Military Overuses PII Raises ID Theft Risk

Report: Uninformed, Cavalier Culture Limits Efforts to Curb PII Use

By , December 8, 2010.
The military's use of Social Security numbers and other forms of personally identifiable information, such as birth dates, places service members at a higher risk of identity theft than the population at large, and efforts to limit their use are meeting resistance from an "uninformed, sometimes cavalier" military culture.

That's the thrust of a paper written by four senior Army officers and West Point faculty members, entitled The Military's Cultural Disregard for Personal Information, which appears on the website of Small Wars Journal.

"In an era when an individual's Social Security number and date of birth have become the keys to identity theft, the ubiquitous use of the Social Security number by the military services is reckless," the paper says. "The problem is compounded by an uninformed, sometimes cavalier, culture and attitude surrounding the protection of PII that is common in the military."

In an interview, one of the paper's authors addresses the ubiquity of Social Security numbers in military life. "We use the Social Security number in every aspect, both mundane and sensitive," Lt. Col. Gregory Conti says. "We use the Social Security number as an identifier and as a password. Children 10 years old and up have a military ID card with their sponsor's Social Security number on it. It's in every facet of our lives. It's in our recycling bins. We shout it out in formation; we thumbtack it to bulletin boards. It's everywhere, so we're courting disaster in how we use it."

Most senior military leaders understand the harm of exposing PII and have taken steps to limit its use, but a significant disconnect exists between high-level policy and a culture that promotes use of personally identifiable information, the paper says. "As a result," the authors write, "the military services lag a decade or more behind best practices found in other sectors of government, industry, and academia in the proper use and handling of PII.

"While positive progress has been made by the services, such progress is slow, ad-hoc, frequently ignored, and overshadowed by the common usage of the Social Security number as a way of tracking and identifying individuals. The systemic leakage of personal information in day to day operations, and a pervasive attitude of disregard for personal privacy is unsettling. Such issues are not tolerated outside the military - the time for substantive change within the military has arrived."

This problem is magnified for military personnel deployed to Afghanistan and Iraq, where much damage could occur without their knowledge, placing additional stress on already strained families back home, the paper says. And, the authors write, identity theft that uses PII occurs after death, creating immense problems for surviving family members.

The paper lists a dozen examples of the military's misuse of PII (see Dozen Misuses of PII in the Military). It also enumerates six common misconceptions - myths, in the words of the authors - about how the military protects and employs personal information:

  1. Military data does not spill,
  2. Birth date and SSN cannot be guessed,
  3. Last 4 numbers of SSN are safe to use as a secret or public identifier,
  4. The Privacy Act will protect privacy,
  5. Individual efforts to fix systemic problems will likely succeed, and
  6. People will follow confusing and unenforced policy and procedures.

Some progress on limiting overuse of PII has been made: Service members and their families no longer must write their Social Security numbers on checks, and promotion lists no longer contain SSNs. And the military routinely wipes all data from hard drives before disposal. But the underlying problem remains, and the authors offer these recommendations:

    Broadly Employ a Service Number System, Protect the SSN: "The biggest step, and we believe the most important, is for the Department of Defense to discontinue the use of the Social Security number, whether as a 'secret' password or unique identifier, and institute a service number system."

    Better Understand the Problem: "These insights will yield an understanding of what is being done well and what is being done poorly and will help focus subsequent efforts."

    Change Culture and Raise Awareness: Empower officials to "find and recommend fixes to local policies and procedures that could lead to the abuse of PII, much like unit intelligence officers are empowered to enforce rules that keep classified data secure."

Follow Eric Chabrow on Twitter: @GovInfoSecurity
