REPORTING PROCESS FOR LOSS OR COMPROMISE OF PERSONALLY IDENTIFIABLE INFORMATION
Date Signed: 4/19/2007 | MARADMINS Number: 267/07
UNCLAS 182210Z APR 07
CMC WASHINGTON DC(UC)
TO AL MARADMIN(UC)
MARADMIN 267/07
MSGID/GENADMIN/CMC WASHINGTON DC C4 IA//
SUBJ/REPORTING PROCESS FOR LOSS OR COMPROMISE OF PERSONALLY
IDENTIFIABLE INFORMATION (PII)//
REF/A/MSGID:SECNAVINST 5211.5E/DON PRIVACY PROGRAM//
REF/B/MSGID:GENADMIN/DON CIO WASHINGTON DC/301540ZNOV2006//
REF/C/MSGID:MCO5740.2F /OPREP 3SIR SERIOUS INCIDENT/REPORT//
NARR/REF A GOVERNS THE COLLECTION, SAFEGUARDING, USE AND MAINTENANCE
OF PII FOR DON PRIVACY SYSTEM OF RECORDS COLLECTIONS. REF B IS
DEPARTMENT OF THE NAVY (DON) CHIEF INFORMATION OFFICER(CIO) MSG
PROVIDING GUIDANCE FOR REPORTING OF ACTUAL OR SUSPECTED PII COMPROMISE.
REF C IS MARINE CORPS ORDER FOR REPORTING EVENTS OR INCIDENTS ON
MATTERS INVOLVING MARINE CORPS PERSONNEL, UNITS OR INSTALLATIONS. //
POC/JOSEPH S. UCHYTIL/CAPT/HQMC C4 IA/-/TEL:703-693-3490 /
TEL:DSN 223-3490/EMAIL:JOSEPH.UCHYTIL@USMC.MIL//
POC/TERESA ROSS/GS-14/HQMC ARSF/-/TEL:703-614-4008/- /
EMAIL:TERESA.D.ROSS@USMC.MIL//
POC/GINGER V. DOLAN/GS-12/HQMC ARSF/-
/TEL:703-614-4008 /EMAIL:GINGER.V.DOLAN@USMC.MIL//
POC/CHRISTINE HESEMANN/CTR/HQMC C4 IA/-/TEL:703-693-3490 /
TEL:DSN 223-3490/EMAIL:CHRISTINE.HESEMANN.CTR@USMC.MIL//
GENTEXT/REMARKS/1. PURPOSE. MANAGING THE LOSS OR COMPROMISE OF
PERSONALLY IDENTIFIABLE INFORMATION (PII) IS OF GREAT CONCERN TO
THE MARINE CORPS. LOSS OR COMPROMISE CAN PLACE AN UNDUE BURDEN
UPON MARINES, SAILORS, CONTRACTORS, CIVIL SERVANTS AND CIVILIANS
ALIKE, AND POTENTIALLY CAST THE MARINE CORPS IN AN UNFAVORABLE LIGHT
TO THE PUBLIC AT LARGE. FOLLOWING THE REPORTING PROCESS IS KEY TO
PROVIDING TIMELY NOTIFICATION AND INFORMATION TO THOSE INDIVIDUALS
THAT MAY HAVE HAD THEIR PERSONAL DATA COMPROMISED WHILE AT THE SAME
TIME MITIGATING A PUBLIC AFFAIRS CRISIS.
2. DEFINITION. PII IS ANY
INFORMATION ABOUT AN INDIVIDUAL MAINTAINED BY AN AGENCY, INCLUDING,
BUT NOT LIMITED TO, EDUCATION, FINANCIAL TRANSACTIONS, MEDICAL HISTORY,
AND CRIMINAL OR EMPLOYMENT HISTORY AND INFORMATION WHICH CAN BE USED
TO DISTINGUISH OR TRACE AN INDIVIDUAL'S IDENTITY, SUCH AS THEIR NAME,
SOCIAL SECURITY NUMBER, DATE AND PLACE OF BIRTH, MOTHER'S MAIDEN NAME,
BIOMETRIC RECORDS, ETC., INCLUDING ANY OTHER PERSONAL INFORMATION
WHICH IS LINKED OR LINKABLE TO AN INDIVIDUAL. DATA WHICH FALLS
UNDER THE PURVIEW OF THE PRIVACY ACT OF 1974 IS A SUBSET OF PII
AND WILL FOLLOW THE REPORTING PROCEDURES OUTLINED IN THIS POLICY.
