1. The draft CAPR 1-2, Personally Identifiable Information, was posted on the NHQ website for comments from 20 Dec Jan 12.

Transcription

1 NATIONAL HEADQUARTERS CIVIL AIR PATROL UNITED STATES AIR FORCE AUXILIARY 105 SOUTH HANSELL STREET MAXWELL AIR FORCE BASE, ALABAMA March 2012 MEMORANDUM FOR NHQ/EX CAP/CC IN TURN FROM: EXS SUBJECT: CAPR 1-2, Personally Identifiable Information 1. The draft CAPR 1-2, Personally Identifiable Information, was posted on the NHQ website for comments from 20 Dec Jan 12. a. Comments received and incorporated in final draft: Paragraph 1. I think the word personnel in this line should be personal. RESPONSE. Incorporated. Paragraph 3b. There is a list of detailed directives regarding the handling of PII - I would propose to add: (7) If PII is to be transmitted via radio, only the absolute minimum amount of information essential to mission accomplishment should be transmitted using encrypted radio transmissions if possible. Communicators should ensure that all stations receiving the transmission are at a location where unauthorized or non-essential personnel will not overhear it. RESPONSE: Incorporated first sentence. There is no feasible way to enforce the second sentence. Paragraph 3b(3). Change to active voice. "Do not leave laptops, tablet PCs, smartphones, USB flash drives or personal digital assistants (PDA) containing PII unattended." RESPONSE: Incorporated. Paragraph 4b. If "deleting the file" is not adequate, I recommend stating that in this paragraph, otherwise many people will just delete a file and call it good. RESPONSE: Incorporated. Paragraph 5. Do you mean "practical" here? RESPONSE: Changed to read feasible.

2 Paragraph 5. This paragraph should also state specifically what information should and should not be included in a message to NHQ/GC and to the other commanders in the chain of command. For instance, the name and CAPID number of the people affected should be included, but specific, personally identifiable information about the PII that was compromised should NOT be included. RESPONSE: Incorporated. Added wording to paragraph 5. b. Comments received and not incorporated in final draft: Paragraph 1. NB MEMBER. I would recommend that directory information regarding CAP members (name, CAPID, CAP grade, CAP duty assignment(s), phone numbers, and physical addresses) should be excluded from the definition of personally identifiable information. As a membership organization, CAP wings (including MDWG) and squadrons frequently publish directory information to their members. This enables members and leadership to get in touch with one another, and serves a legitimate, useful purpose. Likewise, there are times when a member needs to know another member s CAPID, e.g., when entering flight crew information into WMIRS, and knowing an individual s grade and duty assignment is also of general utility. Internal dissemination of such information, with a FOUO marking, should not be restricted. RESPONSE: Not incorporated. CAPID, CAP grade, CAP duty assignment(s) are not listed in the draft regulation as being PII. The remaining items are PII by definition. The regulation states, Unauthorized access to the PII of members/employees must be prevented to the maximum extent possible which is appropriate to the distribution of directors/phone lists. Paragraph 1. I recommend adding "physical and/or mailing address" and " addresses" to your PII examples. You give examples, but the list is so long that folks will take that as the only PII even though that's not your intent. REPONSE: Not incorporated. It is not feasible to list every possible example of PII. The regulation states that, Examples of PII include, but are not limited to... Paragraph 1. I strongly oppose phone numbers being included as PII, and while not specifically noted in the draft, one could assume that addresses would also be considered PII. Our websites need to have contact information for the PUBLIC to be able to contact a Unit Commander or Recruiting Officer to inquire about joining and perhaps the meeting address of the Squadron. addresses are fairly easy to use to identify the owner. As for phones, cell phones can, like land lines, be easily looked up on the internet. However, both should be available for contact purposes. RESPONSE: Not incorporated. The definition of what is and is not PII comes from outside of CAP. The referenced paragraph states, PII shall...be provided for official CAP business only. The application described by the commenter is official CAP business. know another member s CAPID, e.g., when entering flight crew information into WMIRS, and knowing an individual s 2

3 grade and duty assignment is also of general utility. Internal dissemination of such information, with a FOUO marking, should not be restricted. Paragraph 3b(1). NB MEMBER. I am not sure if you want to say all Personal Information should be under " lock and key." I would leave out that requirement and have a statement that says something like "PI should not be left in the open but secured in a desk or fliling cabinet where it would not be exposed to public view". RESPONSE: Not incorporated. This concept is covered in paragraph 3b(2) of the draft. Paragraph 3b(2). The requirement for protecting PII when you leave your work area should be that the data must be secured, either in a locked cabinet/desk or the electronic file should be closed to the point where a password is needed in order to regain access to the material. Leaving this type of material lying out on a work station, even for the purpose of visiting a restroom or getting a drink of water is tantamount to leaving someone s wallet sit unprotected on a desk or table. RESPONSE: Not incorporated. The text of the draft paragraph is deemed sufficient. Paragraph 4a. Tearing or mutilation of paper documents is not an acceptable method of disposing of paper records as was evidenced during the Iranian Hostage Crisis. U.S. Embassy documents were shredded in a straight line, but were pieced back together by the Iranian government and resulted in the loss of sensitive diplomatic data. The only acceptable means of destroying paper documents that contain PII should be the use of a shredder that cuts the paper into pieces no larger than ¼ inch squares or burning. Mutilating a document by use of black magic marker or similar does not always render the underlying information un-readable. RESPONSE: Not incorporated. The requirements suggested are unnecessary. Paragraph 5. Lastly, I believe the regulation should provide for specific actions to be taken by NHQ/GC as well as commanders at all levels, because even the release of PII about just one member can result in serious legal and financial consequences for the corporation, if the corporation does not act in a timely manner to correct deficiencies that may be construed as showing a pattern of negligence in the handling of PII. RESPONSE: Not incorporated. The NHQ/GC s actions are governed by the provisions of CAP s PII insurance coverage. This does not fall under the scope of this directive. Add Paragraph 6. Social Rosters. For units that distribute social rosters to unit members, ensure that each person on the social roster has authorized their PII (phone #'s, address, etc) to be included on the social roster. Members that do not wish their information to be distributed shall be removed from the roster. Keep a written record of approval on file for members that authorize their PII to be shared. 3

