PII Breach Reporting
PII Breach: A loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, or for a purpose other than an authorized one, have access or potential access to personally identifiable information, whether physical or electronic. This includes, but is not limited to, posting PII on public-facing websites; sending it via e-mail to unauthorized recipients; providing hard copies to individuals without a need to know; loss of electronic devices or media storing PII (for example, laptops, thumb drives, compact discs, etc.); use by employees for unofficial business; and all other unauthorized access to PII.
Actions When a PII Breach Occurs:
- Upon discovery, take immediate actions to prevent further disclosure of PII and immediately report the breach to your supervisor. (Note: Do not report the disclosure of non-sensitive PII.)
- Supervisors should report the breach to the Privacy Coordinator (3-1550) as soon as possible after mitigating the effects of the disclosure, but no longer than one hour after discovery.
- The Privacy Coordinator will take the required actions to report the incident.
- Supervisors and employees discovering the breach should report the following information to the Privacy Coordinator (3-1550 or firstname.lastname@example.org):
  - Date of incident.
  - Number of individuals impacted and whether they are government civilians, military, contractors, or private citizens.
  - Description of the incident, including the cause or suspected cause of the breach, which PII elements were involved, whether the PII was encrypted or password protected, whether the individuals seeing the data had a need to know, and (if email related) whether the email stayed within the USNA network domain.
- If notification is required, the department responsible for the breach is responsible for generating the notification letters for the Chief of Staff’s signature within 5 days after receiving notice that notifications are required. The letters have to be generated, signed, and mailed within 10 days. The department responsible for the breach will ensure the letters are mailed within 10 days. (View sample breach notification letter)
- Supervisors of the parties responsible for the breach will report what disciplinary and/or administrative actions were taken. Parties responsible are, at a minimum, required to retake PII refresher training. Report what actions have been taken to the Privacy Coordinator within 15 days. (View Consequences for Mishandling PII)
Privacy Act Complaints:
- All Privacy Act complaints should be sent to the Privacy Coordinator for processing.