grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical and financial information.” (DoD Memo, 21 Sep 07)
Sensitive and Non-Sensitive PII • Sensitive PII, which may cause harm to an individual if lost/compromised: • Financial information - bank account #, credit card #, bank routing # • Medical data - diagnoses, treatment, medical history • Full Social Security Number • NSPS/Personnel ratings and pay pool information • Place and date of birth • Mother’s maiden name • Passport # • Numerous low risk PII elements aggregated and linked to a name • Non-Sensitive PII, all authorized use under DON policy and considered “low risk”: • Badge number • Job title • Pay grade • Office phone number • Office address • Office email address * • Lineal numbers • Full name • * Cautionary note: Growing problem with email phishing
PII Breaches • A breach is defined by the Office of Management & Budget as: “A loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic” • Reporting is required when a known or suspected loss, theft or compromise of PII occurs: • Use OPNAV Form 5211/13 to make initial and follow up reports • Send to: • US-CERT (United States Computer Emergency Readiness Team) within 1 hour of discovering a breach has occurred • The DON CIO Privacy Office within 1 hour • The Defense Privacy Office • Navy, USMC, BUMED chain of command, as applicable • DON CIO Privacy Office will determine within 1 working day the need to notify affected personnel - weigh risk of identity fraud. • Within 24 hours provide DON CIO follow up report. • Within 30 days provide DON CIO lessons learned.
The Cost of a PII Breach • The most significant cost to an organization results from lost confidence and trust by our sailors, marines, government civilians and the public • For a company, that translates into customer turnover and loss of brand equity • For DON, it impacts employee morale, ability to recruit new hires and job satisfaction • Potential class action lawsuits and/or criminal prosecution • Mailings, call center costs and credit monitoring • Expenses associated with identity theft
Recent Breaches • Used Navy copiers erroneously sold before hard drives sanitized. Error realized before copiers were received by new owner and recovered by DON. Contained PII and other sensitive info. Sep 09 • Unencrypted laptop stolen/missing from Naval pharmacy containing SSNs and patient names. Aug 09 • Employee downloaded PII to unencrypted CD, transferred to new command, soon after arriving lost the CD and filed a breach report. Oct 09. • Sailor and his civilian girlfriend were allegedly attempting to steal the identity of multiple staff members. Several staff members had complained about attempts being made to take out credit in their names. Jan 10 • PO2 sold PII of service members to group who created bogus tax returns. Felony charges pending, investigation ongoing. Apr 10 • “At Navy, Sluggish Response to Data Breach”, title of 2 Apr 10 Washington Post article. Potential compromise of PII reported by command May 08, DON CIO directed notification letters be sent, command responded 17 months later.
PII Breach Media [chart not reproduced; callouts: “Must have tight controls/permissions”; “Improving but only takes one”; “Still # 1”]
PII Breach Media [chart not reproduced; callouts: “Sent to recipients ‘without a need to know’ / unencrypted”; “What happens to the digital images when a copier is turned in?”]
Type of PII Lost, Stolen or Compromised [chart not reproduced; highlighted category: Social Security Number]
Phishing • Phishing is the process of attempting to acquire sensitive information such as usernames, passwords or financial account details by masquerading as a trustworthy entity in an electronic communication. • This is a growing activity within the DON. • Phishing emails generally ask you to click a link back to a spoof web site. Doing so could subject you to the installation of key logging software or viruses. • They use fear to motivate you to respond: “your account has been temporarily suspended due to recent fraudulent activity, we need you to verify your account information…” • Never open emails from unknown sources or institutions soliciting: • Passwords • Credit card information • ATM/Debit Card number • Social Security Number • Bank/financial account number • If in doubt about the validity of the email, call their customer service number. • Notify your network administrator. For NMCI go to: https://www.homeport.navy.mil/support/articles/report-spam-phishing/
Responsible and Effective Use of Social Media • Directive-Type Memorandum (DTM) 09-026 – Responsible and Effective Use of Internet-based Capabilities 25 Feb 10 • Effective immediately, the DTM states that the default for the DoD non-classified network (the NIPRNET) is for open access so that all of DoD can use new media • Directs open and consistent access across the board • Commanders at all levels and heads of DoD components will continue to keep networks safe from malicious activity and take actions, as required, to safeguard missions • Service members and DoD employees are welcome and encouraged to use new media to communicate with family and friends — at home stations or deployed — but do it safely • For more info go to: (http://socialmedia.dod.gov) • Implementation guidance is in development • SNS sites, web mail, etc