4 RESPONSE: Not incorporated. Social rosters should only list unit member names and telephone numbers for activity contact purposes. Release of this limited information would not constitute a PII breach. General. NB MEMBER. There is a whole body of law associated with privacy, and this regulation falls short of covering even the basics. First, each state has varying statutory constructs of defining what PII is, of regulating the collection, maintenance, use, and destruction of PII, and breach notice requirements. Additionally, the penalties for non-compliance will also vary. At the national level, there are a number of regulatory bodies that have different requirements, and some have criminal penalties -- the one that comes to mind that specifically impacts CAP is under the Children's On-line Privacy Protection Act (COPPA) that criminalizes, under certain predatory circumstances, those persons/organizations that create on-line sites that target minors (12 and under). Penalties and damages will depend upon the breach/violations and the jurisdictions. So, for the CC, at a very minimum Paragraph 5 should be strengthened to engage the Wing Legal Officer for all breaches. But for a larger stage, the National structure, we need a National, Regional, and Wing level Privacy Officers. The Chief Privacy Officer is a best practice among organizations of CAP's size. This is something I can definitely contribute to -- I hold a Certification as an Information Privacy Professional (CIPP) from the International Association of Privacy Professionals. RESPONSE: Not incorporated (except for adding requirement that wings assure compliance with state standards, if any). This regulation complies with CAP s PII insurance coverage requirements and is designed to be a minimum standard. Individual wings need to consult with their legal officers to assure compliance with state standards, if any. COPPA does not apply to CAP. This federal act specifically excludes non-profit activities and regulates websites for online services operated for commercial purposes. 2. No further comments were received. 1 Attachment: Addition Comments Received //Signed// GERALD M. ROSENZWEIG Executive Support Manager 4

5 Additional comments received and not incorporated in final draft: COMMENTS ON DRAFT CAPR 1-2 PERSONNALLY IDENTIFIABLE INFORMATION (PII) 1. Comment: There is very little information provided in this regulation to tell members how to protect PII, other than to limit the use and access of the information. Recommendation: Add a section to show them how to go about protecting PII, such as: The best way to do that is to develop a risk-based approach. These are the steps: Identify all PII residing in your environment Categorize your PII by the confidentiality impact level Apply the appropriate safeguards based on that level Minimize the collection and retention of PII 2. Comment: PII is not just a yes/no item. There are different types of PII, which may impact the people who have access to it and/or the methods employed to protect it. Recommendation: Expand the definition of PII provided in Paragraph 1 (General) to explain the different types of PII, such as: There are three impact levels of SENSITIVE PII: LOW, MODERATE and HIGH. The levels are indicative of the risk of harm that could come to an individual and/or the organization if the PII were to be inappropriately accessed, used, or disclosed. SENSITIVE PII that has been inappropriately accessed, used or disclosed is said to have been breached. Harm includes any adverse effects that would be experienced by an individual whose PII was the subject of a loss of confidentiality, as well as any adverse effects experienced by the organization. Examples of types of harm to individuals include the potential for blackmail, identity theft, physical harm, discrimination or emotional distress. Organizations may also experience harm including an administrative burden, financial losses, loss of public reputation and public confidence, and civil liability. The potential impact is LOW if the loss could be expected to have a minimal adverse effect, often equivalent to inconvenience. An example of LOW impact PII would be a home telephone number. The potential impact is MODERATE if the loss could be expected to have a serious adverse effect, such as financial loss due to identity theft or denial of benefits, public humiliation, discrimination, and the potential for blackmail. Examples would include SSN, mother s maiden name, credit card numbers. The potential impact is HIGH if the loss could be expected to result in personal injury, loss of life, or incarceration. An example would include PII about an informant or undercover agent.» Source: FIPS 199 and NIST Special Publication

6 3. Comment: This regulation addresses the loss of PII and the harm that can come to an individual. Loss of PII may also cause a degradation in or loss of mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced, damage to organizational assets and/or result in financial loss Recommendation: Expand the definition in Paragraph 1 (General) to more fully discuss the potential impact if there is a loss of PII. 4. Comment: There is no explanation in this regulation that there is a potential for penalties, should PII be released, especially if the PII is also covered under the Privacy Act. Recommendation: Add a section to this regulation to explain potential penalties, should PII be released. It should make a distinction between purposefully and inadvertent release of this information, such as: The Privacy Act dictates that willful mishandling of Privacy Act material can lead to civil charges against the corporation and criminal charges against the individual. That s WILLFUL mishandling, not accidental mishandling. There are no civil and criminal penalties for mishandling non-pa PII. Command-administered sanctioning is possible for ANY mishandling of ANY PII. RESPONSE: Not incorporated. The proposed regulation is in compliance of our insurance requirements. 6