PII breaches can be avoided

INDIANAPOLIS, IN, UNITED STATES

04.16.2019

Story by Bruce Drake 

Defense Finance and Accounting Service

✔ ✗ Subscribe

14

DFAS employees on a daily basis are required to handle financial files for federal employees and military service members. Preserving that personally identifiable information is a special charge of employees.

What is PII? Simply stated, PII is information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or is linkable to a specific individual.

According to the Federal Office of Management and Budget memorandum M-17-12, a PII breach occurs when there is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where:
1.A person other than an authorized user accesses or potentially accesses PII; or


2.An unauthorized user access or potentially accesses PII for any other than authorized purpose.



PII items DFAS employees may see in their daily operations include items such as names; social security numbers; gender; place of birth/home of record; mailing or home addresses; marital status; security clearances; number and names of dependents. This list is not inclusive and the DFAS Incident Reporting Aid shows even more PII examples DFAS employees should be aware of.

Several steps can be done by DFAS employees to help secure PII when they are accessing these sensitive files.
1.Ensure all emails with PII in the body of the email or attached are encrypted when sent out by email or file transfer services.


2.Safely dispose or destroy media in accordance with DFAS Records retention and disposal instructions (DFAS Reference. 5015.2) when PII files are no longer required.


3.Keep computer workstations current with all updates to operating systems, anti-virus programs and mobile device security aspects.


4.When teleworking, secure the VPN connection before opening any PII-related files.


5.When away from the desk, lock the computer by removing the Common Access Card.


6.Ensure all printed PII material has a cover page - DD Form 2923 Privacy Act Data Cover Sheet - covered by a blank sheet at a minimum, or is maintained in a folder to help protect the data.


7.Attach a screen filter over the computer monitor screen.


8.Be aware of Shoulder-Surfing, Tailgating and Dumpster Diving.

Shoulder-surfing occurs when a person attempts to gain PII material by looking at other people's computer screens, written documents or even mobile and tablet devices.

Tail-gating happens when a cyber-criminal attempts to gain unauthorized entry into a physical location. Confirm as people are coming into office spaces correctly by gaining access using their passcards, if they aren't being escorted by another DFAS employee.

Dumpster Diving, as gross as it might seem, hackers will go through trash bins to gain PII material. Safeguard printed or written PII documents by disposing of them properly in secured waste bins within office spaces.

If anyone becomes aware of a PII breach, follow these four steps to help protect from further breaches:

Step 1: Identify the PII information that has been compromised. Verify the information was sent to a non-DoD email address or personnel who did not have a need to know.

Step 2: Immediately attempt to safeguard the information; recall the message, inform recipients not to forward or allow others to view. Annotate and track who was contacted.

Step 3: If a PII breach is suspected, the DFAS user is to notify their supervisor, who will then contact DMI at 888-615-7451. If the supervisor is not available, the DFAS user should notify DMI and ensure their supervisor is made aware at the first opportunity.

Step 4: Supervisor must contact the DFAS Site Operations Center immediately for guidance to prepare and submit a Situation Report on the incident.