Safeguarding Personally Identifiable Information (PII)

Safeguarding Personally Identifiable Information (PII). - PowerPoint PPT Presentation

Marine Operations Today

Safeguarding Personally Identifiable Information (PII)

It happens once every 4 seconds, thousands of times a day, millions of times a year: that's how many times experts estimate there's a phony charge made with a stolen credit card number. And this kind of fraud is just a fraction of the identity theft problem!

Agenda
- What's New With DON Privacy?
- Definitions
- Elements of a Great Privacy Program
- The Basics about Identity Theft
- PII Breach Trends and Recent PII Breaches
- Phishing
- The DON SSN Reduction Plan
- Top 10 Privacy Lessons Learned
- Final thoughts
- Privacy POCs

What's New with DON Privacy?
- New DON CIO, Terry Halvorsen, Senior Military Component Official for Privacy, oversees the DON Privacy Program
- SSN Reduction Plan Phase I for Forms underway
- DoD requirement to discontinue posting of last four of SSN to public facing web sites (e.g. promotion messages)

What's New Continued
- Hard Drive Disposal Policy Message
- Hard Drive Disposal Poster
- In chop: Draft Reduction of SSN Use in DoD Instruction
- Jan-Mar 2011 CHIPS Magazine with SSN focus available today
- Consolidation of DON Privacy functions/offices under review

Privacy Awareness Posters

Personally Identifiable Information (PII) Definition

PII Definition: information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a SSN; age; rank; grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical and financial information. (DoD Memo 21 Sep 07)

Sensitive and Non-Sensitive PII

Sensitive PII, which may cause harm to an individual if lost/compromised:
- Financial information: bank account #, credit card #, bank routing #
- Medical data: diagnoses, treatment, medical history
- Full Social Security Number
- NSPS/Personnel ratings and pay pool information
- Place and date of birth
- Mother's maiden name
- Passport #
- Numerous low risk PII elements aggregated and linked to a name

Non-Sensitive PII, all authorized use under DON policy and considered low risk:
- Badge number
- Job title
- Pay grade
- Office phone number
- Office address
- Office email address *
- Lineal numbers
- Full name

* Cautionary note: growing problem with email phishing

PII Breaches

A breach is defined by the Office of Management & Budget as: a known or suspected loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.

Reporting is required when a known or suspected loss, theft or compromise of PII occurs:
- Use OPNAV Form 5211/13 to make initial and follow up reports
- Send to US-CERT (United States Computer Emergency Readiness Team) within 1 hour of discovering a breach has occurred
- To the DON CIO Privacy Office within 1 hour
- To the Defense Privacy Office
- To Navy, USMC, BUMED chain of command, as applicable
- DON CIO Privacy Office will determine within 1 working day the need to notify affected personnel, weighing the risk of identity fraud
- Within 24 hours provide DON CIO a follow up report
- Within 30 days provide DON CIO lessons learned

TEXT FROM US-CERT WEBSITE ON SOME COMMON SECURITY POLICY VIOLATIONS

In general, types of activity that are commonly recognized as being in violation of a typical security policy include but are not limited to:
- attempts (either failed or successful) to gain unauthorized access to a system or its data, including PII related incidents
- unwanted disruption or denial of service
- the unauthorized use of a system for processing or storing data
- changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent

We encourage you to report any activities that you feel meet the criteria for an incident. Note that our policy is to keep any information specific to your site confidential unless we receive your permission to release that information.

Seven Elements of a Great Privacy Program
- Leadership
- Risk Management and Compliance
- Information Security
- Incident Response
- Notice and Redress for Individuals
- Privacy Training and Awareness
- Accountability

Information Security
- Build security and privacy controls in early project development and at all stages of the lifecycle
- Privacy and security programs are complementary and must work together
- Information security must be a priority and the message continually reinforced
- Need to know
- Take a "less is more" approach with PII collection

Incident Response
- If your office handles PII, written procedures must be in place to detect, report and respond to privacy incidents
- Timely response and mitigation of risk are critical
- The discovering contractor/vendor has an obligation to report the PII breach
- The accountable vendor has the responsibility of working with the DON command to notify affected personnel
- Applying lessons learned is key

Privacy Training and Awareness
- Training reinforces policy and best practices and helps create a privacy culture
- All contractors under contract with DON must require all employees to complete annual PII training
- If responsible for causing a breach: proposed policy will require each individual to take PII Refresher training

Accountability
- Take a "big stick" approach or do nothing? Must be a balance
- Focus on correcting human error and malicious intent
- Ensure contracts include FAR PII language
- Take corrective action where there are program deficiencies and follow up
- Consider identity theft protection

IDENTITY THEFT IS REAL!

Basic Facts About Identity Theft
- FTC reports 8M+ of the U.S. adult population experienced ID theft in '10; expect to see that grow during the economic decline. Most fraud costs are passed to businesses.
- In '05: 1.8M cases of new account fraud; 6.5M cases of existing account fraud. Account fraud is only 23% of the problem!
- Crimes are still more often offline (90%) than online.
- Consumer controls 63% of the potential ID theft problem; detects 47% of cases.
- Risk is greatest when information was stolen by someone targeting the data, e.g. hacker, burglar. of known ID thieves were known by victim; were dishonest employees.
- Social Security numbers are "the most valuable commodity for an identity thief." Can be obtained from public records free or bought on the internet for $25 per SSN.
- Phishing attacks aimed at ID theft are a real and growing threat: banks, PayPal, bogus job offers.
- Generation X (25-34) has the highest fraud rate (5.4%); 65+ the lowest.
- ID theft of children and people who are deceased is a growing problem.
- FYI, by law, consumer credit card liability is $50.00; debit card is $50.00 if reported within 48 hrs, $500.00 if reported within 60 days; after 60 days you may lose all $s in the account plus the overdraft amount!

ID Theft Trends
- Arrest warrants issued in victims' names due to financial crimes: 24% to 62% increase *
- Fraudulent driver's licenses: 16% to 32% increase *
- Fraudulent employment: 13% to 41% increase *
- Fraudulent tax refunds: 11% to 59% increase *
- Received government assistance with victims' information: 6% to 27% increase *
- Additional 250,000 to 500,000 victims of medical identity theft reported each year *

These statistics represent the growth from 2006 to 2007. * Information gathered by the IDTRC and Chicago Tribune.

What Are the Fixes To Reduce ID Theft?

Must have a comprehensive, multi-faceted approach.
- Reduce/eliminate the supply of SSNs and high risk PII available to thieves
  - Remove SSNs from all public records
  - Remove the SSN from DoD and DON forms, when possible
  - Reduce the display, storage and transmission of SSNs and PII
  - Improve data and personnel security
  - Create strict laws that make the sale of SSNs a crime
- Reduce the demand for SSNs by minimizing their value to ID thieves
  - Require/encourage adoption of more effective authentication procedures by financial institutions
  - Aggressively prosecute ID thieves

TRENDS and PATTERNS
- Increase in number of insider caused breaches
- Confirmed identity theft cases remain low
- Rise in incidents involving recall roster and spreadsheet attachments sent via email and shared drive disclosures
- Drop in incidents involving SSNs from 80% to 54% over the past 12 month period
- Decrease in number of impacted personnel by 50% over the past 12 months

Recent Breaches
- Used Navy copiers erroneously sold before hard drives were sanitized. Error realized before copiers were received by the new owner and recovered by DON. Contained PII and other sensitive info. Sep 09
- Unencrypted laptop stolen/missing from Naval pharmacy containing SSNs and patient names. Aug 09
- Employee downloaded PII to an unencrypted CD, transferred to new command, soon after arriving lost the CD and filed a breach report. Oct 09
- Sailor and his civilian girlfriend were allegedly attempting to steal the identity of multiple staff members. Several staff members had complained about attempts being made to take out credit in their names. Jan 10
- PO2 sold PII of service members to a group who created bogus tax returns. All returns mailed to the same address! Apr 10
- Laptops stolen as part of tech refresh process. Some DAR protected, some not. Investigation ongoing. Sep 10

PII Breach Media
- Improving, but it only takes one
- Still #1
- Must have tight controls/permissions

PII Breach Media (continued)
- Sent to recipients without a need to know / unencrypted
- What happens to the digital images when a copier is turned in?

Breach Causes (chart)

Type of PII Lost, Stolen or Compromised (chart; label: SOCIAL SECURITY NUMBER)

Phishing is the process of attempting to acquire sensitive information such as usernames, passwords or financial account details by masquerading as a trustworthy entity in an electronic communication.

This is a growing activity within the DON.
- Perpetrators ask you to click a link back to a spoof web site. Doing so could subject you to the installation of key logging software or viruses.
- They use fear to motivate you to respond: "your account has been temporarily suspended due to recent fraudulent activity, we need you to verify your account information".
- Never open emails from unknown sources or institutions soliciting:
  - Passwords
  - Credit card information
  - ATM/Debit card number
  - Social Security Number
  - Bank/financial account number
- If in doubt about the validity of the email, call their customer service number.
- Notify your network administrator. For NMCI go to: https://www.homeport.navy.mil/support/articles/report-spam-phishing/

Phishing
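As an added example (not part of the original deck and not an NMCI or DON tool), the following Python script turns the warning signs listed above into a check a mail-team analyst could run over a message that a user has reported: fear or urgency wording, requests for passwords or card/account numbers, and links whose visible text or host does not match the sender. The sample messages, sender domains and URLs are constructed for the illustration.

```python
"""Phishing warning-sign checker built from the indicators the slide lists.
Added illustration with constructed sample messages; not an NMCI or DON tool."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Fear / urgency wording quoted on the slide, plus a common variant
URGENCY_PHRASES = ("temporarily suspended", "fraudulent activity",
                   "verify your account", "within 24 hours", "immediately")
# Items the slide says never to supply in reply to an unsolicited email
SOLICITED_ITEMS = ("password", "credit card", "atm card", "debit card",
                   "social security number", "ssn", "account number",
                   "routing number")
# Visible link text that looks like a URL or domain name
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case host of a URL or bare domain ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def body_text(msg):
    """Concatenate the text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message):
    """Return the warning signs found in one RFC 822 message (empty if none)."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    lowered = body.lower()
    found = []
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            found.append(f"urgency wording: '{phrase}'")
    for item in SOLICITED_ITEMS:
        if item in lowered:
            found.append(f"asks for: {item}")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        target = host_of(href)
        # Visible text names one host while the link goes to another
        if DOMAIN_LIKE.match(text) and host_of(text) != target:
            found.append(f"link text shows {host_of(text)} but points to {target}")
        # Link leaves the sender's own domain
        if target and sender_domain and target != sender_domain \
                and not target.endswith("." + sender_domain):
            found.append(f"link host {target} differs from sender domain {sender_domain}")
    return found


# Constructed samples modelled on the wording quoted in the slide; not real reports.
SAMPLE_PHISH = """\
From: First Fleet Bank Security <alerts@firstfleetbank.example>
To: member@unit.example
Subject: Action required on your account
Content-Type: text/html; charset=utf-8

<p>Your account has been temporarily suspended due to recent fraudulent activity.
We need you to verify your account information, including your password and
debit card number, within 24 hours at
<a href="http://login-verify.example.net/ffb">firstfleetbank.example</a>.</p>
"""

SAMPLE_OK = """\
From: Helpdesk <helpdesk@unit.example>
To: member@unit.example
Subject: Scheduled maintenance
Content-Type: text/plain; charset=utf-8

The file server will be offline Saturday 0800-1200 for patching.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(label, phishing_indicators(raw))
```

The link checks are the part users cannot do by eye in a mail client: a displayed domain that differs from the href, or a link that leaves the sender's domain, is exactly the "click a link back to a spoof web site" pattern the slide warns about. Keyword lists are deliberately short; in a real mail gateway they would be tuned against the reports received through the NMCI channel above.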

SSNs: A PERFECT STORM
- Web portals and shared drives
- Blogs
- Email
- Hackers
- Human error
- Insider threat
- Official and unofficial forms
- DON culture
- Malicious software
- Records management
- Disposal of storage media
- IT systems
- Contractor services
- Data mining
- Teleworking
- Spreadsheets
- Hard drives
- Flash storage media
- DAR encryption implementation
- Budget and resources
- Changing business processes

Acceptable SSN Uses

DoD guidance lists 12 cases for acceptable uses of SSNs (collection, use, or retention):
- Geneva Conventions Serial Number (on a timeline to change/eliminate SSNs from ID cards)
- Law Enforcement, National Security, and Credentialing
- Security Clearance Investigation or Verification
- Interactions with Financial Institutions
- Confirmation of Employment Eligibility
- Administration of Federal Workers' Compensation
- Federal Taxpayer Identification Number
- Computer Matching
- Foreign Travel
- Noncombatant Evacuation Operations
- Legacy System Interface
- Other Cases (with specified documentation)

The primary guiding principle of NSPS is to put mission first, while still respecting the individual. NSPS will allow the government to be more competitive with the private sector through increased flexibilities.

DRAFT DON SSN Reduction Plan

GOAL: Reduce or eliminate the use, display, collection, dissemination or storage of SSNs across the DON.

- Phase 1: focus on justifying continued use/collection of SSNs in official Navy/Marine Corps forms and IT systems.
- Phase 2: where SSNs are still needed and where applicable, substitute the Electronic Data Interchange Personal Identifier (EDIPI).

Challenges:
- DoD must provide guidance on the use of the EDIPI; it must have controls or we create another SSN.
- Elimination of the SSN, or substituting another identifier for the SSN, will incur unfunded program costs.

Privacy Lessons Learned
- Support and involvement from senior leadership is key.
- Aggressive PII compliance spot checks with corrective action taken are very effective.
- Eliminate/reduce the use, display and storage of all PII whenever possible.
- Mark all documents containing PII with the FOUO Privacy Sensitive warning.
- Ensure shared drive access permissions are established and routinely checked.
- Special care must be taken when moving, closing or consolidating offices that handle PII.
- Closely scrutinize employees/contractors that have access to PII.
- Paper document and hard drive disposal methods must be better defined and tightly controlled.
- A command records management program with a records disposal schedule is an effective tool for reducing PII.
- Campaign continuously to increase PII awareness.
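The compliance spot checks and the FOUO marking rule above, together with the sensitive / non-sensitive PII split from the Definitions section and the recall-roster spreadsheet problem noted under Trends and Patterns, can be mechanised for shared-drive sweeps. The following Python scanner is an added example, not a DON tool: it classifies spreadsheet columns by the slide's two lists, applies the aggregation rule (the threshold of three low-risk elements linked to a name is an assumption; the slide says only "numerous"), searches free text for full SSN and card-number patterns, checks for the FOUO marking, and lists the corrective action for each file. The sample files, names and numbers are constructed.

```python
"""PII spot-check scanner: classifies spreadsheet columns with the slide's
sensitive / non-sensitive lists, finds full SSN and card numbers in free text,
checks for the FOUO marking and names the corrective action. Added illustration
with constructed sample files; not a DON tool."""
import csv
import io
import re

# Column-name keywords taken from the slide's sensitive PII list
SENSITIVE_KEYWORDS = ("ssn", "social security", "bank account", "credit card",
                      "routing", "diagnos", "medical", "date of birth", "dob",
                      "place of birth", "maiden name", "passport", "rating",
                      "pay pool")
# Column-name keywords from the non-sensitive list (name is handled separately)
LOW_RISK_KEYWORDS = ("badge", "job title", "pay grade", "office phone",
                     "office address", "office email", "lineal")
# Assumption: the slide says "numerous" low-risk elements linked to a name
# become sensitive in aggregate; this example uses three or more.
AGGREGATION_THRESHOLD = 3

# Content patterns for high-risk elements hiding in text or notes columns
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}
MARKING = re.compile(r"\bFOUO\b")


def classify_headers(headers):
    """Return (level, columns) for a spreadsheet header row."""
    cols = [h.strip().lower() for h in headers]
    sensitive = [c for c in cols if any(k in c for k in SENSITIVE_KEYWORDS)]
    has_name = any("name" in c for c in cols if c not in sensitive)
    low_risk = [c for c in cols if c not in sensitive and "name" not in c
                and any(k in c for k in LOW_RISK_KEYWORDS)]
    if sensitive:
        return "sensitive", sensitive
    if has_name and len(low_risk) >= AGGREGATION_THRESHOLD:
        return "sensitive (aggregated)", low_risk
    if low_risk or has_name:
        return "non-sensitive", low_risk
    return "none", []


def scan_text(text):
    """Count high-risk elements found by content pattern."""
    return {name + " pattern": len(p.findall(text))
            for name, p in PATTERNS.items() if p.search(text)}


def spot_check(files):
    """files: {path: content}. Returns one finding per file that holds PII."""
    findings = []
    for path, content in files.items():
        level, elements = "none", {}
        if path.lower().endswith(".csv"):
            rows = list(csv.reader(io.StringIO(content)))
            if rows:
                level, cols = classify_headers(rows[0])
                header = [h.strip().lower() for h in rows[0]]
                for col in cols:  # count populated cells per flagged column
                    idx = header.index(col)
                    elements[col] = sum(1 for r in rows[1:]
                                        if len(r) > idx and r[idx].strip())
        hits = scan_text(content)
        elements.update(hits)
        if hits and not level.startswith("sensitive"):
            level = "sensitive"
        if level == "none":
            continue
        marked = bool(MARKING.search(content))
        actions = []
        if not marked:
            actions.append("mark FOUO - Privacy Sensitive")
        if any(e.startswith("ssn") for e in elements):
            actions.append("remove SSN or substitute another identifier")
        if level.startswith("sensitive"):
            actions.append("restrict access to need-to-know")
        findings.append({"file": path, "level": level, "elements": elements,
                         "marked": marked, "actions": actions})
    return findings


# Constructed sample files; the names and numbers are invented.
SAMPLE_FILES = {
    "recall_roster.csv": "Full Name,Office Phone,Pay Grade,Badge Number,Office Email\n"
                         "Jane Doe,(555) 010-0101,E-5,12345,jane.doe@unit.example\n",
    "pay_pool.csv": "Full Name,SSN,Pay Pool Rating\nJohn Roe,123-45-6789,4\n",
    "memo.txt": "FOUO - Privacy Sensitive\n"
                "Member John Roe, SSN 123-45-6789, requested a copy of his record.\n",
    "notes.txt": "Call back tomorrow re: card 4111 1111 1111 1111 declined.\n",
    "hours.txt": "Office hours 0800-1600, Monday to Friday.\n",
}

if __name__ == "__main__":
    for finding in spot_check(SAMPLE_FILES):
        print(finding)
```

The recall roster carries no single sensitive element, yet it is flagged because name, phone, grade, badge and email together are the aggregated case from the Definitions slide; that is the file type the Trends slide says is increasingly leaked by email. The pattern scan catches an SSN typed into a memo even though the memo is already marked, which is why the marking check and the "remove or substitute" action are reported separately.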

Some final thoughts
- Penalties under the Privacy Act apply to contractors
- Revisions to the FAR under discussion
- Consider credit monitoring for vendor caused breaches
- Doncio.navy.mil web site is a great privacy resource: FAQs, PIA Gouge, Breach Reporting Forms, Credit Monitoring Info, Privacy Reading List, Table Of Consequences, Posters, Tips of the Month, PII Info Alert

DON Privacy POCs
- Steve Muck, DON CIO, DON Privacy Team Lead. Phone: (703) 601-0081. Email: [email protected]
- Schmith, DON CIO. Phone: (703) 602-6110. Email: [email protected]
- Daughety, DON CIO. Phone: (703) 602-6393. Email: [email protected]
- Patterson, OPNAV DNS-36, DON Privacy Act Program Manager. Phone: (202) 685-6545. Email: [email protected]
- Contaoi, OPNAV DNS-36. Phone: (202) 685-6546. Email: [email protected]
- Prasserth Yang, HQMC C4 Cyber Security Division, Identity Management Branch Head. Phone: (571) 256-8862. Email: [email protected]
- Yousef, HQMC C4 Cyber Security Division, PII/PIA Analyst. Phone: (571) 256-8876

Chart data from the embedded worksheets (Number of Incidents; values segmented from the run-together export):

Breach Causes
- Human Error: 168
- Theft: 20
- Unknown: 6
- Postal: 4
- Insider Threat: 3
- Hacker: 1

Type of PII Lost, Stolen or Compromised
- SSN: 175
- Medical: 22
- Financial: 10
- NSPS: 4
- Passport: 3

PII Breach Media
- Email: 68
- Documents: 57
- Laptops: 44
- Other: 17
- Portal/Shared Drives: 10
- Thumb Drives: 2