Serious consequences for mishandling personal ID info

Personally Identifiable Information

Personally Identifiable Information

SCOTT AIR FORCE BASE, Ill. -- Individuals who inappropriately store and transmit Personally Identifiable Information, or PII, over the Air Force Network will now have their accounts locked in response to the violation.

Patricia Feist, 375th Communications Squadron base records manager, said, "Personally Identifiable Information is information which can be used to distinguish or trace an individual's identity, such as their name, Social Security Number, or biometric records, including any other personal information that is linked or linkable to a specific individual."

A PII breach is defined as "a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access or any similar term referring to situations where persons other than authorized users and for other than authorized purpose have access or potential access to PII, whether physical or electronic."

Air Force Space Command spokeswoman, Capt. Christina Sukach, said, "These breaches can range from one individual sending a performance report containing a Social Security Number to another military account without encryption, to sending a personnel roster with thousands of pieces of PII to a personal email account, outside of the Air Force Network. These breaches do not necessarily translate to stolen identities or other malicious uses of personal information, but they do increase the risks to individuals and to the Air Force Network.

All DoD personnel are responsible for protecting PII. These new actions are in addition to, and do not circumvent or replace, the normal Privacy Act notification process which is already in place throughout the Air Force. Air Force Instruction 33-332 governs the PII breach reporting process as well as the consequences for PII violations.

"An individual who willingly releases PII can be given remedial actions. Civil remedies include payment of damages, court costs, and attorney fees in some cases. In addition, misdemeanor criminal charges and a fine of up to $5,000 may be imposed, as well as loss of employment," said Feist.

The abuse of such information not only affects individuals, but also poses a threat to the entire Air Force. In many cases in which PII has been compromised, information is released that can be used to steal someone's identity. It is vital for every individual to understand how to properly safeguard their personal information and the information of others.

Feist said, "If you are going to collect PII, you must have an authority to collect the information and should have System of Records Notice listed in the Federal registry. It is of the utmost importance you must protect that information. Identity theft is big."

Encrypting PII allows secure transmission. Additional information on protecting PII can be found on the Air Force Portal under the Cyber Threats and Information tab as well as at http://dpclo.defense.gov/privacy.

Protecting Personally Identifiable Information

Email: ensure there is an official need for the recipient(s) to receive the information. If email is used place FOUO in the subject line, the Privacy act statement "This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information which must be protected under the Freedom of Information Act (5 U.S.C 552) and/or the Privacy Act of 1974 (5 U.S.C. 552a). Unauthorized disclosure or misuse of this PERSONAL INFORMATION may result in disciplinary action, criminal and/or civil penalties. Further distribution is prohibited without the approval of the author of this message unless the recipient has a need to know in the performance of official duties. If you have received this message in error, please notify the sender and delete all copies of this message." Encrypt and digitally sign the email.

Use the Army Missile Research Development and Engineering Center Safe Access File Exchange as an alternate means of transmitting PII.

Ensure personal information stored on EIM or a shared drive is only accessible to individuals who have an official, valid "need-to-know" and is required for day-to-day operations.

Remove personal information maintained within SharePoint or equivalent software programs when no longer needed for daily operations.

If faxing information, use a coversheet and have the person receiving the fax be waiting by the machine.

Paper documents and printed materials that contain PII shall be covered with the AF Form 3227, Privacy Act Cover Sheet or DD Form 2923, Privacy Act Data Cover Sheet when removed from a System of Record.

Don't send sensitive PII on CDs, DVDs, hard drives, flash drives, floppy disks or other removable media by mail or courier sensitive PII unless the data is encrypted (see AFI 33-200, Information Assurance Management).

Don't leave personal information in unsecured vehicles, unattended workspaces, unsecured file drawers, or in checked baggage.

Don't store personal information on personal media.