
1 DEPARTMENT OF THE NAVY CHIEF INFORMATION OFFICER
Safeguarding Personally Identifiable Information (PII)
Steve Muck, DON CIO
11 February 2014

2 Agenda
• Introduction
• The PII breach process, trends, metrics and impact
• Phases of the DON SSN Reduction Plan
• Use of the DoD ID Number
• Handling PII in the office
• Your PII responsibilities
• PIAs and SORNs
• What's new in the DON?
• Helpful Links

3 Definition of Personally Identifiable Information (PII)
PII: "...information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a SSN; age; rank; grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical and financial information." ~ DoD Memo, 21 Sep 07

4 High and Low Risk PII
"High risk" PII: may cause harm to an individual if lost/compromised
• Financial information: bank account #, credit card #, bank routing #
• Medical data: diagnoses, treatment, medical history
• Full or truncated Social Security number
• Place and date of birth
• Mother's maiden name
• Passport #
• Numerous low risk PII elements aggregated and linked to a name
Considered "low risk" PII: business related PII; releasable under FOIA or authorized for use under DON policy
• Job title
• Pay grade
• Office phone number
• Office address
• Office email address *
• Full name
• DoD ID / EDIPI
• DoD Benefits number
* Cautionary note: growing problem with email phishing

5 DON Breach Reporting Process
Discovery of a loss or suspected loss/compromise of PII:
• Within 1 hour, the command (CMD) reports the loss of PII to DON CIO using OPNAV form 5211/13 and takes action to mitigate potential risk. Send the breach report even if you are not sure a breach has occurred.
• Within 24 hours, DON CIO determines the level of risk and notifies the CMD whether written notification is required. Risk is assessed as either "high" or "low" by weighing:
– Sensitivity of the PII
– Extent of exposure to individuals without a need to know
– Means by which the PII was lost, stolen or compromised
– Potential embarrassment that could be caused
– Context
If PHI is involved, the Defense Health Agency will assess risk and respond.
• Within 48 hours, DON CIO reports the PII breach to DoD.
• If written notification is required, the CMD must send letters to affected personnel within 10 days of the breach report date. A sample letter can be found on the DON CIO website.
• The CMD submits an After Action Report to DON CIO NLT 30 days after discovery. If applicable, include actions taken to address accountability, the date letters were mailed, and lessons learned.
Notes: the CMD must have a written breach process. If Government authorized credit cards are lost/stolen, notify the bank immediately. Forms can be found on the DON CIO website. PII found during CMD spot checks mitigates risk.

6 Identity Theft/Fraud Trends
• The Bureau of Justice Statistics (BJS) reports ~7% of adults (12 million) were victims of ID fraud in 2012
• Government documents/benefits fraud (46%) most common, credit card 13% (Source: FTC)
• 1 in 4 data breach victims became ID fraud victims (Source: Javelin Strategy & Research)
• 1 victim every 3 seconds (Source: Javelin Strategy & Research)
• Miami/Ft Lauderdale had the highest incidence of identity fraud in 2012 (Source: FTC)
• 3 out of every 5 victims did not know the source of their fraud (Source: Javelin Strategy & Research)
• 85% of cases involved use of existing accounts such as credit card or bank accounts (Source: BJS)
• 29% of victims spent a month or more resolving credit problems (Source: BJS)
• Individuals who had their SSN stolen were 5 times more likely to be a fraud victim than the average person (Source: Javelin Strategy & Research)
• "Friendly fraud": 1 in 7 ID thieves were known by their victims (Source: Javelin Strategy & Research)
• >50% of victims detected fraud using financial alerts, credit monitoring, or by monitoring their own accounts (Source: Javelin Strategy & Research)
• ID fraud of children and deceased people is a growing problem

7 Breach Statistics
(Chart: number of individuals impacted per month and number of "high risk" breaches per month, FY 2011 through FY 2014. Figures shown on the chart: 1,118/mo, 1,780/mo, 19.5/mo, 17.3/mo; the chart itself is not reproduced in the transcript.)

8 DON High Risk Breach Causes
(Chart, Jan 2014; not reproduced in the transcript.)

9 PII Breaches with the Greatest Impact
• Hackers attacking public facing web sites
• No file access controls on shared drive files
• Sending unencrypted email with attachments
• Mishandling Combined Federal Campaign forms
• Mishandling rosters containing Social Security Numbers
• Some good news:
– The NMCI hard drive disposal process is working, zero discrepancies
– A consistent reduction in breaches involving:
  • FAXing of PII
  • Insider threat/curiosity
  • Car and home theft/break-in involving recruiter documentation
  • Dumpster diving and abandoned files

10 Handling PII in the Office
• FAX machine
• Copier
• Email
• Mail
• Spreadsheets, electronic lists, memos, rosters
• Hard copy storage
• Shared drive
• Collecting PII from DON CIO employees
• FOUO privacy marking
• Disposal

11 Your Privacy Responsibilities
• Safeguard PII to prevent unauthorized disclosure
• Report a breach/suspected breach to your supervisor
• Take annual PII awareness training
• Encrypt and digitally sign all email with PII
• Never store PII on a personal computer
• Collect only the minimum amount of PII to do your job
• Wherever possible, eliminate the use of Social Security Numbers
• Dispose of PII so that it is unrecognizable
• Never view a person's PII out of curiosity or to "help out" a coworker

12 DON SSN Reduction Plan
• Phase 1: Review and justify continued use/collection of SSNs in official Navy/Marine Corps forms
• Phase 2: Review and justify continued use/collection of SSNs in Navy/Marine Corps IT systems
• Phase 3: Continue to safeguard and reduce the use of the SSN
– The last four digits of the SSN are now "sensitive" PII
– Where possible, substitute the Electronic Data Interchange Personal Identifier (EDIPI)/DoD ID number for the SSN in forms and IT systems
– All letters, memoranda, spreadsheets, electronic and hard copy lists and surveys must meet the acceptable use criteria (1 Oct '15)
– DON is prohibited from collecting the SSN in rosters
– DON may not transmit the SSN via FAX if a more secure method is available
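The spot checks that slide 5 credits with mitigating risk, and the roster and shared-drive problems slides 9, 10 and 12 describe, come down to finding SSNs in files before someone outside the need-to-know does. The scanner below is an added example written for this page, not DON CIO tooling: the roster lines are constructed, the SSA structural rules it applies (areas 000, 666 and 900-999, group 00 and serial 0000 are never issued) are real, and the masking of reported values is an assumed reporting convention so that the spot-check report does not itself become a new exposure. It flags full SSNs, bare nine-digit numbers that pass the structural rules, "last four" fragments (sensitive PII under Phase 3 above) and a roster that carries an SSN column at all.

```python
"""Spot-check scanner for Social Security Numbers in roster/spreadsheet exports.

Added example for this page, not DON CIO tooling. Flags full SSNs, bare
nine-digit numbers that pass SSA structural rules, "last four" fragments
(sensitive PII under the DON SSN Reduction Plan) and roster columns that
collect the SSN at all. Reported values are masked (assumed convention) so
the spot-check report does not itself become a new PII exposure.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample roster, as a spot check might find it on a shared drive.
# Every name, number and phone here is made up for the example.
SAMPLE_ROSTER = [
    "Last,First,Rank,SSN,Office Phone",
    "Doe,Jane,LT,123-45-6789,(703) 555-0100",
    "Roe,Richard,CDR,456789012,(703) 555-0101",
    "Smith,Alex,PO1,000-12-3456,(703) 555-0102",        # area 000: never issued
    "Jones,Pat,CPT,SSN last four: 6789,(703) 555-0103",
    "Lee,Sam,SSgt,DoD ID 1234567890,(703) 555-0104",    # 10-digit EDIPI, low risk
    "Kim,Max,ENS,DOB 2014-02-11,(703) 555-0105",        # a date, not an SSN
]

# Hyphenated SSN; word boundaries keep phone numbers and dates out.
FULL_SSN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Exactly nine digits not embedded in a longer digit run (e.g. a 10-digit EDIPI).
BARE_NINE = re.compile(r"(?<![\d-])(\d{3})(\d{2})(\d{4})(?![\d-])")
# "SSN last four: 6789" or "last 4 of SSN 6789"; truncated SSNs are still sensitive.
LAST_FOUR = re.compile(
    r"(?:ssn|social security)\W{0,3}last\s*(?:four|4)\W{0,5}(\d{4})\b"
    r"|last\s*(?:four|4)\s*(?:of\s+)?(?:ssn|social security)\W{0,5}(\d{4})\b",
    re.IGNORECASE,
)
SSN_COLUMN_NAMES = {"ssn", "social security number", "social security no"}


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line within the scanned file
    kind: str      # ssn_column | ssn_full | ssn_bare | ssn_last4
    value: str     # masked match, never the full SSN


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    nor are group 00 and serial 0000. Cuts false positives on random digits."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def mask(digits: str) -> str:
    """Keep only the last two digits so a finding can be matched to a record
    without re-exposing the number (assumed reporting convention)."""
    return "X" * (len(digits) - 2) + digits[-2:]


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Scan CSV-style lines; returns findings in line order."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        # A roster with an SSN column at all is a finding: DON is prohibited
        # from collecting the SSN in rosters.
        fields = {f.strip().lower() for f in line.split(",")}
        if fields & SSN_COLUMN_NAMES:
            findings.append(Finding(n, "ssn_column", line.strip()))
        for m in FULL_SSN.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(n, "ssn_full", mask("".join(m.groups()))))
        for m in BARE_NINE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(n, "ssn_bare", mask("".join(m.groups()))))
        for m in LAST_FOUR.finditer(line):
            findings.append(Finding(n, "ssn_last4", mask(m.group(1) or m.group(2))))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts per finding kind, for the spot-check write-up."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_lines(SAMPLE_ROSTER)
    for f in results:
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print(summarize(results))
```

On the constructed roster this yields four findings: the SSN column in the header, the hyphenated SSN on line 2, the bare nine-digit number on line 3 and the "last four" fragment on line 5; the 000-area number, the ten-digit DoD ID and the date are ignored. A bare nine-digit match is lower confidence than a hyphenated one (it could be an account or document number), so a report should say which kind each finding is rather than treating them alike.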

13 DON Guidelines for Use of the DoD ID
• Presence or knowledge of an individual's DoD ID alone shall be considered as no more significant than presence or knowledge of that individual's name.
• The EDIPI/DoD ID by itself or with a name is considered PII. However, it is considered internal government ops related PII (like work phone #, job title) and low risk. No breach if lost, stolen or compromised.
• The DoD ID shall only be used for DoD business purposes.
• The DoD ID may not be shared with other federal agencies unless a DoD/DON approved MOU is used.
• Hand-out provided

14 Official DON/DoD Forms
• Goal is to reduce the collection of the SSN and to eliminate the use of "bogus" forms.
• An official form has:
– Form title (e.g., "PII Breach Report")
– Form number (e.g., OPNAV 5211/13)
– Date form created or last updated
– If the form collects PII directly from the individual, a Privacy Act Statement (PAS) is required: authority, purpose, routine use(s), disclosure
• If the form has pre-populated PII and does not collect from the individual, it may not have a PAS
• Contact the forms manager if a form appears to be bogus/unofficial

15 FAXING SSNs and Other PII is a Bad Idea
• Faxing is one of the least secure means of transmitting data
– Uses non-secure phone lines
– Easy to send to the wrong person/wrong FAX number
– A copy of the transmission is often left on the machine
– The recipient may not immediately pick up the document, exposing PII to others without a need to know
• Use an alternative
– Send encrypted/digitally signed email
– Use Safe Access File Exchange (SAFE)
– Use the United States Postal Service

16 What's New in the DON?
• Launched new PII refresher training course on NKO/TWMS
• Insourced privacy contractor position to Government
• DON FOIA policy and oversight moved to DON CIO
• Implemented FOIAonline, enterprise e-FOIA tool
• New PIA guidance requiring approved PIA with C&A package
• New FAX guidance: do not FAX PII if there is a better alternative
• Draft SECNAV 5211.5E "DON Privacy Program" in progress
• New DON CIO web section for identity theft

17 Privacy Impact Assessments (PIAs)
A Privacy Impact Assessment (PIA) is an analysis of how information is handled to:
• Ensure handling conforms to applicable legal, regulatory, and policy requirements
• Determine the risks and effects of collecting, using, maintaining, and disseminating PII in an electronic information system, and
• Mitigate potential privacy risks
~ OMB M-03-22 (9/26/2003), E-Government Act Section 208(b)

18 PIAs
A PIA is required when PII is collected by:
• Existing information systems and electronic collections where a PIA has not previously been completed and that collect PII about Federal personnel and contractors
• New information systems or electronic collections:
– Prior to developing or purchasing; and
– When converting paper records to electronic systems.

19 When a PIA is Not Required
A PIA is not required when the information system or electronic collection:
• Does not collect, maintain or disseminate personal identifying information
• Is a National Security System (including systems that process classified information)

20 System of Records Notices (SORNs)
What is a SORN?
• A SORN is a public notice of an agency's intent to collect and retrieve PII in a System of Records (SOR)
• SORNs include:
– The safeguards that will be applied to the system
– The who, what, why, and where of the system
– Processes for access and correction of records
• A SORN must be published in the Federal Register before a system can begin to collect PII

21 PIA/SORN Crosswalk
Privacy Impact Assessment (PIA) / System of Records Notice (SORN) Essential Elements Crosswalk

| PIA                                                            | SORN                                                                            |
|----------------------------------------------------------------|---------------------------------------------------------------------------------|
| What privacy information is collected                          | Categories of Records in the System                                             |
| Why the information is collected                               | Authority/Purpose(s)                                                            |
| What uses are intended for the information                     | Purpose(s)                                                                      |
| With whom the information is shared                            | Routine Uses                                                                    |
| What opportunities individuals have to decline to provide PII  | Privacy Act Statement/Notification procedure                                    |
| How information is secured                                     | Safeguards                                                                      |
| What privacy risks need to be addressed                        | Narrative Statement/Probable or potential effects on the privacy of individuals |
| Whether a System of Records Notice (SORN) exists               | (Not applicable)                                                                |

22 Helpful Links
• Email encryption tools: http://www.doncio.navy.mil/ContentView.aspx?id=3658
• Safe Access File Exchange (SAFE): http://www.doncio.navy.mil/Products.aspx?ID=3544
• Ways to find your DoD ID number: http://www.doncio.navy.mil/ContentView.aspx?id=3792

23 DON Privacy POCs
• STEVE MUCK, DON CIO Compliance Branch Head. Phone: (703) 695-1297. Email: steven.muck@navy.mil
• STEVE DAUGHETY, DON CIO Privacy Lead. Phone: (703) 602-6393. Email: steve.daughety1@navy.mil
• ROBIN PATTERSON, OPNAV DNS-36, DON Privacy Act Program Manager. Phone: (202) 685-6545. Email: robin.patterson@navy.mil
• CRYSTAL MANLEY, OPNAV DNS-36. Phone: (202) 685-6533. Email: crystal.manley.ctr@navy.mil
• STEPHANIE CLEARWATER, HQMC C4 Cyber Security Division, PII/PIA Analyst. Phone: (571) 256-8868. Email: stephanie.clearwater@hqmc.mil
• BARBARA FIGUEROA, DON Forms Manager (DNS-51). Phone: (202) 433-2835. Email: barbara.figueroa@navy.mil
• LADONNE WHITE, HQMC ARSF, SORN/PA Analyst. Phone: (571) 256-9042. Email: ladonne.white@hqmc.mil
www.doncio.navy.mil/privacy

24 BACKUP SLIDES

25 Acceptable Uses of the SSN
• Law Enforcement, National Security, Credentialing
• Security Clearance Investigation or Verification
• Interactions with Financial Institutions
• Confirmation of Employment Eligibility
• Administration of Federal Worker's Compensation
• Federal Taxpayer Identification Number
• Computer Matching
• Foreign Travel
• Geneva Conventions Serial Number
• Noncombatant Evacuation Operations
• Legacy System Interface
• Operational Necessity
• Other Cases (with specified documentation)
