Wednesday, October 17, 2012

National Cyber Security Awareness Month: Protecting PII everyone's responsibility

by Tech. Sgt. Scott McNabb
24th Air Force Public Affairs


10/16/2012 - JOINT BASE SAN ANTONIO-LACKLAND, Texas -- Safeguarding information is a way of life in the Air Force, and the service trains military members, Department of Defense and contract civilians alike to avoid releasing personally identifiable information about themselves or others.

A letter from the secretary of defense defined PII as information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, and biometric records, including any other personal information which is linked or linkable to a specified individual.

"I would agree that DoD community members have access to, and use, PII on a near daily basis," said David Swartwood, Joint Information Operations Warfare Center operations security analyst. "PII is embedded in nearly every aspect of what we do: military pay, travel orders, permanent change of station orders, medical, appraisals, record keeping, training, etc. For example, an identity thief can take your name, SSN and address and potentially open up fake banking accounts or obtain fraudulent credit cards. When we mishandle and improperly release PII it is like we're handing our exploitable information straight to the bad guy - we might as well put a bow on it."

The Bureau of Justice Website says that in 2010, seven percent of households in the United States (about 8.6 million households) had at least one member age 12 or older who experienced one or more types of identity theft victimization.

Swartwood said the Department of Defense has provided clear guidance on how to handle and protect PII and it's up to those who work for the department to recognize and protect PII.

"Mishandling PII places the individuals at risk and jeopardizes our mission," he said. "If my military member is distracted or harmed by a loss of their PII, then they're not focused on the mission and we're losing valuable time and resources resolving the issue. People need to understand there are adversaries out there who want to get a hold of their information and use it to harm them. When handling someone else's personal info, people should think, 'How would I want my information handled and protected?'"

Swartwood said JIOWC teams conduct OPSEC surveys around the world in support of combatant commands and they often find more PII than they should by monitoring communications and digging through trash and recycle containers.

"In a recent OPSEC survey our team recovered a small stack of improperly discarded personal paperwork in a recycle container," he explained. "It provided the service member's name, unit and SSN."

The OPSEC team did what most people do when they're looking for information. They went online.

"We did a quick 30-minute search online for the member's name and found: date of birth, phone number, personal e-mail address, social media profile, child's name, child's date of birth, child's school, child's age, school address and spouse's name," he said. "This military member had recently deployed overseas while their family remained at home. How effective do you think they would be if someone targeted their family while they were deployed? How easy do you think it would be to steal their identity and ruin their finances?"

That much information in just 30 minutes shows how easy it would have been, but there are ways to avoid such a breach of PII.

Do not leave items such as performance reports, recall rosters, social rosters or alpha rosters in an area that could result in their loss or theft. Do not place PII on public websites or SharePoint. Encrypt all emails that contain PII, put (FOUO) at the beginning of the subject line, and apply the following statement at the beginning of the e-mail:

"The information herein is For Official Use Only (FOUO) which must be protected under the Privacy Act of 1974, as amended. Unauthorized disclosure or misuse of this personal information may result in criminal and/or civil penalties."

Once you are finished working with PII, dispose of the documents (paper or electronic) properly. Disposal methods may include: tearing, erasing, burning, melting, chemical decomposition, pulping, pulverizing, shredding and mutilation. Use shredders that produce a crosscut to ensure paper pieces are indecipherable. Permanently delete electronic records.

If you discover any disclosure of PII, report it immediately through your supervisor and chain of command and contact the base Privacy Act manager. Additionally, lost, stolen or possibly compromised PII must be reported to U.S. CERT within one hour of the discovery. An investigation will be initiated and those who are found guilty of causing the breach could face criminal and civil penalties.

DOD Instruction 5400.11-R, DOD Privacy Program, and AFI 33-332, Air Force Privacy Program, establish the current DOD and Air Force guidance on PII.

"Education is the best countermeasure in my opinion," said Swartwood. "Letting people know they're responsible for protecting PII along with training them how to safeguard it is critical."
