Smart Business: Protect Personal Information

  • Published
  • By Airman 1st Class Eboni Reece
  • 27th Special Operations Wing Public Affairs
(Editor's note: This story has been localized by the Moody Air Force Base Privacy Act manager. The original story can be found here: http://www.cannon.af.mil/news/story.asp?id=123358574)

Everyone is required to safeguard and protect personal information. From social security and telephone numbers to e-mail addresses, each and every Flying Tiger at Moody Air Force Base, Ga., handles Personally Identifiable Information (PII). PII is any information about an individual that can be used to distinguish their identity. Failure to handle PII properly could result in a vulnerability known as a PII breach.

Six PII breaches have been attributed to Moody since October 2013. The breaches revealed personal information of 3,400 personnel. This loss of control of PII could result in identity theft, fraud or unauthorized access to Air Force networks.

A PII breach is defined as a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access or any similar term referring to situations where persons other than authorized users and for other than authorized purpose have access or potential access to PII, whether physical or electronic.

The abuse of such information can not only affect separate individuals, but ultimately poses a threat to the entire Air Force. In many cases in which PII has been compromised, information is released that can be used to steal someone's identity. It is vital for every individual to understand how to properly safeguard their personal information and the information of others.
As the world moves steadfastly into the digital age, more and more information is being stored and transmitted via email and by other electronic means. Whether it is an effort to work smarter and not harder or simply an attempt at saving mass quantities of paper, e-mails are often sent to distribution lists containing PII, such as alpha, recall and unit personnel management rosters, for mission essential purposes. To protect the sensitivity of this information, it is important to adhere to the guidance provided within Air Force Instruction 33-332: The Air Force Privacy and Civil Liberties Program.

According to AFI 33-332, sending unencrypted e-mails containing Privacy Act information to distribution, group or non ".mil" email addresses is strictly prohibited. This is how a majority of PII breaches are caused.

If one needs to send an email containing Privacy Act/PII, it must be encrypted, have the acronym that stands for 'For Official Use Only' at the beginning of the subject line and include the official Privacy Act statement at the beginning of the email. In addition to that, the Privacy Act statement cannot be indiscriminately applied to all e-mails. It must only be included when transmitting PII, which is required to be protected For Official Use Only purposes.

Most breaches are not caused deliberately or with malicious intent. However, the act of simply forwarding an email containing PII to one's personal email address is a violation of the aforementioned AFI. An action that one may complete for convenience purposes could potentially leave bits of PII open to being compromised.

PII breaches do not solely occur at the fingertips of lackadaisical email composers, however. The protection of tangible PII is equally important. High sensitive items such as performance reports, recall rosters and any document containing an individual's social security number left in a common area could result in loss or theft. It may seem harmless, but leaving personal information in unsecured vehicles and file drawers, unattended workplaces, in checked baggage during travel or the storage/use of such sensitive information in personal media can also make PII vulnerable to getting in the wrong hands.

These are all acts that can unknowingly be done on a daily basis by Airmen Air Force wide. As the number of PII breaches rises, it is imperative that each Airman understands what constitutes PII, how it should be handled and that it is everyone's responsibility to abide by the regulations and report any inappropriate disclosures.

If any Moody Airman discovers any unauthorized disclosures of PII data, report it immediately through the chain of command to the base Privacy Act manager, Nelda McDonough.

Lost, stolen or possibly compromised PII must be reported to US CERT (http://www.us-cert.gov/) within one hour of the discovery. An investigation will be initiated and personnel who fail to adhere to guidelines outlined in AFI 33-332 may be susceptible to punishment under the Uniformed Code of Military Justice Article 92 or civil equivalent.

No one is immune to identity theft. The financial and psychological price tag associated with repairing an individual's identity can be costly and may require numerous years to accomplish. Each Airman must be vigilant in preserving their personal Privacy Act rights as well as the PII of their wingman.