by Tech. Sgt. Scott McNabb
24th Air Force Public Affairs
10/16/2012 - JOINT BASE SAN ANTONIO-LACKLAND, Texas -- Safeguarding
information is a way of life in the Air Force and the service trains
military members, Department of Defense and contract civilians alike to
avoid releasing personally identifiable information about themselves or
A letter from the secretary of defense defined PII as information which
can be used to distinguish or trace an individual's identity, such as
their name, social security number, date and place of birth, mother's
maiden name, and biometric records, including any other personal
information which is linked or linkable to a specified individual.
"I would agree that DoD community members have access to, and use, PII
on a near daily basis," said David Swartwood, Joint Information
Operations Warfare Center operations security analyst. "PII is embedded
in nearly every aspect of what we do: military pay, travel orders,
permanent change of station orders, medical, appraisals, record keeping,
training, etc. For example, an identify thief can take your name, SSN
and address and potentially open up fake banking accounts or obtain
fraudulent credit cards. When we mishandle and improperly release PII it
is like we're handing our exploitable information straight to the bad
guy - we might as well put a bow on it."
The Bureau of Justice
Website says that in 2010, seven percent of households in the United
States (about 8.6 million households) had at least one member age 12 or
older who experienced one or more types of identity theft victimization.
Swartwood said the Department of Defense has provided clear guidance on
how to handle and protect PII and it's up to those who work for the
department to recognize and protect PII.
"Mishandling PII places the individuals at risk and jeopardizes our
mission," he said. "If my military member is distracted or harmed by a
loss of their PII, then they're not focused on the mission and we're
losing valuable time and resources resolving the issue. People need to
understand there are adversaries out there who want to get a hold of
their information and use it to harm them. When handling someone else's
personal info, people should think, 'How would I want my information
handled and protected?'"
Swartwood said JIOWC teams conduct OPSEC surveys around the world in
support of combatant commands and they often find more PII than they
should by monitoring communications and digging through trash and
"In a recent OPSEC survey our team recovered a small stack of improperly
discarded personal paperwork in a recycle container," he explained. "It
provided the service member's name, unit and SSN."
The OPSEC team did what most people do when they're looking for information. They went online.
"We did a quick 30 minute search online for the member's name and found:
date of birth, phone number, personal e-mail address, social media
profile, child's name, child's date of birth, child's school, child's
age, school address and spouse's name," he said. "This military member
had recently deployed overseas while their family remained at home. How
effective do you think they would be if someone targeted their family
while they were deployed? How easy do you think it would be to steal
their identity and ruin their finances?"
That much information in just 30 minutes shows how easy it would have been, but there are ways to avoid such a breach of PII.
Do not leave items such as performance reports, recall rosters, social
rosters or alpha rosters in an area that could result in their loss or
theft. Do not place PII on public websites or SharePoint. Encrypt all
emails that contain PII, put (FOUO) at the beginning of the subject
line, and apply the following statement at the beginning of the e-mail:
"The information herein is For Official Use Only (FOUO) which must be
protected under the Privacy Act of 1974, as amended. Unauthorized
disclosure or misuse of this personal information may result in criminal
and/or civil penalties."
Once you are finished working with PII, dispose of the documents (paper
or electronic) properly. Disposal methods may include: tearing, erasing,
burning, melting chemical decomposition, pulping, pulverizing,
shredding and mutilation. Use shredders that produce a crosscut to
ensure paper pieces are indecipherable. Permanently delete electronic
If you discover any disclosures of PII, report it immediately through
your supervisor and chain of command and contact the base Privacy Act
manager. Additionally, lost, stolen or possible compromised PII must be
reported to U.S. CERT within one
hour of the discovery. An investigation will be initiated and those who
are found guilty of causing the breach could be charged with criminal
and civil penalties.
DOD Instruction 5400.11-R, DOD Privacy Program and AFI 33-332, Air Force
Privacy Program establishes the current DOD and Air Force guidance on
"Education is the best countermeasure in my opinion," said Swartwood.
"Letting people know they're responsible for protecting PII along with
training them how to safeguard it is critical."