Personally Identifiable Information (PII): Post-Incident Activity

RISK MITIGATION

After a breach has occurred, the remediation actions to be taken need to be identified. For example:

  • When a breach involves personal credit cards, Army activities have the discretion to offer some assistance, such as credit monitoring. However, individuals can also self-monitor: they can obtain free credit reports from the credit reporting agencies and have a fraud alert placed on their credit file. The Federal Trade Commission (FTC) provides identity theft guidance on its Website at https://www.consumer.ftc.gov/topics/identity-theft.
  • Other measures to mitigate the potential harm should also be employed. Consult with your Privacy Officer and follow your activity's guidance.

AFTER ACTION REVIEW TEAM

For all breaches, Army activities should assemble an After Action Review Team to assess the severity of each incident and extract lessons learned to minimize the recurrence of similar breaches. The Team should consider the following activities:

  • Assess the breach data to determine the probable cause(s) and investigate measures that can be taken to prevent or minimize the risk of recurrence.
  • Solicit feedback from the responders and any affected entities as necessary, and collect and review any breach response documentation and analysis reports.
  • Review breach response activities and feedback from involved parties to determine response effectiveness.
  • Make necessary modifications to breach response strategies to improve the response process.
  • Enhance and modify information security and training programs, including developing countermeasures that mitigate and remediate previous breaches and incorporating lessons learned so that past breaches do not recur.
  • Document lessons learned from the compromise incident.
  • Share lessons learned with staff as appropriate.
  • Identify and review systemic vulnerabilities or weaknesses and the preventive measures that address them.

ADMINISTRATIVE / DISCIPLINARY ACTION

Army activities should determine whether administrative or disciplinary action is warranted and appropriate for those individuals determined to be responsible for the loss, theft, or compromise.

Consequences should be commensurate with the level of responsibility and the type of personally identifiable information involved. As with any disciplinary action, the particular facts and circumstances, including whether the breach was intentional, must be considered in taking appropriate action. Applicable consequences may include reprimand, suspension, removal, or other actions in accordance with applicable law and agency policy.

Responsible parties must also be reminded of their responsibility to instruct, train, and supervise employees on safeguarding personally identifiable information.