Photo Information

According to the Bureau of Justice website, 7 percent of households in the United States in 2010 (about 8.6 million households) had at least one member age 12 or older who experienced one or more types of identity theft victimization. (U.S. Air Force graphic/William Parks)

Photo by William Parks.

Air Force continues PII protection education

19 Oct 2012 | Tech. Sgt. Scott McNabb

The Air Force continues to train military members and Department of Defense and contract civilians alike to avoid releasing personally identifiable information about themselves or others.

A letter from the secretary of defense defined PII as information that can be used to distinguish or trace an individual's identity, such as their name, Social Security number, date and place of birth, mother's maiden name, and biometric records, including any other personal information that is linked or linkable to a specific individual.

"I would agree that DOD community members have access to, and use, PII on a near daily basis," said David Swartwood, Joint Information Operations Warfare Center operations security analyst. "PII is embedded in nearly every aspect of what we do: military pay, travel orders, permanent change of station orders, medical, appraisals, record keeping, training, etc.

"When we mishandle and improperly release PII, it is like we're handing our exploitable information straight to the bad guy; we might as well put a bow on it," Swartwood continued. "For example, an identify thief can take your name, (Social Security number) and address and potentially open up fake banking accounts or obtain fraudulent credit cards."

According to the Bureau of Justice website, 7 percent of households in the United States in 2010 (about 8.6 million households) had at least one member age 12 or older who experienced one or more types of identity theft victimization.

Swartwood said the DOD has provided clear guidance on how to handle and protect PII, and it's up to those who work for the department to recognize and protect PII.

"Mishandling PII places the individuals at risk and jeopardizes our mission," he said. "If my military member is distracted or harmed by a loss of their PII, then they're not focused on the mission and we're losing valuable time and resources resolving the issue. People need to understand there are adversaries out there who want to get a hold of their information and use it to harm them. When handling someone else's personal info, people should think, 'How would I want my information handled and protected?'"

Swartwood said JIOWC teams conduct operational security surveys around the world in support of combatant commands, and they often find more PII than they should by monitoring communications and digging through trash and recycle containers.

"In a recent OPSEC survey, our team recovered a small stack of improperly discarded personal paperwork in a recycle container," he explained. "It provided the service member's name, unit and (Social Security number)."

The OPSEC team did what most people do when they're looking for information. They went online.

"We did a quick 30-minute search online for the member's name and found date of birth, phone number, personal email address, social media profile, child's name, child's date of birth, child's school, child's age, school address and spouse's name," Swartwood said. "This military member had recently deployed overseas while their family remained at home. How effective do you think they would be if someone targeted their family while they were deployed? How easy do you think it would be to steal their identity and ruin their finances?"

That much information in just 30 minutes shows how easy it would have been, but there are ways to avoid such a breach of PII:

- Do not leave items such as performance reports, recall rosters, social rosters or alpha rosters in an area that could result in their loss or theft.

- Do not place PII on public websites or SharePoint.

- Encrypt all emails that contain PII, put FOUO (For Official Use Only) at the beginning of the subject line, and apply the following statement at the beginning of the email:

"The information herein is For Official Use Only (FOUO), which must be protected under the Privacy Act of 1974, as amended. Unauthorized disclosure or misuse of this personal information may result in criminal and/or civil penalties."

Once a person is finished working with PII, he should dispose of the documents -- paper or electronic -- properly. Disposal methods may include tearing, erasing, burning, melting chemical decomposition, pulping, pulverizing, shredding and mutilation. People should use shredders that produce a crosscut to ensure paper pieces are indecipherable and permanently delete electronic records.

If any disclosures of PII are discovered, people should report it immediately through their supervisor and chain of command and contact the base Privacy Act manager. Additionally, lost, stolen or possibly compromised PII must be reported to the U.S. Computer Emergency Readiness Team within one hour of the discovery. An investigation will be initiated and those who are found guilty of causing the breach could be charged with criminal and civil penalties.

DOD Instruction 5400.11-R, DOD Privacy Program, and Air Force Instruction 33-332, Air Force Privacy Program, establishes the current DOD and Air Force guidance on PII.

"Education is the best countermeasure in my opinion," said Swartwood. "Letting people know they're responsible for protecting PII along with training them how to safeguard it is critical."