The personally identifiable information of the Navy chief information officer has been compromised, again. And this isn't just the second, third, fourth or even fifth time Robert Carey's PII has been exposed; it is the sixth.
Notification of the fifth and sixth instances occurred almost concurrently, shortly before the holidays. The last compromise involved information maintained by the Army, which Carey hasn't worked for in 24 years.
"Needless to say, privacy - the protection of PII and the elimination of PII compromises - is a burning passion of mine," Carey wrote in his blog, adding:
"Privacy protections are connected to (even subsets of) the greater information security domain. They are very specific components with very specific processes. While we are starting to inculcate an awareness of information security/privacy into Departmental culture, we all need to understand that privacy-related information requires special handling and must be treated as confidential information. Additionally, accountability - at all levels of the workforce to include commanders, commanding officers and civilian leaders - is key."
To ensure privacy, according to his blog, Carey's Navy and Marine Corps team has taken the following steps in 2009:
- Work on a plan to remove/reduce reliance on Social Security numbers in the Navy/Marine Corps systems and processes.
- The undersecretary of the Navy designated Carey as the senior military component official for privacy. This alignment's aim is to assist the CIO organization in providing enhanced privacy program support to the Navy and Marine Corps team. The Navy CIO will provide strategy, policy and oversight, while the Navy and Marine Corps will continue to execute the privacy program components.
- An update to the Navy Department's privacy program instruction is underway and will clarify and strengthen portions of the current instruction as well as illustrate the alignment of the secretariat, Navy and Marine Corps team. Carey said his team expects to publish this update in the spring. Policy is also being written to address the disposal of hard drives through physical destruction, which will guarantee that sensitive privacy data cannot be compromised.
- Future breaches resulting from human error must have consequences. Leadership should evaluate each breach and determine how best to shape human behavior, beginning with consequences for not following the rules. This will be addressed in the new policy.
- The CIO office is working to develop a more robust set of interactive training materials to further entrench privacy protection awareness and accountability in departmental culture.
- Rollout of a data-at-rest encryption solution: This technology should mitigate the potential impact of the loss of PII, and is being implemented for those on the Navy-Marine Corps Intranet. Other networks must press on with this implementation, Carey said.
- The CIO team has designed and deployed a back-to-basics approach to enhance awareness and educate department personnel about privacy using posters, a PII users guide and privacy tips and FAQs on the Navy CIO website.
"In today's information age, PII must be treated with extreme care because unauthorized access to someone's digital identity can and does cause grave consequences."