On this year’s National Data Privacy Day, Jan. 28, VA’s Privacy Service hosted a Privacy In Action speaker series event entitled “Incident Management: How to Handle a Privacy Incident.” The series allows VA’s Privacy Service to define issues, identify best practices and share information across agencies to better protect Veteran information.
The expert panel consisted of Marc Groman, the senior advisor for privacy at the U.S. Office of Management and Budget; Lyn Rahilly, the assistant director for privacy and records at the U.S. Immigration and Customs Enforcement (ICE); and Steve Muck, the director of privacy and information sharing at the U.S. Department of the Navy. VA Privacy Service director LaShaunné David moderated the event.
The mission of VA’s Privacy Service is to preserve and protect the personally identifiable information (PII) of Veterans, their beneficiaries and VA employees by promoting a culture of privacy awareness and maintaining trust. The Privacy Service oversees and directs the development of VA’s privacy programs based on the Privacy Act of 1974 and makes recommendations to senior officials on privacy priorities. As the impact of privacy issues increases, VA’s Privacy Service adapts its strategies to ensure compliance with federal and VA-specific requirements.
The event began with Marc Groman’s presentation describing different types of incidents and assessing which parties within an agency should be involved in each incident response. He noted that while all incidents are different, it is essential that the incident response team engage only the relevant subject matter experts and manage messaging and outreach throughout the process.
Lyn Rahilly described ICE’s response to a recent privacy incident involving the PII of various contractors. Her department had to decide the best course of action for notification and remediation given that the Social Security numbers (SSNs) involved were not clearly identified as PII. ICE chose email notifications for contractors who were still with the agency and mailed notifications, sent through an outside vendor, for those who had left. She discussed lessons learned, such as making direct contact with those affected and applying a quality assurance check to email messaging before it goes out.
Steve Muck discussed top areas of concern for the Navy in safeguarding PII, including unencrypted email, class rosters containing SSNs, unprotected PII on shared drives and PII stored on personal devices. He went into detail about insider threats and unauthorized employees accessing PII. Muck shared his agency’s response and ongoing investigation into a Navy privacy incident. He noted that closely monitoring employees who have access to PII and keeping thorough records of who accessed PII, and when, are critical to mitigating insider threats.
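Two of the concerns above, SSNs sitting in rosters on shared drives and SSNs that are not labeled as PII in the records that hold them, share a practical fix: scan file contents for the SSN pattern itself rather than trusting field names. The following Python is an added example written for this page, not code from VA, ICE or the Navy. The file contents are constructed sample data, and the findings are masked to the last four digits so that the scan report does not itself become a new copy of the PII. The structural checks (area 000, 666 or 900 and above, group 00, serial 0000 are never issued) are the publicly documented SSN invalidity rules; the regex deliberately requires hyphens, so plain nine-digit runs such as tracking numbers are not flagged.

```python
import re

# Constructed sample data standing in for files found on a shared drive
# (not real records). roster_spring.txt is the "class roster with SSNs"
# case; invoice.txt contains SSN-shaped numbers that are structurally
# invalid; notes.txt contains look-alike numbers that are not SSNs.
SAMPLE_FILES = {
    "roster_spring.txt": "Smith, J.\t123-45-6789\tSection A\n"
                         "Doe, A.\t219-09-9999\tSection B\n",
    "invoice.txt": "Contract 000-12-3456 total $4,500.00; "
                   "order 666-01-0001; ref 987-65-4321\n",
    "notes.txt": "Meeting at 3pm. Phone 555-123-4567. Tracking 123456789.\n",
}

# Hyphenated AAA-GG-SSSS only; the lookarounds stop a match from starting or
# ending inside a longer digit run (account numbers, timestamps, etc.).
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return every structurally plausible SSN found in text, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def redact(ssn: str) -> str:
    """Mask all but the last four digits for use in findings reports."""
    return "***-**-" + ssn[-4:]


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each file name to the masked SSNs it contains; files with no
    plausible SSNs are omitted so the report lists only real findings."""
    report = {}
    for name, body in files.items():
        hits = find_ssns(body)
        if hits:
            report[name] = [redact(h) for h in hits]
    return report


if __name__ == "__main__":
    for name, masked in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {len(masked)} SSN(s) -> {', '.join(masked)}")
```

Run against a real share, the only change is reading file bodies from disk instead of `SAMPLE_FILES`; the findings should go to the privacy office through the incident process described above, not be emailed around unencrypted, which would reproduce the very exposure being hunted.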
Following the presentations, the panelists took questions from the moderator and the audience. Rahilly and Muck discussed what their agencies did to support employees in the wake of the Office of Personnel Management data breaches. All three panelists shared best practices for safeguarding PII. Groman warned employees to beware of phishing attacks, especially in the wake of privacy incidents, and to use strong, unique passwords for each account and change them regularly. Muck cautioned against faxing any document containing PII unless absolutely necessary, because fax systems lack meaningful security controls. Rahilly noted that training on proper handling of PII needs to be taken seriously by employees rather than clicked through in online modules, and that agencies need to make employees comfortable reporting mistakes that could lead to privacy incidents.
For VA employees, the next Privacy In Action Speaker Series event will be a webinar on Thursday, Apr. 21, focusing on “Exploring new technologies: How safe is the cloud?”
About the author: Kimberly M. Hollingsworth is with the VA Privacy Service.