Department of the Navy Privacy Issues - PowerPoint PPT Presentation

Slides: 28
Provided by: publicNav7
Transcript and Presenter's Notes

1
Department of the Navy Privacy Issues
  • A few weeks ago, I received a letter from the
    Commanding Officer of my Navy Operational Support
    Center. While I am no stranger to trouble, I
    still wondered what had warranted such a letter.
    Much to my chagrin, it was sent to notify me that
    (for the fifth time) my PII had been compromised.
    And just this past week, I received a letter from
    the Army -- an organization I have not worked for
    in 24 years -- notifying me that my PII had been
    compromised (for the sixth time). Needless to
    say, privacy -- the protection of PII and the
    elimination of PII compromises -- is a burning
    passion of mine. -- Rob Carey, DON CIO, Jan 10

2
Agenda
  • My HR Assumptions
  • DON Privacy Update
  • Definitions
  • Recent PII Breaches
  • PII Breach Trends
  • Phishing
  • Social Media
  • SSNs: A Perfect Storm
  • Purpose and Background Of SSN Reduction Plan
  • Acceptable SSN Uses
  • DON SSN Reduction Plan (DRAFT)
  • Privacy Lessons Learned
  • Final thoughts

3
My HR Assumptions
  • You handle, store, transmit significant PII in a
    variety of functional areas
  • Use of the SSN in many of your processes is
    absolutely critical
  • Your processes are heavily reliant on official
    forms and the use of IT systems
  • Use of unofficial forms for convenience and
    expediency is probably very high
  • HR professionals serve 200K people in locations
    around the world
  • The likelihood of a loss or compromise of privacy
    sensitive information is higher than average
  • You have volumes of paper and electronic records
    that exceed prescribed storage times

4
Privacy Update
  • DON CIO designated as Senior Military Component
    Official for Privacy (SMCOP)
  • Roles and Responsibilities
  • Oversee the Department's Privacy Program.
  • Oversee the Department's implementation of the
    Privacy Act.
  • Lead policy oversight and coordination in the
    Department's development and evaluation of policy
    proposals.
  • Ensure the Services are responsible and
    accountable for implementation of information
    privacy protections.
  • Ensure the Services take appropriate steps to
    protect personal information.
  • Oversee the Department's compliance efforts.
  • Ensure the Services take appropriate steps to
    provide the Department's employees with
    appropriate privacy training.

5
Privacy Update
  • SMCOP has directed:
  • Amend SECNAV 5211.5E to reflect SMCOP roles
  • Memo to senior DON leadership from SECNAV
  • Accelerate Data at Rest (DAR) implementation
  • Explore use of Data Loss Prevention (DLP)
    software
  • Implement DON SSN reduction plan
  • Update privacy training modules
  • Tie network logon to completion of annual PII
    training
  • Explore use of identity theft protection (credit
    monitoring)

6
Update - Civil Liberties
  • Implementing Recommendations of the 9/11
    Commission Act of 2007, PL 110-53 - Government has a
    solemn obligation to protect the legal rights of
    all Americans including freedoms, civil liberties
    and privacy.
  • Select Federal Agencies must create CL Offices
  • DoD directs components to designate a CLO
  • OGC felt DON CIO was best suited to assume the CL
    duties
  • Examples: Guantanamo detention, military police
    conduct, military voting
  • Roles and Responsibilities of the Civil Liberties
    Office include:
  • Develop and lead an assessment team to determine
    any civil liberties issues and/or concerns within
    DON
  • Develop implementing policy and guidance
    consistent with DoD
  • Ensure DON-wide basic CL training is completed
    annually and promote awareness
  • Receive, investigate, and respond to CL
    complaints from the field
  • Monitor general compliance; submit quarterly
    reports
  • Challenges:
  • New office with little/no experience and no
    resources
  • Close tie with Privacy Act

7
Personally Identifiable Information
(PII) Definition
  • PII Definition: information about an
    individual that identifies, links, relates, or is
    unique to, or describes him or her, e.g., SSN,
    age, rank, grade, marital status, race, salary,
    home/office phone numbers, other demographic,
    biometric, personnel, medical and financial
    information. (DoD Memo, 21 Sep 07)

8
Sensitive and Non-Sensitive PII
  • Sensitive PII: PII which may cause harm to an
    individual if lost/compromised
  • Financial information - bank account, credit
    card and bank routing numbers
  • Medical data - diagnoses, treatment, medical
    history
  • Full Social Security Number
  • NSPS/Personnel ratings and pay pool information
  • Place and date of birth
  • Mother's maiden name
  • Passport number
  • Numerous low-risk PII elements aggregated and
    linked to a name
  • Non-Sensitive PII: all authorized for use under
    DON policy and considered low risk
  • Badge number
  • Job title
  • Pay grade
  • Office phone number
  • Office address
  • Office email address
  • Lineal numbers
  • Full name
  • Cautionary note: growing problem with email
    phishing

