Personally Identifiable Information (PII) Breach: Notifications

THE DECISION TO NOTIFY

After assessing the likely risk of harm and potential level of impact of an actual or suspected breach, a decision must be made whether to notify potentially affected individuals.

The Army activity responsible for safeguarding the PII at the time of the incident must notify the affected individuals after an assessment has been made as to the risk of harm and the level of risk that results from the loss, theft, or compromise of the data. The decision to provide notification rests with the head of the Army activity where the breach occurred after the impact level has been reassessed. Leaders should be mindful that notification when there is little or no risk of harm might create unnecessary concern and alarm.

If the actual Army activity where the incident occurred is unknown, by default the responsibility for notifying affected individuals lies with the originator of the compromise document or information.

Where a breach occurs as a result of a contractor’s actions, the army Activity should coordinate with the contractor to ensure that all notification requirements are followed.

WHO TO NOTIFY

Individuals affected by the breach, should receive notification when a decision has been made to notify.

In exceptional situations where it is absolutely necessary to notify the public media and/or other third parties such as public and private sector agencies, approved public outreach procedures must be followed and coordinated with the Department of Defense.

WHEN TO NOTIFY

Potentially affected individuals should be notified as soon as possible, but not later than 10 working days after a breach has been discovered. If all of the individuals are not identified within the 10 working days, notifications should be sent to those who have been identified with follow-up notifications to those to be subsequently identified.

In some circumstances, law enforcement or national security considerations may require a delay if notification would seriously impede an investigation of the breach or harm the affected individual. However, any delay should not increase the likelihood of harm to any affected individual. Decisions to delay notification should be made by the Agency Head or a senior-level individual he/she may designate in writing.

NOTIFICATION CONTENT

The notification to affected individuals should be in writing and in a format that is clear and easy for the recipient to understand.

MEANS OF PROVIDING NOTIFICATION

First-Class mail notification should be the primary means by which notification is provided. Where addresses may not be current, every reasonable attempt should be made to obtain updated information.

Telephone notification may be appropriate in cases where urgency may dictate immediate and personalized notification and/or when a limited number of individuals are affected. A written notification by first-class mail should immediately follow the telephone notification.

Email notification may also be employed in conjunction with postal mail if the circumstances of the breach warrant this approach. Notification by email may be appropriate where an individual email address is the primary means of communication, and no known mailing address is available. Be mindful however, that email addresses change frequently and may therefore be an unreliable means of communication.

Other means of providing and/or supplementing notification, depending on circumstance, may be available. Consult with the Army Privacy Office.