SYSTEMS RETRIEVING INFORMATION VIA ANY ELEMENT OF PII ARE SUBJECT
TO THE PRIVACY ACT OF 1974.
3. SCOPE. THIS POLICY APPLIES TO ALL
MARINE CORPS COMMANDS.
4. POLICY
A. WITHIN ONE HOUR OF DISCOVERY OF ACTUAL OR SUSPECTED LOSS, THEFT,
OR COMPROMISE OF PII, THE COMMAND WILL ASSEMBLE AND REPORT THE
FOLLOWING INFORMATION:
(1) COMPONENT/ORGANIZATION INVOLVED.
(2) DATE OF INCIDENT.
(3) NUMBER OF INDIVIDUALS AFFECTED, PERCENTAGE OF THAT NUMBER WHO
ARE GOVERNMENT (MILITARY, CIVIL SERVICE, NAF, AND DOD CONTRACTORS),
AND PERCENTAGE WHO ARE PRIVATE CITIZENS.
(4) SYNOPSIS OF INCIDENT, INCLUDING CIRCUMSTANCES SURROUNDING THE
COMPROMISE, SPECIFIC DATA ELEMENTS INVOLVED, SAFEGUARDS IN PLACE
TO PROTECT THE DATA (I.E. ENCRYPTION, PASSWORD PROTECTION).
B. REPORT THE INFORMATION TO THE FOLLOWING OFFICES AND AGENCIES.
PRIMARY MEANS SHALL BE A SINGLE EMAIL. IF ACCESS TO EMAIL IS NOT
AVAILABLE COMMANDS SHALL REPORT VIA TELEPHONE.
(1) UNITED STATES COMPUTER EMERGENCY READINESS TEAM (US-CERT),
EMAIL: SOC@US-CERT.GOV. TELEPHONE: 888-282-0870
(2) DON CHIEF INFORMATION OFFICER (CIO) IDENTITY MANAGEMENT AND
PRIVACY TEAM, EMAIL: DON.PRIVACY.FCT@NAVY.MIL. TELEPHONE:
703-601-0120/6882.
(3) DON PRIVACY ACT OFFICER, EMAIL: PRIVACY@OGC.LAW.NAVY.MIL.
TELEPHONE: 202-685-6545.
(4) MARINE CORPS CIO, HQMC C4 IA, IDENTITY MANAGEMENT (IDM) TEAM,
EMAIL: HQMC_C4IA_IDMGT@USMC.MIL TELEPHONE:(703) 693-3490.
(5) HQMC PUBLIC AFFAIRS MEDIA BRANCH (PAM), EMAIL:
M_HQMC_PA_MEDIARELATIONS@USMC.MIL. TELEPHONE: 703-614-8029.
(6) MARINE CORPS PRIVACY OFFICER,
EMAIL: SMBHQMCPRIVACYACT@USMC.MIL. TELEPHONE: 703-614-4008.
(7) LOCAL NAVAL CRIMINAL INVESTIGATIVE SERVICE (NCIS) OFFICE OR
MARINE CORPS INVESTIGATION DIVISION (CID).
(8) LOCAL STAFF JUDGE ADVOCATE (SJA) OFFICE.
C. MARINE CORPS UNITS
ARE REQUIRED TO ISSUE A NAVAL MESSAGE TO THE DOD ORGANIZATIONS
OUTLINED IN PARAGRAPH 4B WITHIN 72 HOURS OF THE INITIAL REPORT.
THE MESSAGE WILL CONTAIN, AT A MINIMUM, ALL INFORMATION PROVIDED
IN ORIGINAL EMAIL. PLA FOR ORGANIZATIONS ARE: DON CIO WASHINGTON
DC, OGC WASHINGTON DC, CMC WASHINGTON DC C4 IA, CMC WASHINGTON DC
PA, AND CMC WASHINGTON DC AR.