9
PII Breaches
  • A breach is defined by the Office of Management
    and Budget as:
  • A loss of control, compromise, unauthorized
    disclosure, unauthorized acquisition,
    unauthorized access, or any similar term
    referring to situations where persons other than
    authorized users and for an other than authorized
    purpose have access or potential access to
    personally identifiable information, whether
    physical or electronic
  • Reporting required when a known or suspected
    loss, theft or compromise of PII occurs
  • Use OPNAV Form 5211/13 to make initial and follow
    up reports
  • Send to US-CERT within 1 hour of discovering a
    breach has occurred (United States-Computer
    Emergency Readiness Team)
  • To the DON CIO Privacy Office within 1 hour
  • To the Defense Privacy Office
  • To Navy, USMC, BUMED chain of command, as
    applicable
  • DON CIO Privacy Office will determine within 1
    working day the need to notify affected personnel
    - weigh risk of identity fraud.
  • Within 24 hours provide DON CIO a follow-up report.
  • Within 30 days provide DON CIO lessons learned.

10
The Cost of A PII Breach
  • The most significant cost to an organization
    results from lost confidence and trust by our
    sailors, marines, government civilians and public
  • For a company, that translates into customer
    turnover and loss of brand equity
  • For DON, it impacts employee morale, ability to
    recruit new hires and job satisfaction
  • Potential class action lawsuits and/or criminal
    prosecution
  • Mailings, call center costs and credit monitoring
  • Expenses associated with identity theft

11
Recent Breaches
  • Used Navy copiers erroneously sold before hard
    drives sanitized. Error realized before copiers
    were received by new owner and recovered by DON.
    Contained PII and other sensitive info. Sep 09
  • Unencrypted laptop stolen/missing from Naval
    pharmacy containing SSNs and patient names. Aug
    09
  • Employee downloaded PII to unencrypted CD,
    transferred to new command, soon after arriving
    lost the CD and filed a breach report. Oct 09.
  • Sailor and his civilian girlfriend were allegedly
    attempting to steal the identity of multiple
    staff members. Several staff members had
    complained about attempts being made to take out
    credit in their names. Jan 10
  • PO2 sold PII of service members to group who
    created bogus tax returns. Felony charges
    pending, investigation ongoing. Apr 10
  • "At Navy, Sluggish Response to Data Breach",
    title of a 2 Apr 10 Washington Post article.
    Potential compromise of PII reported by command
    May 08, DON CIO directed notification letters be
    sent, command responded 17 months later.

12
PII Breach Media (chart)
  • Must have tight controls/permissions
  • Improving, but it only takes one
  • Still #1
13
PII Breach Media (chart)
  • Sent to recipients without a need to know /
    unencrypted.
  • What happens to the digital images when a copier
    is turned in?
14
Breach Causes (chart)
15
Type of PII Lost, Stolen or Compromised (chart):
SOCIAL SECURITY NUMBER
16
Phishing
  • Phishing is the process of attempting to acquire
    sensitive information such as usernames, passwords
    or financial account details by masquerading as a
    trustworthy entity in an electronic communication.
  • This is a growing activity within the DON.
  • They generally ask you to click a link back to a
    spoof web site. Doing so could subject you to the
    installation of key logging software or viruses.
  • They use fear to motivate you to respond: "your
    account has been temporarily suspended due to
    recent fraudulent activity, we need you to verify
    your account information".
  • Never open emails from unknown sources or
    institutions soliciting:
  • Passwords
  • Credit card information
  • ATM/Debit Card number
  • Social Security Number
  • Bank/financial account number
  • If in doubt about the validity of the email, call
    their customer service number.
  • Notify your network administrator. For NMCI go to
    https://www.homeport.navy.mil/support/articles/report-spam-phishing/

17
http://www.facebook.com/video/video.php?v=141629337756&ref=share
http://www.cnn.com/video/#/video/tech/2009/11/17/meserve.online.privacy.cnn
18
Responsible and Effective Use of Social Media
  • Directive-Type Memorandum (DTM) 09-026,
    "Responsible and Effective Use of Internet-based
    Capabilities", 25 Feb 10
  • Effective immediately, the DTM states that the
    default for the DoD non-classified network (the
    NIPRNET) is open access so that all of DoD
    can use new media
  • Directs open and consistent access across the
    board
  • Commanders at all levels and heads of DoD
    components will continue to keep networks safe
    from malicious activity and take actions, as
    required, to safeguard missions
  • Service members and DoD employees are welcome and
    encouraged to use new media to communicate with
    family and friends at home stations or deployed,
    but do it safely
  • For more info go to http://socialmedia.dod.gov
  • Implementation guidance is in development
  • SNS sites, web mail, etc.

