Navy Day Privacy Presentation 15 August 2011
Objectives
• Understand the cause and effect of mishandling PII.
• Define “PII”, “Sensitive” and “Non-Sensitive PII”, and a “PII breach”.
• Appreciate the scope of the DON PII breach problem.
• Understand the different phases of the DON SSN Reduction Plan and the impact you can make.
• Know how to handle PII in the office.
• Understand your responsibilities with regard to PII.
Personally Identifiable Information (PII) Definition
“…information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a SSN; age; rank; grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical and financial information.” (DoD Memo, 21 Sep 07)
High and Low Risk PII
“High risk” PII, which may cause harm to an individual if lost or compromised:
• Financial information: bank account #, credit card #, bank routing #
• Medical data: diagnoses, treatment, medical history
• Full or truncated Social Security number
• Place and date of birth
• Mother’s maiden name
• Passport #
• Numerous low-risk PII elements aggregated and linked to a name
Business-related PII, all releasable under FOIA or authorized for use under DON policy and considered “low risk”:
• Job title
• Pay grade
• Office phone number
• Office address
• Office email address
• Full name*
* Cautionary note: even low-risk elements such as a full name with office contact details feed targeted email phishing, a growing problem.
PII Breaches
• A breach is defined by the Office of Management & Budget as: “A known or suspected loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic”.
• Reporting is required when a known or suspected loss, theft or compromise of PII occurs:
  • Use OPNAV Form 5211/13 to make initial and follow-up reports
  • Send to US-CERT (United States Computer Emergency Readiness Team) within 1 hour of discovering that a breach has occurred
  • To the DON CIO Privacy Office within 1 hour
  • To the Defense Privacy Office
  • To the Navy, USMC or BUMED chain of command, as applicable
• The DON CIO Privacy Office will determine within 1 working day the need to notify affected personnel, weighing the risk of harm.
• Within 24 hours, provide the DON CIO with a follow-up report.
• Within 30 days, provide the DON CIO with lessons learned using OPNAV 5211/14.
Identity Fraud
• The FTC reports that 7M+ U.S. adults experienced ID fraud in 2010
• In 2005: 1.8M cases of new-account fraud; 6.5M cases of existing-account fraud
• Crimes are still more often offline than online, but thieves are becoming more organized and sophisticated
• Risk is greatest when the information was stolen by someone targeting the data, e.g. a hacker or burglar. The insider threat is growing
• “Friendly fraud”: 1 in 7 ID thieves were known to the victim
• SSNs with full name are “the most valuable commodities for an identity thief.” Sources: old public records, the internet, old official DoD photos
• Phishing attacks aimed at ID theft affect all of us
  • Banks, PayPal, bogus job offers
• Social media scams are on the rise, e.g. the “Grandparent Scam”
• ID fraud against children and deceased people is a growing problem
• Most banks offer zero liability for consumer credit card theft; only 44% of major banks offer the same protection for debit card transactions, and 33% for ATM withdrawals
• The average consumer cost of ID fraud involving a debit card is $795.00
DON PII High Risk Breach Statistics by Number of Breaches (chart; “high risk” PII which may cause harm to an individual if lost or compromised)
DON PII High Risk Breach Statistics by Number Impacted (chart)
DON High Risk Breach Causes, July 2011 (chart)
High Interest DON Breaches
• Used Navy-owned copiers erroneously sold before their hard drives were sanitized. The error was realized before the copiers were received by the new owner, and they were recovered by DON. They contained PII and other sensitive information. Sep 09
• Unencrypted laptop stolen/missing from a Naval pharmacy, containing SSNs and patient names. Aug 09
• Employee downloaded PII to an unencrypted CD, transferred to a new command, lost the CD soon after arriving and filed a breach report. Oct 09
• Sailor and his civilian girlfriend were allegedly attempting to steal the identities of multiple staff members. Several staff members had complained about attempts being made to take out credit in their names. Jan 10
• PO2 sold PII of service members to a group who created bogus tax returns. All returns were mailed to the same address! Apr 10
• Laptops stolen as part of a “tech refresh” process. Some had data-at-rest (DAR) encryption, some did not. Sep 10
DON SSN Reduction Plan
GOAL: Significantly reduce the use, display, collection, dissemination or storage of SSNs across the DON.
• Phase 1 – review and justify continued use/collection of SSNs in official Navy/Marine Corps forms. Eliminate all unofficial forms!
• Phase 2 – review and justify continued use/collection of SSNs in Navy/Marine Corps Information Technology (IT) systems.
• Phase 3 – where the SSN is justified, replace it with another unique identifier (e.g. the Electronic Data Interchange Personal Identifier (EDIPI)/DoD ID number). Additionally, reduce the use of the SSN in surveys, electronic collections, spreadsheets, email and hard-copy lists.
• Challenges:
  • Many forms and IT systems interface with DON but are not controlled by DON.
  • Elimination/substitution of the SSN will incur unfunded program costs.
  • DoD must provide guidance on the use of the EDIPI; without controls, we create another SSN.
  • How do you enforce the limited use of the SSN in email, memos and spreadsheets?
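The last challenge above, spotting SSNs that leak into email, memos and spreadsheets, is usually answered with a content scan. The following is an added example written for this page, not DON tooling or anything from the presentation. It assumes the Social Security Administration's structural rules (area numbers 000, 666 and 900-999, group 00 and serial 0000 are never issued), which cut down false positives from phone numbers, dates and other nine-digit values, and it runs over a constructed sample text. Because the slide treats a truncated SSN as high risk too, the redaction removes all nine digits rather than leaving the last four; finding a bare four-digit fragment on its own is not attempted.

```python
"""Scan free text (email bodies, memo text, exported spreadsheet cells) for
Social Security numbers, then flag or redact them.  Illustrative example only;
it is not the DON's own tooling."""

from __future__ import annotations

import re
from dataclasses import dataclass

# Dashed (123-45-6789) or bare nine-digit (123456789) candidates.  The
# lookarounds keep a match from landing inside a longer digit run, such as a
# ten-digit DoD ID number, or inside a hyphenated phone number.
_DASHED = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
_BARE = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")


@dataclass
class Finding:
    line_no: int
    text: str
    plausible: bool  # True when the value passes the SSA structural rules
    reason: str


def structurally_valid(area: str, group: str, serial: str) -> tuple[bool, str]:
    """SSA never issues these combinations, so a candidate that hits one is
    not an SSN (assumption stated in the lead-in; fixed-width strings, so a
    string comparison on the area is safe)."""
    if area == "000":
        return False, "area 000"
    if area == "666":
        return False, "area 666"
    if area >= "900":
        return False, "area 900-999"
    if group == "00":
        return False, "group 00"
    if serial == "0000":
        return False, "serial 0000"
    return True, "ok"


def find_ssns(text: str) -> list[Finding]:
    """Return every candidate, marking which ones are plausible SSNs."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern in (_DASHED, _BARE):
            for m in pattern.finditer(line):
                ok, why = structurally_valid(*m.groups())
                findings.append(Finding(line_no, m.group(0), ok, why))
    return findings


def redact_ssns(text: str) -> str:
    """Replace plausible SSNs with a marker; all nine digits go, because a
    truncated SSN is still high-risk PII."""

    def _sub(m: re.Match[str]) -> str:
        ok, _ = structurally_valid(*m.groups())
        return "[SSN REMOVED]" if ok else m.group(0)

    return _BARE.sub(_sub, _DASHED.sub(_sub, text))


# Constructed sample text for the demonstration (not real data).
SAMPLE = """\
Subject: travel claim for SSN 123-45-6789, please process
member id 219099999 on the roster, no dashes
office phone 703-695-1297 is not an SSN
not issuable: 666-12-3456 000-12-3456 987-00-1234 123-45-0000
EDIPI 1234567890 replaces the SSN on the new form
"""

if __name__ == "__main__":
    for f in find_ssns(SAMPLE):
        status = "SSN" if f.plausible else f"rejected ({f.reason})"
        print(f"line {f.line_no}: {f.text} -> {status}")
    print(redact_ssns(SAMPLE))
```

Running the block on the sample reports the two plausible values (the dashed one on line 1 and the bare one on line 2), rejects the four non-issuable forms on line 4 with the rule each one broke, and ignores the office phone number and the ten-digit EDIPI. The same scan dropped into a mail gateway or a shared-drive sweep gives a measurable answer to "are SSNs still in our email and spreadsheets?", which is the enforcement question Phase 3 raises.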
Acceptable SSN Uses
• Law Enforcement, National Security, Credentialing
• Security Clearance Investigation or Verification
• Interactions With Financial Institutions
• Confirmation of Employment Eligibility
• Administration of Federal Worker’s Compensation
• Federal Taxpayer Identification Number
• Computer Matching
• Foreign Travel
• Geneva Conventions Serial Number
• Noncombatant Evacuation Operations
• Legacy System Interface
• Operational Necessity
• Other Cases (with specified documentation)
Official DON/DoD Forms
An official form carries:
• A form title (e.g. “PII Breach Report”)
• A form number (e.g. OPNAV 5211/13)
• The date the form was created or last updated
• If the form collects PII directly from the individual, a Privacy Act Statement (PAS) is required
  • Authority, purpose, routine use(s), disclosure
• If the form has pre-populated PII and does not collect it from the individual, it may not have a PAS
• Contact your forms manager if a form appears to be unofficial
Privacy Lessons Learned
• Get support and involvement from senior leadership
• Conduct and document PII compliance spot checks with corrective action
• Eliminate/reduce the use, display and storage of all PII whenever possible
• Mark all documents containing PII with the FOUO Privacy Sensitive warning
• Ensure shared-drive access permissions are established and routinely checked
• Plan office moves, office closings and office consolidations
• Scrutinize employees/contractors who have access to PII
• Control paper document and hard drive disposal processes
• Develop a records management program
• Campaign continuously to increase PII awareness
Handling PII in the office…
• FAX machine
• Working at your computer
• Copier
• Email
• Mail
• Telephone
• Hard copy storage
• Shared drive
• Collecting PII from DON CIO employees
• FOUO privacy marking
• Disposal
Your responsibilities…you must
• Safeguard PII to prevent unauthorized disclosure
• Report a breach/suspected breach to your supervisor
• Take annual PII awareness training
• Encrypt and digitally sign all email containing PII
• Never store PII on a personal computer
• Collect only the minimum amount of PII needed to do your job
• Wherever possible, eliminate the use of the SSN
• Dispose of PII so that it is unrecognizable
• Never view a person’s PII out of curiosity or to “help out” a coworker
What Lies Ahead in FY 12?
• New annual privacy training
• Stronger accountability measures for mishandling PII
• New breach reporting form
• FOIA policy and oversight moving to DON CIO
• Implement Phase 3 of the SSN Reduction Plan
• Complete efficiency review of DON Privacy and FOIA programs
• Update SECNAV 5211.5E “DON Privacy Program”
DON Privacy POCs
• STEVE MUCK, DON CIO, DON Privacy Team Lead. Phone: (703) 695-1297. Email: steven.muck@navy.mil
• ROBIN PATTERSON, OPNAV DNS-36, DON Privacy Act Program Manager. Phone: (202) 685-6545. Email: robin.patterson@navy.mil
• SAM YOUSEF, HQMC C4 Cyber Security Division, PII/PIA Analyst. Phone: (571) 256-8876. Email: sam.yousefzadeh@hqmc.mil
• STEVE DAUGHETY, DON CIO. Phone: (703) 602-6393. Email: steve.daughety1.ctr@navy.mil
• LAURIE SOMERS, HQMC. Phone: (703) 6614-2951. Email: laurie.somers@hqmc.mil
• DEBORAH CONTAOI, OPNAV DNS-36. Phone: (202) 685-6546. Email: teri.contaoi.ctr@navy.mil
• BARBARA FIGUEROA, DON Forms Manager (DNS 51). Phone: (202) 433-2835. Email: barbara.figueroa@navy.mil
www.doncio.navy.mil/privacy