Privacy Breach Panel 11/16/2009
Brian T. Zickel, HQDA Privacy Office: Background & Process
Chris Kaloudis, HQDA Privacy Office: Metrics and Template Walkthrough
Jennifer Nikolaisen, National Guard: Major Breach Best Practices
Anastasia Kakel, TRADOC: Remedial Action
Richard Frank, Corps of Engineers: Notification
Linda Genovese, Corps of Engineers: Reporting
Personally Identifiable Information (PII) Defined
Personally Identifiable Information (PII) is data that links, or can be combined with other PII elements to link, to an individual. PII can be used to distinguish or trace an individual's identity. (OMB M-07-16)

PII can be stored in hard copy or electronic media form. The type of storage does not affect its status as PII or alter reporting requirements.

Types of PII:
- Social Security Number, regardless of truncation
- Physical characteristics (race/ethnicity, biometrics, etc.)
- ID numbers (badge numbers, driver's license, etc.)
- Civilian information (dependant data, emergency contact info)
- Social/non-business data (religious affiliation, marital status)

[Diagram: individual PII elements (truncated SSN, name, home address, ethnicity) combined to identify "you"; the combined record, e.g. name plus SSN, is FOUO]

Brian T. Zickel, 11/16/2009
Reporting Loss or Suspected Breach of PII Flow Chart
A BREACH OCCURS WHEN an actual or possible loss of control, unauthorized disclosure, or unauthorized access occurs, regardless of whether data was exposed internally or externally. (OMB M-07-16)

Flow chart:
- Discoverer of the PII breach reports immediately to their chain of command
- Chain of command, cc: HQDA Privacy Office within 24 hours
- U.S. Computer Emergency Response Team (USCERT) within 1 hour
- HQDA Privacy Office keeps DAASA, DoD Privacy Office, Public Affairs and CIO/G-6 informed
- Remedial training
- Work with local Privacy Office to determine notification procedures
- Internal/external investigation
- Notify affected individuals within 10 days

Brian T. Zickel, 11/16/2009
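The flow chart fixes three clocks that all start at discovery: USCERT within 1 hour, HQDA Privacy Office within 24 hours, and notification of affected individuals within 10 days (the notification slides later in the deck start that last clock at the later of discovery and identification of the individuals). The following tracker is an added example, not part of the presentation or of any Army tool; the step names, the `BreachIncident` class and the sample incident timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Timed reporting steps taken from the flow chart. Reporting to the chain of
# command is "immediately" and has no clock, so it is recorded but not timed.
DEADLINES: Dict[str, timedelta] = {
    "uscert": timedelta(hours=1),               # USCERT within 1 hour
    "hqda_privacy_office": timedelta(hours=24),  # HQDA Privacy Office within 24 hours
    "affected_individuals": timedelta(days=10),  # notify individuals within 10 days
}
ALL_STEPS = ("chain_of_command",) + tuple(DEADLINES)


@dataclass
class BreachIncident:
    """One PII breach and the time each reporting step was completed."""
    discovered_at: datetime
    # The 10-day notification clock runs from discovery *and* identification of
    # the affected individuals, so the later of the two starts it (assumption
    # based on the "Timeliness of Notification" slide).
    individuals_identified_at: Optional[datetime] = None
    reported: Dict[str, datetime] = field(default_factory=dict)

    def deadline(self, step: str) -> Optional[datetime]:
        """Absolute deadline for a timed step, or None for untimed steps."""
        if step not in DEADLINES:
            return None
        start = self.discovered_at
        if step == "affected_individuals" and self.individuals_identified_at:
            start = max(start, self.individuals_identified_at)
        return start + DEADLINES[step]

    def status(self, step: str, now: datetime) -> str:
        """'on_time' / 'late' once reported; 'pending' / 'overdue' until then."""
        done = self.reported.get(step)
        due = self.deadline(step)
        if due is None:  # untimed step: only whether it was recorded
            return "reported" if done else "pending"
        if done is not None:
            return "on_time" if done <= due else "late"
        return "pending" if now <= due else "overdue"


def report_status(incident: BreachIncident, now: datetime) -> Dict[str, str]:
    """Status of every reporting step as of `now`."""
    return {step: incident.status(step, now) for step in ALL_STEPS}


def missed_deadlines(incident: BreachIncident, now: datetime) -> List[str]:
    """Steps reported after their deadline, or still unreported past it."""
    return sorted(step for step, st in report_status(incident, now).items()
                  if st in ("late", "overdue"))


def sample_incident() -> BreachIncident:
    # Constructed sample incident; the dates are not from a real report.
    return BreachIncident(
        discovered_at=datetime(2009, 11, 16, 9, 0),
        individuals_identified_at=datetime(2009, 11, 16, 15, 0),
        reported={
            "chain_of_command": datetime(2009, 11, 16, 9, 10),
            "uscert": datetime(2009, 11, 16, 9, 45),          # inside the 1-hour window
            "hqda_privacy_office": datetime(2009, 11, 17, 11, 0),  # two hours past 24 hours
        },
    )


if __name__ == "__main__":
    inc = sample_incident()
    for when in (datetime(2009, 11, 20, 9, 0), datetime(2009, 11, 27, 9, 0)):
        print(when.isoformat(), report_status(inc, when), missed_deadlines(inc, when))
```

Run as a script it prints the status table at two check times: on 11/20 only the HQDA report is flagged (it went out late), while on 11/27 the unsent individual notification has also become overdue. Feeding the real discovery and report timestamps into `BreachIncident` gives the daily SITREP a mechanical answer to "which clocks have we missed".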
Tracking PII Incidents
- Keep leadership informed
- Track success of PII safeguarding
- Training purposes
- Trends of breaches

Chris Kaloudis, 11/16/2009
Laptop Incidents
[Chart]
Chris Kaloudis, 703-428-7499, 11/16/2009
Thumbdrive Incidents
[Chart]
Chris Kaloudis, 703-428-7499, 11/16/2009
Individuals Potentially Affected
[Chart]
Chris Kaloudis, 11/16/2009
DoD - PII Reporting Template
DoD Component and organization involved:
  Component
  Name
  Organization
  POC
  Title/Organization
  Telephone
6. Total number of individuals affected by the breach: # / Unknown
6a. Breakout number by category:
  Government Civilians
  Government Contractors
  Military (Reserve)
  Military (Dependent)
  Military (Active)
  Military (Retired)
  Other/Unknown (please specify)

Chris Kaloudis, 11/16/2009
PII Breach Lessons Learned
- Establishment of call center procedures/script
- News release template and public website
- Leadership brief/daily SITREP templates
- Media inquiries/interview requests
- Privacy complaint handling procedures
- Internal announcements about the incident
- Contract review/accountability
- Process for non-deliverable notice letters
- Answering Congressional committee inquiries

Jennifer Nikolaisen, 11/16/2009
What to Expect After A Major Breach
- Increased privacy focus from leadership
- Requests for privacy training for personnel
- DoD attention on PIA completion for systems
- Scrutiny and more review of the program
- Revision/development of procedures
- Possible increase in complaints/FOIAs
- Credit monitoring requests from those impacted
- Planning/preparation to avoid another one!

Jennifer Nikolaisen, 9/18/2018
Remediation
Remedial actions, if negligence or failure to follow established policy and procedures:
- Counseling, additional training, removal of authority to access information or systems, administrative and/or disciplinary actions
- Financial liability investigation of property loss (FLIPL) or statement of charges
- Criminal penalties (Privacy Act: guilty of a misdemeanor and fined up to $5,000)

Anastasia Kakel / DSN, 11/16/2009
TRADOC Case Study: Soldier left laptop unsecured in car at mall
- Failure to follow policy
- Investigation
- FLIPL: Soldier required to pay for replacement of computer ($ )
- Counseling

Anastasia Kakel / DSN, 11/16/2009
Good to know
- Conduct spot checks of security and data-at-rest encryption
- Information Assurance Manager (NETCOM/TNOSC/DOIM): force protection and OPSEC review of information loss
- Scrutinize the collection of PII, in particular SSNs; ensure the DTM USD(P&R) DoD SSN Reduction Plan "acceptable uses" apply

Anastasia Kakel / DSN, 11/16/2009
Good to know: Sources of breach identification
- Data mining to verify PII is contained
- Update PII loss policy for common issues
- New system of records in APMS
- Follow record disposition schedules

Anastasia Kakel / DSN, 11/16/2009
External Notification
Is breach notification required? Response Team: Risk of Harm (5 factors) and Level of Risk/Impact
Timeliness of notification: within 10 days of discovering the breach and identifying individuals
Source of notification: Component Head or Senior Official
Contents of notification: what happened, type of data, whether it was protected, steps the individual can take, agency actions, agency contact (see DoD list)
Means of providing notification: first class mail, telephone, generalized (substitute)
Who receives notification: individuals, media, businesses

POC: Richard Frank, (202), 11/16/2009
External Notification
Is breach notification required? Response Team: Risk of Harm (5 factors)
- Nature of data elements (type of data in context)
- Number affected
- Accessible and usable
- Likelihood breach may lead to harm
- Ability to mitigate risk of harm
Level of Risk/Impact
Mitigating factors: protections, chilling effects, ongoing investigation, false alarm

POC: Richard Frank, (202), 11/16/2009
US Army Corps of Engineers PII Incident Reporting Business Process
Linda Genovese 11/16/