Navy Shares Lessons Learned from PII Breach
A Navy support contractor was recently reported to have improperly handled personally identifiable information (PII). As a learning exercise, the Navy CIO office has recounted the event to help prevent future instances.
As they said on Dragnet, the names have been changed to protect the innocent, but the details below are factual and based on reports sent to the DON Chief Information Officer Privacy Office.
From the report:
A contractor working on a contractor-owned and operated information technology system sent an email to 10 recipients, including four government personnel and six contractors, with an attached list of unique Social Security numbers from the IT system to be used for testing and further processing. The list did not contain data elements that could uniquely link the SSNs to individuals. The recipients did not have a “need to know” and the sender had never completed the annual PII training course. The email was not digitally signed and did not carry the “For Official Use Only (FOUO)” privacy warning. The IT system was registered in the Department of Defense IT Portfolio Repository-Department of the Navy (DITPR-DON), had an approved privacy impact assessment (PIA), and accurately reflected that it collected PII.
Approximately two hours after the email was sent, a DON recipient sent an email asking the nine other recipients to delete the email immediately, purge file copies, and reply with an email confirmation. The DON CIO Privacy Office was contacted a short time after the action was taken.
The DON CIO Privacy Office advised that an SSN by itself may or may not constitute a high-risk breach; context is the determining factor. In this case, the SSNs were contained in a Microsoft Excel file, with one SSN (without dashes) per data cell and no other information in the file. Therefore, the SSNs could not be linked to an individual. Accordingly, the DON CIO determined that notifications to the personnel whose SSNs were emailed were not required.
While this breach was considered low risk to affected personnel, it could easily have been determined to be high risk if there had been a linkage between the SSN and a person’s name.
- DON support contractors who handle PII must receive annual PII training.
- DON support contractors must comply with all privacy protections under the Privacy Act when handling PII.
- Contractor-owned or maintained IT systems under contract to the DON must be registered in the DITPR-DON.
- There are many IT systems that are contractor owned or operated, and contracts between the commercial vendor and the DON must contain two specific contract clauses from Federal Acquisition Regulation (FAR) 52.224-2 as noted on the next page.
Additional Lessons Learned
- Real/live PII data should never be used to test or evaluate a new or altered IT system.
- PII should only be disclosed to those who have a need to know in the performance of their official duties.
- All electronic or paper copy documents and attachments containing PII must be marked with the following: FOR OFFICIAL USE ONLY – PRIVACY SENSITIVE: Any misuse or unauthorized disclosure of this information may result in both criminal and civil penalties. Refer to Secretary of the Navy (SECNAV) Instruction 5211.5E.
- Emails containing PII must be digitally signed.
- Emails containing 25 or more PII records must be encrypted using WinZip or another authorized DON enterprise solution. Refer to DON CIO message DTG 171952Z APR 07: “Safeguarding Personally Identifiable Information.”
- Data collected and/or disseminated in separate data calls may not be PII on its own, but becomes PII when combined with other data elements, such as SSNs in one data call and names in a separate data call. Put together, data calls containing privacy data may result in a PII breach.