thedrifter
07-18-06, 12:38 PM
Protecting your privacy
Rash of data incidents prompts Corps to focus on private-information safety
By John Hoellwarth
Marine Corps Times Staff writer
More than three months after a Marine major at the Naval Postgraduate School in Monterey, Calif., lost a thumb drive containing the Social Security numbers of more than 200,000 Marines, the device remains missing.
Although there is no evidence that the information on the thumb drive — a removable device that stores data — has been compromised, Marine Corps headquarters’ manpower information systems branch is working on recommendations to the commandant about how the service can better safeguard personal information protected by the Privacy Act.
At the time of the thumb drive incident, the major was a student at the Monterey school and was doing a thesis project on retention. The data he was crunching included personal information on Marines who began or ended an active-duty contract between January 2001 and December 2005. Officials said the information likely wouldn’t fall into the wrong hands, since the drive was lost on a government installation.
But the loss began a string of incidents in the following weeks involving the loss of service members’ personal information.
In May, the home of a Department of Veterans Affairs employee was burglarized and a government laptop computer containing the Social Security numbers of 28.7 million active-duty service members and veterans, including National Guard and reserve members, was stolen. The computer was later recovered, and the FBI concluded the missing data were neither accessed nor compromised, according to a government investigation report released July 11.
On July 6, Navy officials discovered that personal information on more than 100,000 aviation sailors and Marines was available on the Naval Safety Center’s Web site. The discovery followed a recent incident in which Privacy Act information on more than 30,000 sailors was available on a civilian Web site that listed military members affected by Hurricane Katrina in 2005.
Cumulatively, these events have created a “political window” for the Marine Corps to examine new approaches to handling Privacy Act information in ways that would keep the data from falling into the wrong hands, according to Lt. Col. Mike Perry, head of the manpower information systems technology branch.
“We were aware of this a year and a half ago, but it’s amazing how it is now the topic du jour,” he said.
Standard practice
Perry said the Marine Corps’ use of Social Security numbers on just about every document, roster and list has been standard business practice for the Corps.
He said he recently looked back at the letters he received while in Officer Candidates School. His full Social Security number was on all the envelopes because, at the time, it had been part of his address, he said.
He also has awards certificates from the Marine Corps that include his Social Security number right under his name, which is why he can’t hang them up in the office, he said.
“People didn’t think twice about putting your SSN on a piece of paper routed through 15 layers of [Marine Corps] headquarters,” he said. “We’re a small organization, so I’d like to think we can be more nimble at being responsive to technological threats.”
Perry said the Corps is considering moving away from using Social Security numbers to identify Marines. Instead, the service may go back to the Vietnam-era use of service numbers or develop hybrid identification numbers that use the last four digits of a Social Security number, the Marine’s name and his military occupational specialty.
Bob Brown, head of manpower information systems, said going back to service numbers has been examined, but that it is ultimately not feasible because the Corps does not have the authority to issue its own unique military identification cards, which currently include a service member’s SSN. Until the Defense Department decides to adopt service numbers for all branches of the military, the ID cards will continue to identify military members by SSN.
In the meantime, Brown said, the Corps is creating a working group that will include all elements of Marine Corps headquarters. The group would forward recommendations on how the service can cut down on its internal use of Social Security numbers by modifying the software of the Corps’ information systems.
“Here’s the concept: If you’re a database user and you need to sort hundreds of thousands of people, the SSN allows you to rapidly sort,” Brown said. “But if I would simply mask that field, the system would be able find and sort by SSN, but the user wouldn’t see it.”
Brown said every idea is on the table and that the Corps is also looking at encrypting SSNs so that “the user thinks it looks like a ‘Social,’” but only the computer knows what number the digits truly represent.
Perry said the Corps is taking a comprehensive look at its widespread use of full SSNs on printed personnel reports, rosters, awards certificates, e-mail correspondence and other documents, to see whether this is necessary.
“Eight out of 10 times, it isn’t,” he said.
Now a priority
Both Brown and Perry say the push toward a more frugal use of Privacy Act information in the way the Corps does business is a priority for many of the service’s top officers, including Lt. Gen. H.P. Osman, deputy commandant for Manpower and Reserve Affairs, who insisted that his Marines scour their units’ Web sites for Privacy Act information, following the Naval Safety Center incident.
Brown said he wants to spread the word about the individual responsibility of Marines to safeguard Privacy Act information by password-protecting it when storing it on shared drives and encrypting it when storing it on removable hard drives.
“We’re trying to tell folks that a ‘Social’ is the same as a loaded weapon, and we teach Marines how to handle loaded weapons. So we’re trying to teach people the proper care and handling of Privacy Act data.”
Brown said Marines may soon see a Corpswide message that spells out exactly how they are expected to handle sensitive personal information.
The Privacy Act mandates “no disclosure without consent of the record subject,” and Marines who handle personal information face possible disciplinary action if the information is misused or misplaced.
To avoid getting into trouble accidentally, Brown advises Marines to visit www.privacy.navy.mil and study the procedures for handling and storing sensitive data.
