PII violations on the rise

By Nathan Pfau, Army Flier Staff WriterApril 18, 2012

PII violations on the rise
Ralph Hawn, security division security specialist, stands with the new high-volume shredder that is being assembled. Future plans for the shredder include a CD and DVD destroyer and a degausser, which eliminates unwanted magnetic fields and also has ... (Photo Credit: U.S. Army) VIEW ORIGINAL

FORT RUCKER, Ala. (April 19, 2012) -- Ignorance may be the primary culprit behind personally identifiable information violations being on the rise at Fort Rucker, but that's no excuse if that sensitive information falls into the wrong hands.

PII is any combination of information that can be used to identify a person, according to Deborah Seimer, Fort Rucker director of Human Resources.

"What everybody is really familiar with about PII is identity theft," she said, "and the biggest thing is Social Security numbers with a name and date of birth."

A person with any combination of that information has the potential to violate another's PII, said Seimer, but most times, the person careless with their own information is the one to blame.

"One of the things that we've noticed [on Fort Rucker] is people seem to be under the misunderstanding that the green recycling bins are safe for PII to be put into," she said. "Those bins are not to be used for putting any type of PII in because what is in those bins doesn't go from their office to a shredder. It's very important to protect [PII]. Once it goes into a recycling bin, that information is no longer protected."

Any type of information that is disposed of in the recycling bins has the potential to be viewed by anyone with access to those bins, said Seimer. From the office, that information can travel miles to the recycling center where it is picked up by an organization outside Fort Rucker.

"People are cleaning out their files and not thinking about what could happen putting that information into the recycle bin," she said.

Seimer said that many people mistakenly believe that if the files they are throwing out are old, then they have no pertinent information on them. Regardless of how old they are, if the files or documents have any type of PII on them, they need to be destroyed properly by shredding, she added.

"People think that by recycling they are doing some good, which is fine," said the director, "but if they aren't disposing of PII properly, they could be jeopardizing more than just themselves.

"If [people] are throwing away things like manuals that are limited distribution or maps, any type of information like that can give information to our adversaries about what we're doing on Fort Rucker," said Seimer. "That kind of information is commonly found in combination with PII, and when that happens, the security office has to get involved and assess the situation."

Most of the organizations and offices on post have shredding machines and the installation has a high-volume shredding machine run by the security office that is available to use, she said, so people have no excuse not to properly destroy PII documents.

"All people have to do is contact the security office and take a class that will authorize them to sign out the key for the shredder," said Seimer.

Other ways that people can violate and mishandle PII is by maintaining a system of records without public notice, requesting or obtaining records under false pretenses or disclosing PII to any person that isn't entitled to access it, said Philip T. Anderson, attorney for the administrative and civil law division of the Office of the Staff Judge Advocate.

There have been four violations regarding PII since December, according Seimer, and she said it's because people don't understand the consequences that could come from improperly disposing of that material.

"It compromises the mission, puts individuals in jeopardy and puts lives at risk -- it's not just paper they are [mishandling]," she said.

Anderson said that people found in violation of mishandling PII have the potential to be hit with civil penalties that range from payment of damages and attorney fees to personnel action that can include termination of employment and possible prosecution. He added that criminal penalties can also be handed down, from a $5,000 fine to misdemeanor criminal charges, if the violation is severe enough.

"[PII violations] can be a pretty big deal," said Seimer. "The operational security manager has to get involved as well as the security office to assess the situation, and that can all take a lot of time."

Mishandling of PII is not only a problem when it comes to disposal of physical documents, she said, it also applies to electronic data, adding that there have also been incidents where people on the installation are mishandling PII electronically through emails that haven't been properly encrypted.

"We're all familiar with the case where an individual with a laptop containing millions of peoples personal information was stolen because someone was careless with that information," said Seimer. "Once that information is [compromised], it's a lot of work to try and get it back, and the stress and cost that is involved with that is avoidable if people are just a little more careful with that information."