PII Breach Reporting
A loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic. This includes, but is not limited to, posting PII on public-facing websites; sending via e-mail to unauthorized recipients; providing hard copies to individuals without a need to know; loss of electronic devices or media storing PII (for example, laptops, thumb drives, compact discs, etc.); use by employees for unofficial business; and all other unauthorized access to PII.
Actions When a PII Breach Occurs:
- Upon discovery, take immediate action to prevent further disclosure of the PII and immediately report the breach using the Defense Privacy Information Management System (DPIMS) portal at https://dpims.disa.mil/eCasePortal. First-time users will have to self-register their CAC, which takes only a couple of minutes, before submitting the breach report. Note: If you are having trouble reaching the portal website, log into the USNA DREN VPN and try navigating to the portal again. If you still cannot reach the portal over the DREN VPN, report the breach to the USNA Privacy Coordinator (email@example.com, 3-1550) using DD Form 2959.
- Do not include any PII in the breach report sent to the Privacy Coordinator. The Privacy Coordinator will contact you if additional details are needed, such as the name and contact information of the member responsible for the breach.
- The disclosure of non-sensitive PII (name, official phone number, official email address, DoD ID number, pay grade, rank...) or a member's own PII is not considered a breach per the Navy's Breach Response Plan, and it should not be reported.
- The Privacy Coordinator will review the breach in DPIMS and take the required actions to report the incident to the Senior Component Official for Privacy (SCOP).
- If notifications are required, the department responsible for the breach is responsible for generating the notification letters for the Chief of Staff’s signature within 5 days of receiving notice that notifications were required. The letters have to be generated, signed, and mailed within 10 days. The department responsible for the breach must ensure the letters are mailed within the 10 day window. (View sample breach notification letter)
- When a breach is ready to be closed out, the supervisors of the parties responsible for the breach will provide the Privacy Coordinator with: the disciplinary and/or administrative actions taken as a result of the breach; lessons learned; the actions taken to prevent recurrence; and confirmation that all information required to be deleted has been deleted. At a minimum, members responsible for a breach are required to retake the annual PII training. (View Consequences for Mishandling PII)
Privacy Act Complaints:
- All Privacy Act complaints should be sent to the Privacy Coordinator (firstname.lastname@example.org, 3-1550) for processing.