SSNs: A Perfect Storm • Contributing factors shown on the slide graphic: Human error; Budget and resources; Changing business processes; IT systems; Flash storage media; Records management; Teleworking; DON culture; Hard drives; Hackers; Blogs; Official and unofficial forms; Disposal of storage media; Contractor services; Web portals and shared drives; Spreadsheets; Insider threat; Email; Malicious software; Data mining; DAR encryption implementation
SSN Reduction Plan Background • GOAL: To reduce or eliminate the use, display, collection, dissemination or storage of SSNs across the DON. • In April ’07, the President’s Task Force on Identity Theft issued a strategic plan which required that every agency develop and implement a plan to reduce the unnecessary use of SSNs • This requirement was also included in OMB Memorandum M-07-16 of May 22, ’07 • Per the DoD Senior Privacy Official response to OMB, the DoD SSN Reduction Plan is required to be developed by April ’08 • The SSN Reduction Plan was developed by the SSN Reduction Tiger Team, under the auspices of the Identity Protection and Management Senior Coordination Group • DMDC took the lead in developing this plan and developed a Directive-Type Memo, still under review
Acceptable SSN Uses • DoD Guidance lists 12 cases for Acceptable Uses of SSNs (Collection, Use, or Retention): • Geneva Conventions Serial Number (on a timeline to change/eliminate SSNs from ID cards) • Law Enforcement, National Security, and Credentialing • Security Clearance Investigation or Verification • Interactions with Financial Institutions • Confirmation of Employment Eligibility • Administration of Federal Worker’s Compensation • Federal Taxpayer Identification Number • Computer Matching • Foreign Travel • Noncombatant Evacuation Operations • Legacy System Interface • Other Cases (with specified documentation)
DRAFT DON SSN Reduction Plan • Phase 1 - focus on justifying continued use/collection of SSNs in official Navy/Marine Corps forms and IT systems. • Phase 2 - Where SSNs are still needed and where applicable, substitute using the Electronic Data Interchange Personal Identifier (EDIPI). • Challenges: • DoD must provide guidance on the use of the EDIPI - must have controls or we create another SSN. • Elimination of the SSN or substituting the EDIPI for the SSN will incur unfunded program costs.
DRAFT SSN Reduction Plan for Forms • Catalog all official DON forms using NAVAL Forms Online. • Using SECNAV 5213/1 Jan 2010, each form that collects SSNs must provide written justification for continued use. • DON Forms Management Officers, consulting with Privacy Official, draft justifications for all forms that fall within their area of responsibility. This includes: DD/SD forms, component-wide forms, command forms and installation forms • All reviews must include: • Copy of Privacy Act Statement • Copy of official form • Acceptable use (from list of 12). If use “Other Cases”, must describe • Actions taken to truncate, hide or mask SSN • Statement regarding impact to business process if SSN were to be eliminated • Potential for SSN to be replaced with the EDIPI
DRAFT SSN Reduction Plan for IT Systems • Data fields in DITPR DON for IT systems with PII must be verified for accuracy: • Does the system contain SSNs? • Acceptable use selection for SSNs completed? • Using SECNAV 5213/1 Jan 2010, each IT system that collects, maintains, uses or disseminates SSNs must have written justification for continued use. • System owner, in consultation with Privacy Official, completes the justification • Justifications must include: • Acceptable use (from list of 12). If “Other Cases”, must describe • Actions taken to truncate, hide or mask SSN • Statement regarding impact to business process if SSN were to be eliminated • Potential for SSN to be replaced with the EDIPI
Privacy Lessons Learned • Support and involvement from senior leadership is key • Aggressive PII compliance spot checks with corrective action taken are very effective • Reduce the use, display and storage of all PII whenever possible • Mark all documents containing PII with FOUO Privacy Sensitive warning. • Ensure shared drive access permissions are established and routinely checked • Special care must be taken when moving, closing or consolidating offices that handle PII • Paper documents and hard drive disposal methods must be better defined and tightly controlled • A command records management program with records disposal schedule is an effective tool for reducing PII • Campaign continuously to increase PII awareness
Some final thoughts… • Penalties under the Privacy Act • Revision of SECNAV 5211.5E needed • Re-look transfer of DON PA and FOIA under DON CIO • Doncio.navy.mil web site is a great privacy resource: • FAQs, PIA Gouge, Breach Reporting Forms, Credit Monitoring Info, Privacy Reading List, Table Of Consequences, Posters, Tips of the Month • PII Info Alert
DON Privacy Points of Contact • DON CIO Privacy Office – 703 614 5987 • CHINFO Web Privacy – 703 695 1887 • DON Privacy Act (PA) Manager – 703 685 6545 • HQMC ARSF PA Manager – 703 614 4008 • HQMC C4 PIAs – 703 693 3490