Written by Mr. Densmore Bartly, assistant information system security officer at USCG Base National Capital Region (NCR)
Over the past year, there has been an increase in privacy incidents caused by Coast Guard personnel transmitting personally identifiable information (PII) and sensitive personally identifiable information (SPII) outside the USCG.MIL domain to personal business email accounts, without using the proper protections required by COMDTINST M5500.13E. This directive prohibits transmitting PII/SPII to personal e-mail accounts.
When users are asked why the proper protections were not used, two responses are most common:
1) I didn’t know the information I sent is considered PII/SPII, and/or
2) I didn’t know the policy on protecting PII/SPII.
ALCOAST 549/13 points out that the time and resources expended in the remediation of Privacy Incidents has an adverse impact on Coast Guard mission essential operations, readiness and morale. Furthermore, Privacy Incidents erode trust in our records management/information assurance capabilities, and subjects our agency and senior leadership to increased Departmental, public, media and Congressional scrutiny.
The Department of Homeland Security Handbook for Safeguarding Sensitive Personally Identifiable Information defines PII as any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department. SPII is further defined as PII which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
Examples of PII/SPII include: name, date of birth, home mailing address, telephone number, social security number, home e-mail address, zip code, account numbers, certificate/license numbers, vehicle identifiers (including license plates), uniform resource locators (URLs), Internet protocol addresses, biometric identifiers (e.g., fingerprints), photographic facial images, any unique identifying number or characteristic, and other information where it is reasonably foreseeable that the information will be linked with other personal identifiers of the individual.
When you are unsure on whether a piece of information is considered PII/SPII, ask yourself, “is this information unique to an individual or to the individual’s family?” If the answer is yes, then you are dealing with PII/SPII. If you have to send a recall roster, a copy of your driver’s license, your employee ID with name, or your spouse’s cell phone number to an email address that is not USCG.MIL, then do not forget that the email must be protected. Suitable protection consists of the following steps:
- Remove any PII/SPII from the body of the email and use an attachment to include PII/SPII Information.
- Password protect the attachment PII/SPII file prior to attaching it to the email.
- Digitally sign and encrypt the email. For instructions on digitally signing and encrypting your emails, please review this “how to” guidance from DCMS-34.
- Verify that chosen recipients have the “need to know” the information being transmitted before sending.
You should note that although Coast Guard personnel are authorized to e-mail PII/SPII within Coast Guard’s internal network (CG ONE) to recipients having a need to know, it is strongly encouraged that data transmitted is contained within a password protected attachment.