19
SSNs: A Perfect Storm (word cloud of contributing
factors): Human error, Budget and resources, Changing
business processes, IT systems, Flash storage media,
Records management, Teleworking, DON culture, Hard
drives, Hackers, Blogs, Official and unofficial forms,
Disposal of storage media, Contractor services, Web
portals and shared drives, Spreadsheets, Insider
threat, Email, Malicious software, Data mining, DAR
encryption implementation
20
SSN Reduction Plan Background
  • In April 07, the President's Task Force on
    Identity Theft issued a strategic plan which
    required that every agency develop and implement
    a plan to reduce the unnecessary use of SSNs
  • This requirement was included also in OMB
    Memorandum M-07-16 of May 22, 07
  • Per the DoD Senior Privacy Official response to
    OMB, the DoD SSN Reduction Plan is required to be
    developed by April 08
  • The SSN Reduction Plan was developed by the SSN
    Reduction Tiger Team, under the auspices of the
    Identity Protection and Management Senior
    Coordination Group
  • DMDC took the lead in developing this plan,
    developed a Directive-Type Memo, still under
    review

GOAL: To reduce or eliminate the use, display,
collection, dissemination or storage of
SSNs across the DON.
21
Acceptable SSN Uses
DoD guidance lists 12 cases for acceptable uses of
SSNs (collection, use, or retention):
  • Geneva Conventions Serial Number (on a timeline to
    change/eliminate SSNs from ID cards)
  • Law Enforcement, National Security, and
    Credentialing
  • Security Clearance Investigation or Verification
  • Interactions with Financial Institutions
  • Confirmation of Employment Eligibility
  • Administration of Federal Workers Compensation
  • Federal Taxpayer Identification Number
  • Computer Matching
  • Foreign Travel
  • Noncombatant Evacuation Operations
  • Legacy System Interface
  • Other Cases (with specified documentation)
22
DRAFT DON SSN Reduction Plan
  • Phase 1 - focus on justifying continued
    use/collection of SSNs in official Navy/Marine
    Corps forms and IT systems.
  • Phase 2 - Where SSNs are still needed and where
    applicable, substitute the Electronic Data
    Interchange Personal Identifier (EDIPI).
  • Challenges:
  • DoD must provide guidance on the use of the EDIPI
    - it must have controls or we create another SSN.
  • Elimination of the SSN or substitution of the EDIPI
    for the SSN will incur unfunded program costs.

23
DRAFT SSN Reduction Plan for Forms
  • Catalog all official DON forms using NAVAL Forms
    Online.
  • Using SECNAV 5213/1 Jan 2010, each form that
    collects SSNs must provide written justification
    for continued use.
  • DON Forms Management Officers, consulting with
    Privacy Official, draft justifications for all
    forms that fall within their area of
    responsibility.
  • This includes DD/SD forms, component-wide forms,
    command forms and installation forms
  • All reviews must include
  • Copy of Privacy Act Statement
  • Copy of official form
  • Acceptable use (from list of 12). If "Other
    Cases" is used, the use must be described
  • Actions taken to truncate, hide or mask SSN
  • Statement regarding impact to business process if
    SSN were to be eliminated
  • Potential for SSN to be replaced with the EDIPI

24
DRAFT SSN Reduction Plan for IT Systems
  • Data fields in DITPR DON for IT systems with PII
    must be verified for accuracy
  • Does the system contain SSNs?
  • Acceptable use selection for SSNs completed?
  • Using SECNAV 5213/1 Jan 2010, each IT system
    that collects, maintains, uses or disseminates
    SSNs must have written justification for
    continued use.
  • System owner in consultation with Privacy
    Official completes
  • Justifications must include
  • Acceptable use (from list of 12). If "Other
    Cases" is used, the use must be described
  • Actions taken to truncate, hide or mask SSN
  • Statement regarding impact to business process if
    SSN were to be eliminated
  • Potential for SSN to be replaced with the EDIPI

25
Privacy Lessons Learned
  • Support and involvement from senior leadership is
    key
  • Aggressive PII compliance spot checks with
    corrective action taken are very effective
  • Reduce the use, display and storage of all PII
    whenever possible
  • Mark all documents containing PII with FOUO
    Privacy Sensitive warning.
  • Ensure shared drive access permissions are
    established and routinely checked
  • Special care must be taken when moving, closing
    or consolidating offices that handle PII
  • Paper documents and hard drive disposal methods
    must be better defined and tightly controlled
  • A command records management program with a records
    disposal schedule is an effective tool for
    reducing PII
  • Campaign continuously to increase PII awareness

26
Some final thoughts
  • Penalties under the Privacy Act
  • Revision of SECNAV 5211.5E needed
  • Re-look transfer of DON PA and FOIA under DON CIO
  • Doncio.navy.mil web site is a great privacy
    resource
  • FAQs, PIA Gouge, Breach Reporting Forms, Credit
    Monitoring Info, Privacy Reading List, Table Of
    Consequences, Posters, Tips of the Month
  • PII Info Alert

27
DON Privacy Points of Contact
  • DON CIO Privacy Office 703 614 5987
  • CHINFO Web Privacy 703 695 1887
  • DON Privacy Act (PA) Manager 703 685 6545
  • HQMC ARSF PA Manager 703 614 4008
  • HQMC C4 PIAs 703 693 3490