BreachExchange mailing list archives

Navy took more than a year to announce personal data breach


From: Richard Forno <rforno () infowarrior org>
Date: Fri, 2 Apr 2010 10:28:30 -0400

Navy took more than a year to announce personal data breach
By Federal Diary
Friday, April 2, 2010; B03

http://www.washingtonpost.com/wp-dyn/content/article/2010/04/01/AR2010040103745_pf.html
In case of danger or a natural disaster, the U.S. Navy can rapidly  
dispatch troops, fighter jets or relief supplies to troubled areas  
around the world.

So why did it take the Navy 17 months to inform employees at the Naval  
Facilities Engineering Service Center in Port Hueneme, Calif., that  
their Social Security numbers had been inadvertently released?

The information was sent in May 2008 to three other employees whose  
security access had been suspended for reasons unrelated to the  
information breach.

E-mails obtained by The Washington Post indicate that Navy officials  
quickly realized employees should be informed. But that was not done  
until October 2009. The names of those sending and receiving the  
messages were blocked out, but their offices, and in some cases their  
positions, were not.

An e-mail dated June 6, 2008, to the chief of naval operations and the  
Navy's chief information officer, among others, cites a report from a  
month earlier on personally identifiable information and reads, "A  
list of employees was generated (128) that reflected the names, social  
security numbers and perceived security clearance issues relating to  
each of named employees."

The June 6 e-mail says there was no criminal activity involved, though  
the Navy's general counsel was notified. It also says that the  
personal data are confidential and that their use is restricted. A  
June 9 e-mail from a Navy "privacy team leader" says the employees  
"must be issued letters stating that they are at increased risk for  
identity theft due to the high risk nature of PII [personally  
identifiable information] that was compromised." This note even  
indicates where a sample letter can be found on the Navy's Web site.

But the 244 employees -- subsequently increased from 128 -- were not  
notified until much later.

On Oct. 9, 2009, Capt. P.B. Gomez, commanding officer of the  
engineering service center, sent a letter to employees calling the  
breach "a potential compromise of your Personally Identifiable  
Information (PII) that was recently brought to my attention although  
it occurred over a year ago."

Gomez added: "The Command is not aware of any evidence to suggest that  
your PII has been misused or further distributed. . . . We regret this  
unfortunate development and any inconvenience or undue concerns this  
may cause."

Employee organizations have pressed the Navy for identity-theft  
insurance, so far with no luck. "They have not negotiated with us at  
all," said Rodney Raether, president of the National Association of  
Government Employees. "They just held us off."

In a letter to Navy officials, Raether said the harm to employees  
could go beyond identity theft, because that can lead to a poor credit  
rating, which could affect an employee's security clearance.  
"Employees are at risk and face loss of reputation and then face the  
loss of their security clearance for the failure of the Command to act  
to protect them and to ensure that procedures are followed to make it  
harder for it to happen again," Raether wrote.

Officials at the engineering service center declined to answer several  
specific questions submitted by Federal Diary. As "our command's  
official response," the public affairs office did provide a copy of a  
letter from Gomez -- who was not in charge at the time of the breach  
-- to the editor of the Ventura County Star, which broke the story.

The letter says the information was sent to three employees who  
"already had access to this personal information in the performance of  
their normal duties." The employees, however, had their security  
access privileges suspended at the time and expected to get  
information only related to their cases.

"When it came to my attention that there was a release of personal  
information," Gomez continued, "I decided to notify the more than 200  
affected employees that a non-government entity may have seen their  
personal information." The "non-government entity" was lawyers for two  
of the three workers who fought their security access suspension.

The Navy did provide employee organizations a limited amount of  
information in reply to questions they submitted. The answers,  
however, were not very informative and in some cases directly  
contradict what was in the e-mails.

In answer to a question about why it took so long for employees to be  
notified, the Navy told the Federal Union of Scientists and Engineers  
that "in June 2008 the command believed there was no compromise of PII  
as the information was provided only to members of the command who  
already had access to this information in the performance of their  
duties."

The notion that officials didn't believe there was a compromise of  
personal information is challenged not only by the June 9, 2008, e-mail  
from the privacy team leader, but also by a June 6 e-mail from  
"NAVFAC Wash," Naval Facilities Washington, which says, "NFESC needs  
to make a notification of the PII breach today."

Today didn't come until more than a year later. 
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
