A PII breach is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic. This includes, but is not limited to, posting PII on public-facing websites; sending PII via e-mail to unauthorized recipients; providing hard copies of PII to individuals without a need to know; loss of electronic devices or media on which PII is stored; use of PII by employees for unofficial business; and all other unauthorized access to and use of PII.
Immediate Actions to be Taken if a PII Breach Occurs
The most important thing to do if you discover that a breach of PII has occurred or is ongoing is to STOP IT as soon as possible.
- If a PII breach is discovered, immediately take action to stop and prevent further disclosure of PII, and immediately report the breach to your supervisor or college/program Dean of Administration and to the IT Service Desk.
- NDU supervisors and Deans should confirm the report has been made to the IT Service Desk, and report the breach to the NDU Senior Component Official for Privacy (SCOP) or NDU Privacy Officer as soon as possible after mitigating the breach, but no longer than one hour after the discovery of the breach.
- The ITD Help Desk, NDU SCOP and/or NDU Privacy Officer will then take further required actions to report the breach incident.
Repercussions for NDU Personnel Who Breach PII Security
NDU faculty, staff or students found responsible for a PII breach will be required, at minimum, to complete a PII refresher training course and submit their certificate of completion to their supervisor. NDU supervisors must report to the NDU SCOP within 15 days of the breach what disciplinary and/or administrative actions were assessed against those personnel responsible for a breach.
Notification of Affected Parties
- If notification is required, the NDU department responsible for the breach is responsible for generating the notification letters for the Chief of Staff's signature within 5 days after receiving notice that notifications are required.
- The letters have to be generated, signed, and mailed within 10 days.
- The department responsible for the breach will ensure the letters are mailed within 10 days.
NDU Breach Response Plan
Internal Communications and Reporting
The NDU "Incident Response Plan (IR-8)," dated 12 June 2018, applies to all military, civilian and contracted NDU personnel, and is to be used when there is a known or suspected loss of NDU personally identifiable information (PII). All NDU personnel are required to immediately report to the IT Service Desk any confirmed or suspected security incidents below, for recording in the IT Service Management Application (ITSMA).
- Inappropriate Usage
- Malicious Code
- Unauthorized Access
- Denial of Service
- Compromise or breach of PII
The Service Desk ensures the Incident Response Team Manager (IRTM) has acknowledged security incidents reported in the ITSMA within one hour. If the IRTM does not acknowledge the incident, the incident report is escalated to the Chief Information Security Officer (CISO).
The IRTM initiates and manages all IR reporting activities. If an incident occurs outside normal business hours, reporting may be completed the next business day. The IRTM records all incident activities in the "Incident Response Reporting Form" for the purposes of documentation, evidence preservation, and to address liability issues, including but not limited to:
- Events, precursors and indications leading up to the incident declaration
- All actions taken by the IRT to detect, analyze, contain, eradicate and recover from the incident from the moment the incident was detected to final resolution (including timestamps)
- All communications that transpire between the IRT members and any other NDU offices/personnel, including but not limited to HR, Personnel, the Service Desk and IT staff
- All communications that transpire between the IRT and any external organizations
External Communications and Reporting
The CISO serves as primary POC, and the CIO serves as secondary POC, for external communication of IR and IR reporting, to include:
- Reporting confirmed PII-related incidents within one hour to the US-CERT and the DoD CIO; and,
- Reporting incidents to US-CERT within one hour of discovery/detection, based on the reporting requirements in DODM 5200.01, Volume 3, "DoD Information Security Program: Protection of Classified Information," (Feb 2012).
Breach Reporting Resources
- US-CERT Federal Incident Notification Guidelines: This document provides guidance to federal agencies for submitting incident notifications to the National Cybersecurity and Communications Integration Center (NCCIC)/United States Computer Emergency Readiness Team (US-CERT).
- US-CERT Incident Reporting System: The US-CERT Incident Reporting System provides a secure web-enabled means of reporting computer security incidents to US-CERT.