Safeguarding Personally Identifiable Information (PII)

It happens once every 4 seconds, thousands of times a day, millions of times a year: That’s how many times experts estimate there’s a phony charge made with a stolen credit card number. …and this kind of fraud is just a fraction of the identity theft problem!

Agenda
  • What’s New With DON Privacy?
  • Definitions
  • Elements of a Great Privacy Program
  • The Basics about Identity Theft
  • PII Breach Trends and Recent PII Breaches
  • Phishing
  • The DON SSN Reduction Plan
  • Top 10 Privacy Lessons Learned
  • Final thoughts…
  • Privacy POC’s
What’s New with DON Privacy?
  • New DON CIO, Terry Halvorsen, Senior Military Component Official for Privacy, oversees the DON Privacy Program
  • SSN Reduction Plan Phase I for Forms underway
  • DoD requirement to discontinue posting of the last four of the SSN to public-facing web sites (e.g. promotion messages)

What’s New Continued…
  • Hard Drive Disposal Policy Message
  • Hard Drive Disposal Poster
  • In chop, Draft Reduction of SSN Use in DoD Instruction
  • Jan-Mar 2011 CHIPS Magazine with SSN focus – available today
  • Consolidation of DON Privacy functions/offices under review
Personally Identifiable Information (PII) Definition

PII Definition: “…information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a SSN; age; rank; grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical and financial information.” DoD Memo 21 Sep 07

Sensitive and Non-Sensitive PII

Sensitive PII, which may cause harm to an individual if lost or compromised:
  • Financial information: bank account #, credit card #, bank routing #
  • Medical data: diagnoses, treatment, medical history
  • Full Social Security Number
  • NSPS/personnel ratings and pay pool information
  • Place and date of birth
  • Mother’s maiden name
  • Passport #
  • Numerous low-risk PII elements aggregated and linked to a name

Non-Sensitive PII, all authorized for use under DON policy and considered “low risk”:
  • Badge number
  • Job title
  • Pay grade
  • Office phone number
  • Office address
  • Office email address *
  • Lineal numbers
  • Full name

* Cautionary note: growing problem with email phishing
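The sensitive / non-sensitive split above, including the rule that many low-risk elements linked to a name become sensitive in aggregate, is easy to turn into a spot-check tool for the spreadsheet and recall-roster attachments the presentation later names as a breach trend. The following is an added example written for this page, not code from the presentation or from DON; the column names, the masked-SSN formats it recognises, the aggregation threshold of three elements, and the sample roster are all assumptions made here.

```python
"""Added example: classify rows of a recall-roster style CSV using the
sensitive / non-sensitive PII split from the slide. Column names, the
masked-SSN formats and the aggregation threshold are assumptions for this
example, not DON policy values."""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Assumed column names covering the slide's sensitive list.
SENSITIVE_FIELDS = {
    "ssn", "bank_account", "credit_card", "routing_number", "diagnosis",
    "medical_history", "passport", "date_of_birth", "place_of_birth",
    "mothers_maiden_name", "personnel_rating", "pay_pool",
}
# Assumed column names covering the slide's non-sensitive ("low risk") list.
LOW_RISK_FIELDS = {
    "full_name", "badge_number", "job_title", "pay_grade", "office_phone",
    "office_address", "office_email", "lineal_number",
}
# Assumption: this many low-risk elements linked to a name is "numerous",
# and the aggregate is treated as sensitive.
AGGREGATION_THRESHOLD = 3

# Nine digits with optional hyphens; the word boundaries keep a 10-digit
# phone number from matching.
FULL_SSN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
# Masked forms such as XXX-XX-1234 or ***-**-1234 carry only the last four.
LAST_FOUR = re.compile(r"(?:xxx-xx-|\*{3}-\*{2}-)\d{4}\b", re.IGNORECASE)

LEVELS = {"none": 0, "low-risk": 1, "sensitive": 2}


def higher(a: str, b: str) -> str:
    """The more restrictive of two classification levels."""
    return a if LEVELS[a] >= LEVELS[b] else b


def scan_text_for_ssn(text: str) -> Optional[str]:
    """Return 'full' for a complete SSN, 'last4' for a masked one, else None."""
    if FULL_SSN.search(text):
        return "full"
    if LAST_FOUR.search(text):
        return "last4"
    return None


def classify_record(record: Dict[str, str]) -> Tuple[str, List[str]]:
    """Classify one row. Column names are matched against the field sets and
    every cell is pattern-scanned too, so an SSN typed into a free-text
    'notes' column is still caught."""
    level = "none"
    reasons: List[str] = []
    filled = {k.strip().lower(): v.strip()
              for k, v in record.items() if k and v and v.strip()}

    for col, value in filled.items():
        hit = scan_text_for_ssn(value)
        if hit == "full":
            level = "sensitive"
            reasons.append(f"full SSN in column '{col}'")
        elif hit == "last4":
            level = higher(level, "low-risk")
            reasons.append(f"SSN last four in column '{col}' (keep off public-facing web sites)")

    for col in sorted(filled):
        if col in SENSITIVE_FIELDS and col != "ssn":   # SSN is handled by the scan above
            level = "sensitive"
            reasons.append(f"sensitive element '{col}' present")

    low_risk = sorted(c for c in filled if c in LOW_RISK_FIELDS)
    if "full_name" in low_risk and len(low_risk) >= AGGREGATION_THRESHOLD:
        level = "sensitive"
        reasons.append(f"{len(low_risk)} low-risk elements aggregated and linked to a name")
    elif low_risk:
        level = higher(level, "low-risk")
    return level, reasons


def required_handling(level: str) -> List[str]:
    """Handling the slides call for at each level."""
    if level == "sensitive":
        return ["mark FOUO - Privacy Sensitive",
                "encrypt before sending by email or copying to removable media",
                "distribute only to recipients with a need to know"]
    if level == "low-risk":
        return ["authorized use under DON policy; do not post SSN last four to public-facing web sites"]
    return []


def scan_roster(csv_text: str) -> Dict:
    """Classify every row and roll up to a document-level verdict."""
    findings = []
    doc_level = "none"
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        level, reasons = classify_record(row)
        findings.append({"line": line_no, "level": level, "reasons": reasons})
        doc_level = higher(doc_level, level)
    return {"document_level": doc_level,
            "handling": required_handling(doc_level),
            "rows": findings}


# Constructed sample roster; names, numbers and addresses are made up.
SAMPLE_ROSTER = """full_name,pay_grade,office_phone,office_email,ssn,notes
Jane Doe,E-5,703-555-0100,jane.doe@example.mil,123-45-6789,
John Roe,O-3,,,XXX-XX-4321,
Pat Lee,E-4,,,,call before 0900
Sam Kim,E-6,703-555-0199,sam.kim@example.mil,,
"""

if __name__ == "__main__":
    report = scan_roster(SAMPLE_ROSTER)
    print("document level:", report["document_level"])
    for step in report["handling"]:
        print("  handling:", step)
    for row in report["rows"]:
        print(f"line {row['line']}: {row['level']} {row['reasons']}")
```

Run against the sample roster, the first row is sensitive because of the full SSN, the second and third are low risk (one has only the masked last four), and the fourth has no SSN at all but is still sensitive because four low-risk elements are linked to a name. That last case is the one a column-name-only check misses, and it is the reason the whole document ends up needing FOUO marking, encryption and need-to-know distribution.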
PII Breaches
  • A breach is defined by Office of Management & Budget as:

“A known or suspected loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic”

  • Reporting is required when a known or suspected loss, theft or compromise of PII occurs:
    • Use OPNAV Form 5211/13 to make initial and follow-up reports
    • Send the report:
      • To US-CERT (United States Computer Emergency Readiness Team) within 1 hour of discovering a breach has occurred
      • To the DON CIO Privacy Office within 1 hour
      • To the Defense Privacy Office
      • To Navy, USMC, BUMED chain of command, as applicable
  • DON CIO Privacy Office will determine within 1 working day the need to notify affected personnel, weighing the risk of identity fraud.
  • Within 24 hours provide DON CIO a follow-up report.
  • Within 30 days provide DON CIO lessons learned.
Seven Elements of a Great Privacy Program
  • Leadership
  • Risk Management and Compliance
  • Information Security
  • Incident Response
  • Notice and Redress for Individuals
  • Privacy Training and Awareness
  • Accountability
Information Security
  • Build security and privacy controls in early project development and all stages of lifecycle
  • Privacy and security programs are complementary – must work together
  • Information security must be a priority and message continually reinforced
  • Need to know
  • Take a “less is more” approach with PII collection
Incident Response
  • If your office handles PII, written procedures must be in place to:
    • Detect, report and respond to privacy incidents
  • Timely response and mitigation of risk are critical
  • The discovering contractor/vendor has an obligation to report the PII breach
  • The accountable vendor has the responsibility of working with DON command to notify affected personnel
  • Applying lessons learned is key
Privacy Training and Awareness
  • Training reinforces policy and best practices and helps create a privacy culture
  • All contractors under contract with DON must:
    • Require all employees to complete annual PII training
  • If responsible for causing a breach:
    • Proposed policy will require each individual to take PII Refresher training
Accountability
  • Take “Big stick” approach or do nothing?
    • Must be a balance
    • Focus on correcting human error and malicious intent
  • Ensure contracts include FAR PII language
  • Take corrective action where there are program deficiencies and follow up
  • Consider Identity theft protection
IDENTITY THEFT IS REAL!

Basic Facts About Identity Theft
  • FTC reports 8M+ of the U.S. adult population experienced ID theft in ’10; expect that to grow during economic decline. Most fraud costs are passed on to businesses.
  • In ’05: 1.8M cases of new account fraud; 6.5M cases of existing account fraud.
  • Account fraud only 23% of the problem!
  • Crimes are still more often offline (90%) than online.
  • Consumer controls 63% of potential ID theft problem; detects 47% of cases.
  • Risk is greatest when information was stolen by someone targeting the data e.g. hacker, burglar.
  • ½ of known ID thieves were known by victim; ¼ were dishonest employees.
  • Social Security numbers are “the most valuable commodity for an identity thief.” They can be obtained from public records for free or bought on the internet for $25 per SSN.
  • Phishing attacks aimed at ID theft a real and growing threat.
    • Banks, PayPal, bogus job offers
  • Generation X (25-34) highest fraud rate (5.4%); 65+ lowest.
  • ID theft of children and people who are deceased, a growing problem.
  • FYI, by law, consumer credit card liability is $50.00. Debit card liability is $50.00 if reported within 48 hrs and $500.00 if reported within 60 days; after 60 days you may lose all $’s in the account plus the overdraft amount!
ID Theft Trends

  • Arrest warrants issued in victims’ names due to financial crimes: 24% to 62% increase*
  • Fraudulent driver’s licenses: 16% to 32% increase*
  • Fraudulent employment: 13% to 41% increase*
  • Fraudulent tax refunds: 11% to 59% increase*
  • Received government assistance with victim’s information: 6% to 27% increase*
  • An additional 250,000 to 500,000 victims of medical identity theft reported each year*

These statistics represent the growth from 2006 to 2007.

*Information gathered by the IDTRC and Chicago Tribune

What Are the Fixes To Reduce ID Theft?

Must have a comprehensive, multi-faceted approach.

  • Reduce/eliminate the supply of SSNs and “high risk” PII available to thieves
    • Remove SSNs from all public records
    • Remove the SSN from DoD and DON forms, when possible
    • Reduce the display, storage and transmission of SSNs and PII
    • Improve data and personnel security
    • Create strict laws that make the sale of SSNs a crime
  • Reduce the demand for SSNs by minimizing their value to ID thieves.
    • Require/encourage adoption of more effective authentication procedures by financial institutions
    • Aggressively prosecute ID thieves
TRENDS and PATTERNS
  • Increase in number of “insider” caused breaches
  • Confirmed identity theft cases remain low
  • Rise in incidents involving recall roster and spreadsheet attachments sent via email and shared drive disclosures
  • Drop in incidents involving SSNs from 80% to 54% over the past 12 month period
  • Decrease in number of impacted personnel by 50% over the past 12 months
Recent Breaches
  • Used Navy copiers erroneously sold before hard drives sanitized. Error realized before copiers were received by new owner and recovered by DON. Contained PII and other sensitive info. Sep 09
  • Unencrypted laptop stolen/missing from Naval pharmacy containing SSNs and patient names. Aug 09
  • Employee downloaded PII to unencrypted CD, transferred to new command, soon after arriving lost the CD and filed a breach report. Oct 09.
  • Sailor and his civilian girlfriend were allegedly attempting to steal the identity of multiple staff members. Several staff members had complained about attempts being made to take out credit in their names. Jan 10
  • PO2 sold PII of service members to group who created bogus tax returns. All returns mailed to same address! Apr 10
  • Laptops stolen as part of “tech refresh” process. Some DAR protected, some not. Investigation ongoing. Sep 10
PII Breach Media

  • Must have tight controls/permissions
  • Improving, but it only takes one
  • Still #1

PII Breach Media (continued)

  • Sent to recipients “without a need to know” / unencrypted
  • What happens to the digital images when a copier is turned in?
Phishing

Phishing is the process of attempting to acquire sensitive information such as usernames, passwords or financial account details by masquerading as a trustworthy entity in an electronic communication.

This is a growing activity within the DON.

Perpetrators ask you to click a link back to a spoof web site. Doing so could subject you to the installation of key logging software or viruses.

They use fear to motivate you to respond – “your account has been temporarily suspended due to recent fraudulent activity, we need you to verify your account information…”

Never open emails from unknown sources or institutions soliciting:
  • Passwords
  • Credit card information
  • ATM/Debit card number
  • Social Security Number
  • Bank/financial account number

If in doubt about the validity of the email, call the institution’s customer service number.

Notify your network administrator. For NMCI go to: https://www.homeport.navy.mil/support/articles/report-spam-phishing/
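The three indicators this slide names (a link that goes somewhere other than where it appears to, fear wording such as the quoted “account suspended” text, and a request for passwords or account numbers) can be checked mechanically before a message is forwarded to the network administrator. Below is an added example written for this page; it is not code from the presentation, NMCI or DON. The two sample messages, their `.test` domains, the keyword lists and the two-indicator reporting threshold are all constructed for the example.

```python
"""Added example: score an email body for the phishing indicators named on
the slide (spoofed link, fear/urgency wording, request for account data).
The sample messages, domains, keyword lists and threshold are constructed
for this example and are not part of the original presentation."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Fear wording of the kind the slide quotes.
URGENCY = re.compile(r"suspended|fraudulent activity|verify your account|immediately", re.I)
# Data the slide says should never be supplied in reply to an email.
CREDENTIAL_ASK = re.compile(r"password|credit card|debit card|social security|account number", re.I)
# Visible link text that looks like a site name (e.g. www.example.test).
LOOKS_LIKE_HOST = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host: str) -> str:
    """Lower-cased hostname of a URL, or of bare text such as 'www.example.test'."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def assess_email(sender: str, html_body: str) -> Dict:
    """Return the indicators found and a verdict for one message."""
    indicators: List[str] = []
    collector = LinkCollector()
    collector.feed(html_body)
    sender_domain = sender.rsplit("@", 1)[-1].lower()

    for href, text in collector.links:
        link_host = host_of(href)
        # Visible text names one site while the href goes to another: a spoof link.
        if LOOKS_LIKE_HOST.match(text) and host_of(text) != link_host:
            indicators.append(f"link text '{text}' actually points to {link_host}")
        # Link host outside the sender's own domain.
        if link_host and not (link_host == sender_domain or link_host.endswith("." + sender_domain)):
            indicators.append(f"link host {link_host} is outside sender domain {sender_domain}")

    if URGENCY.search(html_body):
        indicators.append("fear/urgency wording")
    if CREDENTIAL_ASK.search(html_body):
        indicators.append("solicits passwords, card or account data")

    # Assumed threshold: two or more independent indicators flag the message for reporting.
    verdict = "report as suspected phishing" if len(indicators) >= 2 else "no strong indicators"
    return {"indicators": indicators, "verdict": verdict}


# Constructed samples; every domain uses the reserved .test TLD.
PHISH_SENDER = "alerts@examplebank-security.test"
PHISH_BODY = (
    "<p>Your account has been temporarily suspended due to recent fraudulent "
    "activity, we need you to verify your account information and password at "
    '<a href="http://login.examplebank-secure.test/verify">www.examplebank.test</a>.</p>'
)
BENIGN_SENDER = "it-help@example.test"
BENIGN_BODY = (
    "<p>Reminder: annual PII training is due this month. Course link: "
    '<a href="https://training.example.test/pii">training.example.test</a></p>'
)

if __name__ == "__main__":
    for sender, body in ((PHISH_SENDER, PHISH_BODY), (BENIGN_SENDER, BENIGN_BODY)):
        result = assess_email(sender, body)
        print(sender, "->", result["verdict"])
        for indicator in result["indicators"]:
            print("   ", indicator)
```

The constructed phishing message trips all four checks (spoofed link text, link host outside the sender’s domain, the slide’s “suspended … verify your account” wording, and a request for a password), while the training reminder trips none. Keyword matching of this kind is a triage aid, not a verdict: a message with no indicators should still be verified by calling the institution’s published number, as the slide says.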

SSNs: A PERFECT STORM

  • Human error
  • Budget and resources
  • Changing business processes
  • IT systems
  • Flash storage media
  • Records management
  • Teleworking
  • DON culture
  • Hard drives
  • Hackers
  • Blogs
  • Official and unofficial forms
  • Disposal of storage media
  • Contractor services
  • Web portals and shared drives
  • Spreadsheets
  • Insider threat
  • Email
  • Malicious software
  • Data mining
  • DAR encryption implementation

Acceptable SSN Uses

DoD guidance lists 12 cases for acceptable uses of SSNs (collection, use, or retention):

  • Geneva Conventions Serial Number (on a timeline to change/eliminate SSNs from ID cards)
  • Law Enforcement, National Security, and Credentialing
  • Security Clearance Investigation or Verification
  • Interactions with Financial Institutions
  • Confirmation of Employment Eligibility
  • Administration of Federal Worker’s Compensation
  • Federal Taxpayer Identification Number
  • Computer Matching
  • Foreign Travel
  • Noncombatant Evacuation Operations
  • Legacy System Interface
  • Other Cases (with specified documentation)

DRAFT DON SSN Reduction Plan

GOAL: Reduce or eliminate the use, display, collection, dissemination or storage of SSNs across the DON.

  • Phase 1 - focus on justifying continued use/collection of SSNs in official Navy/Marine Corps forms and IT systems.
  • Phase 2 – Where SSNs are still needed and where applicable, substitute using the Electronic Data Interchange Personal Identifier (EDIPI).
  • Challenges:
    • DoD must provide guidance on the use of the EDIPI; it must have controls or we create another SSN.
    • Elimination of the SSN or substituting the SSN for another identifier will incur unfunded program costs.
Privacy Lessons Learned
  • Support and involvement from senior leadership is key.
  • Aggressive PII compliance spot checks with corrective action taken are very effective.
  • Eliminate/Reduce the use, display and storage of all PII whenever possible.
  • Mark all documents containing PII with FOUO Privacy Sensitive warning.
  • Ensure shared drive access permissions are established and routinely checked.
  • Special care must be taken when moving, closing or consolidating offices that handle PII.
  • Closely scrutinize employees/contractors that have access to PII.
  • Paper documents and hard drive disposal methods must be better defined and tightly controlled.
  • A command records management program with a records disposal schedule is an effective tool for reducing PII.
  • Campaign continuously to increase PII awareness.
Some final thoughts…
  • Penalties under the Privacy Act apply to contractors
  • Revisions to the FAR under discussion
  • Consider credit monitoring for vendor caused breaches
  • Doncio.navy.mil web site is a great privacy resource:
    • FAQs, PIA Gouge, Breach Reporting Forms, Credit Monitoring Info, Privacy Reading List, Table Of Consequences, Posters, Tips of the Month
  • PII Info Alert
DON Privacy POCs

  • Steve Muck, DON CIO, DON Privacy Team Lead. Phone: (703) 601-0081. Email: steven.muck@navy.mil
  • Robin Patterson, OPNAV DNS-36, DON Privacy Act Program Manager. Phone: (202) 685-6545. Email: robin.patterson@navy.mil
  • Sam Yousef, HQMC C4 Cyber Security Division, PII/PIA Analyst. Phone: (571) 256-8876
  • Michelle Schmith, DON CIO. Phone: (703) 602-6110. Email: michelle.schmith@navy.mil
  • Deborah Contaoi, OPNAV DNS-36. Phone: (202) 685-6546. Email: teri.contaoi.ctr@navy.mil
  • Major Prasserth Yang, HQMC C4 Cyber Security Division, Identity Management Branch Head. Phone: (571) 256-8862. Email: prasserth.yang@usmc.mil
  • Steve Daughety, DON CIO. Phone: (703) 602-6393. Email: steve.daughety1.ctr@navy.mil