DEPARTMENT OF THE NAVY CHIEF INFORMATION OFFICER

Safeguarding Personally Identifiable Information (PII)
Steve Muck, DON CIO
11 February 2014

Agenda

§ Introduction
§ The PII breach process, trends, metrics and impact
§ Phases of the DON SSN Reduction Plan
§ Use of the DoD ID Number
§ Handling PII in the office
§ Your PII responsibilities
§ PIAs and SORNs
§ What’s new in the DON?
§ Helpful Links

Definition of Personally Identifiable Information (PII)

PII: “…information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a SSN; age; rank; grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical and financial information.”
~ DoD Memo, 21 Sep 07

High and Low Risk PII

Considered “low risk” PII: business related PII; releasable under FOIA or authorized use under DON policy
§ Job title
§ Pay grade
§ Office phone number
§ Office address
§ Office email address *
§ Full name
§ DoD ID / EDIPI
§ DoD Benefits number

* Cautionary note: growing problem with email phishing

“High risk” PII: may cause harm to an individual if lost/compromised
§ Financial information – bank account #, credit card #, bank routing #
§ Medical data – diagnoses, treatment, medical history
§ Full or truncated Social Security number
§ Place and date of birth
§ Mother’s maiden name
§ Passport #
§ Numerous low risk PII elements aggregated and linked to a name

DON Breach Reporting Process

Discovery of a loss or suspected loss/compromise of PII. The CMD must have a written breach process.

Within 1 hour: CMD reports the loss of PII to DON CIO using OPNAV form 5211/13 and takes action to mitigate potential risk.
– Send a breach report even if not sure a breach has occurred.
– If Government auth credit cards are lost/stolen, the bank must be notified immediately.
– Forms can be found on the DON CIO website.

Within 24 hours: DON CIO reports the PII breach to DoD.

Within 48 hours: DON CIO determines the level of risk and notifies the CMD if written notification is required. Risk is assessed as either “high” or “low” by considering:
– Sensitivity of the PII
– Extent of exposure to individuals without a need to know
– Means by which the PII was lost, stolen or compromised
– Potential embarrassment that could be caused
– Context
If PHI is involved, the Defense Health Agency will assess risk and respond. PII found during CMD spot checks mitigates risk.

Within 10 days of the breach report date: if written notification is required, CMD must send letters to affected personnel. A sample letter can be found on the DON CIO website.

NLT 30 days after discovery: CMD submits an After Action Report to DON CIO. If applicable, include actions taken to address accountability, the date letters were mailed, and lessons learned.

Identity Theft/Fraud Trends

§ The Bureau of Justice Statistics (BJS) reports ~7% of adults (12 million) were victims of ID fraud in 2012
§ Government documents/benefits fraud (46%) most common, credit card 13% (Source: FTC)
§ 1 in 4 data breach victims became ID fraud victims (Source: Javelin Strategy & Research)
§ 1 victim every 3 seconds (Source: Javelin Strategy & Research)
§ Miami/Ft Lauderdale had the highest incidence of identity fraud in 2012 (Source: FTC)
§ 3 out of every 5 victims did not know the source of their fraud (Source: Javelin Strategy & Research)
§ 85% of cases involved use of existing accounts such as credit card or bank accounts (Source: BJS)
§ 29% of victims spent a month or more resolving credit problems (Source: BJS)
§ Individuals who had their SSN stolen were 5 times more likely to be a fraud victim than the average person (Source: Javelin Strategy & Research)
§ “Friendly Fraud”: 1 in 7 ID thieves were known by their victims (Source: Javelin Strategy & Research)
§ >50% of victims detected fraud using financial alerts, credit monitoring, or by monitoring their own accounts (Source: Javelin Strategy & Research)
§ ID fraud of children and deceased people is a growing problem

Breach Statistics

                                 FY 2011    FY 2012    FY 2013    FY 2014
Number Impacted                  1,118/mo   1,780/mo
Number of “high risk” breaches   19.5/mo    17.3/mo

(The FY 2013 and FY 2014 figures were presented as a chart and did not survive extraction.)

DON High Risk Breach Causes, Jan 2014

(Chart only; no data survived extraction.)

PII Breaches with the Greatest Impact

§ Hackers attacking public facing web sites
§ No file access controls to shared drive files
§ Sending unencrypted email with attachments
§ Mishandling Combined Federal Campaign forms
§ Mishandling rosters containing Social Security Numbers

Some good news:
– The NMCI hard drive disposal process is working, zero discrepancies
– A consistent reduction in breaches involving:
  • FAXing of PII
  • Insider threat / curiosity
  • Car and home theft/break-in involving recruiter documentation
  • Dumpster diving and abandoned files

Handling PII in the Office…

§ FAX machine
§ Copier
§ Email
§ Mail
§ Spreadsheets, electronic lists, memos, rosters
§ Hard copy storage
§ Shared drive
§ Collecting PII from DON CIO employees
§ FOUO privacy marking
§ Disposal

Your Privacy Responsibilities

§ Safeguard PII to prevent unauthorized disclosure
§ Report a breach/suspected breach to your supervisor
§ Take annual PII awareness training
§ Encrypt and digitally sign all email with PII
§ Never store PII on a personal computer
§ Collect only the minimum amount of PII to do your job
§ Wherever possible, eliminate the use of Social Security Numbers
§ Dispose of PII so that it is unrecognizable
§ Never view a person’s PII out of curiosity or to “help out” a coworker

DON SSN Reduction Plan

§ Phase 1 – Review and justify continued use/collection of SSNs in official Navy/Marine Corps forms
§ Phase 2 – Review and justify continued use/collection of SSNs in Navy/Marine Corps IT systems
§ Phase 3 – Continue to safeguard and reduce the use of the SSN
  – The last four digits of the SSN are now “sensitive” PII
  – Where possible, substitute the Electronic Data Interchange Personal Identifier (EDIPI)/DoD ID number for the SSN in forms and IT systems
  – All letters, memoranda, spreadsheets, electronic and hard copy lists and surveys must meet the acceptable use criteria (1 Oct ’15)
  – DON is prohibited from collecting the SSN in rosters
  – DON may not transmit the SSN via FAX if a more secure method is available
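As an added illustration of the Phase 3 rules (this is example code, not part of the DON CIO presentation or any DON tool), the following Python script scans a roster export for the two SSN forms the plan treats as sensitive, the full SSN and the last four digits, and distinguishes them from the EDIPI/DoD ID that the deck classes as low risk. The column-header patterns, the sample rows and the risk labels are assumptions made for the example; the roster contents are constructed.

```python
"""Flag SSN-shaped values in a roster/spreadsheet export (added example, not DON CIO code).

Following the SSN reduction plan: a full SSN and its last four digits are both
sensitive ("high risk") PII and may not be collected in rosters, while the
EDIPI/DoD ID is low-risk PII that can be substituted for the SSN.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Full SSN: 3-2-4 digits, optionally separated by '-' or ' '. Checked in every
# column, since an SSN typed into a "Notes" cell is just as exposed as one in
# an "SSN" column.
FULL_SSN = re.compile(r"^\d{3}[- ]?\d{2}[- ]?\d{4}$")
# Assumed header patterns (an example convention, not a DON standard).
SSN_HEADER = re.compile(r"ssn|social|last ?4|last ?four", re.IGNORECASE)
DODID_HEADER = re.compile(r"edipi|dod ?id", re.IGNORECASE)

# Constructed sample roster; every identifier below is made up for the example.
SAMPLE_ROSTER = """Name,Rank,SSN,Last4,EDIPI,Office Phone
A. Sailor,E-5,123-45-6789,,1234567890,703-555-0100
B. Marine,O-3,,6789,1234567891,703-555-0101
C. Civilian,GS-12,,,1234567892,703-555-0102
"""


@dataclass
class Finding:
    row: int        # 1-based line in the file (row 1 is the header)
    column: str
    kind: str       # "full_ssn", "truncated_ssn" or "dod_id"
    risk: str       # "high" or "low", following the deck's high/low split


def scan_roster(csv_text: str) -> list[Finding]:
    """Return one Finding per cell that holds a full SSN, a last-4, or a DoD ID."""
    findings: list[Finding] = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row, record in enumerate(reader, start=2):
        for column, value in record.items():
            value = (value or "").strip()
            if not value:
                continue
            if FULL_SSN.match(value):
                findings.append(Finding(row, column, "full_ssn", "high"))
            elif SSN_HEADER.search(column) and re.fullmatch(r"\d{4}", value):
                findings.append(Finding(row, column, "truncated_ssn", "high"))
            elif DODID_HEADER.search(column) and re.fullmatch(r"\d{10}", value):
                findings.append(Finding(row, column, "dod_id", "low"))
    return findings


def risk_summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings by risk level; any 'high' count means the roster breaks the no-SSN rule."""
    summary = {"high": 0, "low": 0}
    for f in findings:
        summary[f.risk] += 1
    return summary


def columns_to_remove(findings: list[Finding]) -> set[str]:
    """Columns carrying high-risk values: drop them or replace them with the DoD ID."""
    return {f.column for f in findings if f.risk == "high"}


if __name__ == "__main__":
    found = scan_roster(SAMPLE_ROSTER)
    for f in found:
        print(f"row {f.row:>2}  {f.column:<12} {f.kind:<14} {f.risk}")
    print("summary:", risk_summary(found))
    print("remove or replace:", sorted(columns_to_remove(found)))
```

Run against the constructed roster, the script reports the full SSN in row 2 and the last-4 in row 3 as high risk (the two columns that would have to go before the roster meets the acceptable use criteria) and the three EDIPI values as low risk. The full-SSN check is deliberately applied to every column, not only those with an SSN-like header, so a value pasted into the wrong field is still caught; the last-4 check needs the header as context because four bare digits are not otherwise recognisable.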

DON Guidelines for Use of the DoD ID

§ Presence or knowledge of an individual’s DoD ID alone shall be considered as no more significant than presence or knowledge of that individual’s name.
§ The EDIPI/DoD ID by itself or with name is considered PII. However, it is considered internal government ops related PII (like work phone #, job title) and low risk. No breach if lost, stolen or compromised.
§ The DoD ID shall only be used for DoD business purposes.
§ The DoD ID may not be shared with other federal agencies unless a DoD/DON approved MOU is used.
§ Hand-out provided

Official DON/DoD Forms

§ Goal is to reduce the collection of the SSN and to eliminate the use of “bogus” forms.
§ An official form has:
  – Form title (e.g., “PII Breach Report”)
  – Form number (e.g., OPNAV 5211/13)
  – Date form created or last updated
  – If the form collects PII directly from the individual, a Privacy Act Statement (PAS) is required: authority, purpose, routine use(s), disclosure
§ If the form has pre-populated PII and does not collect from the individual, it may not have a PAS
§ Contact the forms manager if a form appears to be bogus/unofficial

FAXING SSNs and Other PII is a Bad Idea

§ Faxing is one of the most non-secure means to transmit data
  – Uses non-secure phone lines
  – Easy to send to the wrong person/wrong FAX number
  – Copy of transmission often left on the machine
  – Recipient may not immediately pick up the document, exposing PII to others without a need to know
§ Use an alternative
  – Send encrypted/digitally signed email
  – Use Safe Access File Exchange (SAFE)
  – Use the United States Postal Service

What’s New in the DON?

§ Launched new PII refresher training course on NKO/TWMS
§ Insourced privacy contractor position to Government
§ DON FOIA policy and oversight moved to DON CIO
§ Implemented FOIAonline, enterprise e-FOIA tool
§ New PIA guidance requiring an approved PIA with the C&A package
§ New FAX guidance: do not FAX PII if there is a better alternative
§ Draft SECNAV 5211.5E “DON Privacy Program” in progress
§ New DON CIO web section for identity theft

Privacy Impact Assessments (PIAs)

A Privacy Impact Assessment (PIA) is an analysis of how information is handled to:
§ Ensure handling conforms to applicable legal, regulatory, and policy requirements
§ Determine the risks and effects of collecting, using, maintaining, and disseminating PII in an electronic information system, and
§ Mitigate potential privacy risks
– OMB 03-22 (9/26/2003), EGOV 208(b)

PIAs

A PIA is required when PII is collected from:
§ Existing information systems and electronic collections where a PIA has not previously been completed and that collect PII about Federal personnel and contractors
§ New information systems or electronic collections:
  – Prior to developing or purchasing; and
  – When converting paper records to electronic systems.

When a PIA is not required

A PIA is not required when the information system or electronic collection:
§ Does not collect, maintain or disseminate personal identifying information
§ Is a National Security System (including systems that process classified information)

System of Records Notices (SORNs)

What is a SORN?
§ A SORN is a public notice of an agency’s intent to collect and retrieve PII in a SOR
§ SORNs include:
  – The safeguards that will be applied to the system
  – The who, what, why, and where of the system
  – Processes for access and correction of records
§ A SORN must be published in the Federal Register before a system can begin to collect PII

PIA/SORN Crosswalk

Privacy Impact Assessment (PIA) / System of Record Notice (SORN) Essential Elements Crosswalk

PIA                                                             SORN
What privacy information is collected                           Categories of Records in the System
Why the information is collected                                Authority/Purpose(s)
What uses are intended for the information                      Purpose(s)
With whom the information is shared                             Routine Uses
What opportunities individuals have to decline to provide PII   Privacy Act Statement/Notification procedure
How information is secured                                      Safeguards
What privacy risks need to be addressed                         Narrative Statement/Probable or potential effects on the privacy of individuals
Whether a System of Records Notice (SORN) exists                (Not applicable)

Helpful Links

§ Email encryption tools: http://www.doncio.navy.mil/ContentView.aspx?id=3658
§ Secure Access File Exchange: http://www.doncio.navy.mil/Products.aspx?ID=3544
§ Ways to find your DoD ID number: http://www.doncio.navy.mil/ContentView.aspx?id=3792

DON Privacy POCs

STEVE MUCK, DON CIO Compliance Branch Head
Phone: (703) 695-1297   Email: steven.muck@navy.mil

STEVE DAUGHETY, DON CIO Privacy Lead
Phone: (703) 602-6393   Email: steve.daughety1@navy.mil

LADONNE WHITE, HQMC ARSF SORN/PA Analyst
Phone: (571) 256-9042   Email: ladonne.white@hqmc.mil

ROBIN PATTERSON, OPNAV DNS-36, DON Privacy Act Program Manager
Phone: (202) 685-6545   Email: robin.patterson@navy.mil

STEPHANIE CLEARWATER, HQMC C4 Cyber Security Division, PII/PIA Analyst
Phone: (571) 256-8868   Email: stephanie.clearwater@hqmc.mil

CRYSTAL MANLEY, OPNAV DNS-36
Phone: (202) 685-6533   Email: crystal.manley.ctr@navy.mil

BARBARA FIGUEROA, DON Forms Manager (DNS-51)
Phone: (202) 433-2835   Email: barbara.figueroa@navy.mil

www.doncio.navy.mil/privacy

BACKUP SLIDES

Acceptable Uses of the SSN

§ Law Enforcement, National Security, Credentialing
§ Security Clearance Investigation or Verification
§ Interactions with Financial Institutions
§ Confirmation of Employment Eligibility
§ Administration of Federal Worker’s Compensation
§ Federal Taxpayer Identification Number
§ Computer Matching
§ Foreign Travel
§ Geneva Conventions Serial Number
§ Noncombatant Evacuation Operations
§ Legacy System Interface
§ Operational Necessity
§ Other Cases (with specified documentation)