D. MARINE CORPS UNITS ASSIGNED TO
COMBATANT COMMANDS OR UNDER THE OPERATIONAL CONTROL OF COMBINED OR
JOINT FORCE COMMANDER WILL ADDITIONALLY ISSUE AN OPREP-3SIR PER REF
C. COPIES OF ALL PII COMPROMISE OPREP-3SIR WILL BE SUBMITTED TO THE
USMC PRIVACY OFFICER AS A FOLLOW UP TO THE INITIAL REPORT OF
COMPROMISE.
E. ALL FOLLOW UP ACTIONS REQUIRED BY THE REPORTING COMMAND WILL BE
COORDINATED THROUGH THE USMC PRIVACY OFFICER AT
SMBHQMCPRIVACYACT@USMC.MIL.
F. WITHIN 10 DAYS OF INITIAL DISCOVERY
OF A KNOWN OR SUSPECTED COMPROMISE THE COMMAND WILL NOTIFY THE
AFFECTED PERSONNEL OF THE LOSS. AT A MINIMUM THE NOTIFICATION
SHALL INCLUDE SPECIFIC PII INVOLVED; CIRCUMSTANCES SURROUNDING THE
COMPROMISE; AND PROTECTIVE MEASURES THE INDIVIDUAL CAN TAKE.
NOTIFICATION SHALL BE MADE IN ONE OR A COMBINATION OF THE FOLLOWING
FORMS:
(1) LETTER
(2) DIGITALLY SIGNED EMAIL
(3) TOLL-FREE NUMBERED CALL CENTER FOLLOWING GUIDELINES LOCATED AT
HTTP:(SLASH)(SLASH)PRIVACY.NAVY.MIL UNDER ADMINISTRATIVE TOOLS
(4) GENERALIZED NOTICE TO THE POTENTIALLY AFFECTED POPULATION WHEN
THE COMMAND CANNOT READILY IDENTIFY THE AFFECTED INDIVIDUALS.
G. IF THE COMMAND IS UNABLE TO PROVIDE NOTIFICATION WITHIN THE 10 DAY
PERIOD, A REPORT MUST BE SUBMITTED TO THE USMC PRIVACY OFFICER
(SMBHQMCPRIVACYACT@USMC.MIL) AND HQMC C4 IA IDM TEAM PROVIDING
JUSTIFICATION FOR THE DELAY, AND A PLAN OF ACTION AND MILESTONES
(POA&M) OUTLINING THE STEPS BEING TAKEN TO COMPLETE THE PROCESS.
H. REPORT LESSONS LEARNED VIA EMAIL WITHIN 10 DAYS OF THE INCIDENT TO
THE USMC PRIVACY OFFICER
(SMBHQMCPRIVACYACT@USMC.MIL) AND HQMC C4 IA IDM TEAM
(HQMC_C4IA_IDMGT@USMC.MIL).
5. HQMC C4 IA WILL WORK WITH THE MARINE
CORPS NETWORK OPERATIONS SECURITY COMMAND TO CREATE A TEMPLATE FOR
REPORT CREATION AND SUBMISSION.
6. ACTION. COMMANDERS WILL ENSURE
THE IMPLEMENTATION OF THIS POLICY WITHOUT DELAY AND ENSURE THE
INCLUSION OF ITS CONTENT WITHIN RESIDENT INFORMATION ASSURANCE TRAINING.
COMMANDERS SHALL ENSURE THIS INFORMATION IS DISSEMINATED THROUGH WIDEST
MEANS, INCLUDING POSTING ON ORGANIZATIONAL BULLETIN BOARDS.
7. QUESTIONS
REGARDING IMPLEMENTATION SHOULD BE DIRECTED TO THE POCS LISTED.
INFORMATION REGARDING PRIVACY ACT AND PII CAN BE FOUND AT
HTTP:(SLASH)(SLASH)PRIVACY.NAVY.MIL,
OR HTTPS:(SLASH)(SLASH)HQDOD.HQMC.USMC.MIL/PII.ASP //