Air Force to crack down on privacy violations

  • Published
  • By Don Branum
  • Academy Spirit staff writer
U.S. AIR FORCE ACADEMY, Colo. --  Before you send that email with the office recall roster, stop to ask yourself: Is it secret? Is it safe?

To be fair, a recall roster is not the One Ring, but Sauron -- a villain from J.R.R. Tolkien's "The Lord of the Rings" -- never had to worry about losing network access if he used the Ring carelessly.

Air Force personnel, on the other hand, will lose network access if their actions result in disclosure of personally identifying information, or PII, according to an Air Force Space Command guidance memorandum that took effect Oct. 24.

The memo, signed by AFSPC Commander Gen. William Shelton, advises that anyone associated with a suspected breach will be locked out of his or her account "until the first (colonel) or above in the individual's chain of command certifies that they should regain (Air Force Network) access" and until an investigation into the breach has been completed.
PII most notably includes Social Security numbers and financial account numbers, according to Air Force Instruction 33-332, "The Air Force Privacy and Civil Liberties Program." But it also includes individuals' home addresses, full dates of birth and information that a third party could use to gain access to their financial accounts, said Charles Springs, the Air Force Academy's Privacy Act officer.

Inside the AFI, updated in June, the Air Force has taken a more punitive stance regarding PII breaches because of the rise in incidents of identity theft in the U.S., Springs said.

"They want people to know this is serious," he said. "Identities need to be protected."

The majority of breaches result from unencrypted emails, Springs said. Emails containing PII must be digitally signed and encrypted, and the subject line will read "For Official Use Only (FOUO)." The first paragraph of the email should read: "This email contains FOR OFFICIAL USE ONLY (FOUO) information which must be protected under the Freedom of Information Act (5 U.S.C. 552) and/or the Privacy Act of 1974 (5 U.S.C. 552a). Unauthorized disclosure or misuse of this PERSONAL INFORMATION may result in disciplinary action, criminal and/or civil penalties. Further distribution is prohibited without the approval of the author of this message unless the recipient has a need to know in the performance of official duties. If you have received this message in error, please notify the sender and delete all copies of this message."

That wall of text isn't something people should just copy and paste into their signature block, however. The AFI restricts use of the statement only for "situations when you are actually transmitting personal information required to be protected For Official Use Only purposes."

Users must also restrict access to documents with PII stored on shared drives, either with a password or by limiting who has read access to a given folder, said Gayle Blue-Keyes, the Academy's Information Protection director. Examples may include recall rosters, enlisted or officer performance reports and civilian performance appraisals.

"When that's not done, individuals who don't have authorized access could stumble onto something they don't need to see," Blue-Keyes said. "When we have information like that transmitted or taken out of the workplace, that's really where the risk lies."

Users who want to set up access-restricted folders may consult with client service technicians or the 10th Communications Squadron Help Desk, Blue-Keyes said.
Springs said his office is taking steps to make sure Airmen understand how serious breaches of PII can be, such as providing extra training to unit Privacy Act monitors and publishing preventive tips.