Rash of data incidents prompts Corps to focus on private-information safety
By John Hoellwarth
Marine Corps Times Staff writer
More than three months after a Marine major at the Naval Postgraduate School in Monterey, Calif., lost a thumb drive containing the Social Security numbers of more than 200,000 Marines, the device remains missing.
Although there is no evidence that the information on the thumb drive — a removable device that stores data — has been compromised, Marine Corps headquarters’ manpower information systems branch is working on recommendations to the commandant about how the service can better safeguard personal information protected by the Privacy Act.
At the time of the thumb drive incident, the major was a student at the Monterey school and was doing a thesis project on retention. The data he was crunching included personal information on Marines who began or ended an active-duty contract between January 2001 and December 2005. Officials said the information likely wouldn’t fall into the wrong hands, since the drive was lost on a government installation.
But the loss began a string of incidents in the following weeks involving the loss of service members’ personal information.
In May, the home of a Department of Veterans Affairs employee was burglarized and a government laptop computer containing the Social Security numbers of 28.7 million active-duty service members and veterans, including National Guard and reserve members, was stolen. The computer was later recovered, and the FBI concluded the missing data were neither accessed nor compromised, according to a government investigation report released July 11.
On July 6, Navy officials discovered that personal information on more than 100,000 aviation sailors and Marines was available on the Naval Safety Center’s Web site. The discovery followed a recent incident in which Privacy Act information on more than 30,000 sailors was available on a civilian Web site that listed military members affected by Hurricane Katrina in 2005.
Cumulatively, these events have created a “political window” for the Marine Corps to examine new approaches to handling Privacy Act information in ways that would keep the data from falling into the wrong hands, according to Lt. Col. Mike Perry, head of the manpower information systems technology branch.
“We were aware of this a year and a half ago, but it’s amazing how it is now the topic du jour,” he said.
Standard practice
Perry said the Marine Corps’ use of Social Security numbers on just about every document, roster and list has been standard business practice for the Corps.
He said he recently looked back at the letters he received while in Officer Candidates School. His full Social Security number was on all the envelopes because, at the time, it had been part of his address, he said.
He also has awards certificates from the Marine Corps that include his Social Security number right under his name, which is why he can’t hang them up in the office, he said.
“People didn’t think twice about putting your SSN on a piece of paper routed through 15 layers of [Marine Corps] headquarters,” he said. “We’re a small organization, so I’d like to think we can be more nimble at being responsive to technological threats.”
Perry said the Corps is considering moving away from using Social Security numbers to identify Marines. Instead, the service may go back to the Vietnam-era use of service numbers or develop hybrid identification numbers that use the last four digits of a Social Security number, the Marine’s name and his military occupational specialty.
Bob Brown, head of manpower information systems, said going back to service numbers has been examined, but that it is ultimately not feasible because the Corps does not have the authority to issue its own unique military identification cards, which currently include a service member’s SSN. Until the Defense Department decides to adopt service numbers for all branches of the military, the ID cards will continue to identify military members by SSN.
In the meantime, Brown said, the Corps is creating a working group that will include all elements of Marine Corps headquarters. The group would forward recommendations on how the service can cut down on its internal use of Social Security numbers by modifying the software of the Corps’ information systems.
“Here’s the concept: If you’re a database user and you need to sort hundreds of thousands of people, the SSN allows you to rapidly sort,” Brown said. “But if I would simply mask that field, the system would be able find and sort by SSN, but the user wouldn’t see it.”
Brown said every idea is on the table and that the Corps is also looking at encrypting SSNs so that “the user thinks it looks like a ‘Social,’” but only the computer knows what number the digits truly represent.
Perry said the Corps is taking a comprehensive look at its widespread use of full SSNs on printed personnel reports, rosters, awards certificates, e-mail correspondence and other documents, to see whether this is necessary.
“Eight out of 10 times, it isn’t,” he said.
Now a priority
Both Brown and Perry say the push toward a more frugal use of Privacy Act information in the way the Corps does business is a priority for many of the service’s top officers, including Lt. Gen. H.P. Osman, deputy commandant for Manpower and Reserve Affairs, who insisted that his Marines scour their units’ Web sites for Privacy Act information, following the Naval Safety Center incident.
Brown said he wants to spread the word about the individual responsibility of Marines to safeguard Privacy Act information by password-protecting it when storing it on shared drives and encrypting it when storing it on removable hard drives.
“We’re trying to tell folks that a ‘Social’ is the same as a loaded weapon, and we teach Marines how to handle loaded weapons. So we’re trying to teach people the proper care and handling of Privacy Act data.”
Brown said Marines may soon see a Corpswide message that spells out exactly how they are expected to handle sensitive personal information.
The Privacy Act mandates “no disclosure without consent of the record subject,” and Marines who handle personal information face possible disciplinary action if the information is misused or misplaced.
To avoid getting into trouble accidentally, Brown advises Marines to visit www.privacy.navy.mil and study the procedures for handling and storing sensitive data.