Navy took more than a year to announce personal data breach

By Federal Diary
Friday, April 2, 2010

In case of danger or a natural disaster, the U.S. Navy can rapidly dispatch troops, fighter jets or relief supplies to troubled areas around the world.

So why did it take the Navy 17 months to inform employees at the Naval Facilities Engineering Service Center in Port Hueneme, Calif., that their Social Security numbers had been inadvertently released?

The information was sent in May 2008 to three other employees whose security access had been suspended for reasons unrelated to the information breach.

E-mails obtained by The Washington Post indicate that Navy officials quickly realized employees should be informed. But that was not done until October 2009. The names of those sending and receiving the messages were blocked out, but their offices, and in some cases their positions, were not.

An e-mail dated June 6, 2008, to the chief of naval operations and the Navy's chief information officer, among others, cites a report from a month earlier on personally identifiable information and reads, "A list of employees was generated (128) that reflected the names, social security numbers and perceived security clearance issues relating to each of named employees."

The June 6 e-mail says there was no criminal activity involved, though the Navy's general counsel was notified. It also says that the personal data are confidential and that their use is restricted. A June 9 e-mail from a Navy "privacy team leader" says the employees "must be issued letters stating that they are at increased risk for identity theft due to the high risk nature of PII [personally identifiable information] that was compromised." This note even indicates where a sample letter can be found on the Navy's Web site.

But the affected employees -- a number subsequently increased from 128 to 244 -- were not notified until much later.

On Oct. 9, 2009, Capt. P.B. Gomez, commanding officer of the engineering service center, sent a letter to employees calling the breach "a potential compromise of your Personally Identifiable Information (PII) that was recently brought to my attention although it occurred over a year ago."

Gomez added: "The Command is not aware of any evidence to suggest that your PII has been misused or further distributed. . . . We regret this unfortunate development and any inconvenience or undue concerns this may cause."

Employee organizations have pressed the Navy for identity-theft insurance, so far with no luck. "They have not negotiated with us at all," said Rodney Raether, president of the National Association of Government Employees. "They just held us off."

In a letter to Navy officials, Raether said the harm to employees could go beyond identity theft, because that can lead to a poor credit rating, which could affect an employee's security clearance. "Employees are at risk and face loss of reputation and then face the loss of their security clearance for the failure of the Command to act to protect them and to ensure that procedures are followed to make it harder for it to happen again," Raether wrote.

Officials at the engineering service center declined to answer several specific questions submitted by Federal Diary. As "our command's official response," the public affairs office did provide a copy of a letter from Gomez -- who was not in charge at the time of the breach -- to the editor of the Ventura County Star, which broke the story.

The letter says the information was sent to three employees who "already had access to this personal information in the performance of their normal duties." The employees, however, had their security access privileges suspended at the time and expected to get information only related to their cases.

"When it came to my attention that there was a release of personal information," Gomez continued, "I decided to notify the more than 200 affected employees that a non-government entity may have seen their personal information." The "non-government entity" was lawyers for two of the three workers who fought their security access suspension.

The Navy did provide employee organizations a limited amount of information in reply to questions they submitted. The answers, however, were not very informative and in some cases directly contradicted what was in the e-mails.

In answer to a question about why it took so long for employees to be notified, the Navy told the Federal Union of Scientists and Engineers that "in June 2008 the command believed there was no compromise of PII as the information was provided only to members of the command who already had access to this information in the performance of their duties."

The notion that officials didn't believe there was a compromise of personal information is challenged not only by the June 9, 2008, e-mail from the privacy team leader, but also by a June 6 e-mail from "NAVFAC Wash," Naval Facilities Washington, which says, "NFESC needs to make a notification of the PII breach today."

Today didn't come until more than a year later.

© 2010 The Washington Post Company