Reporting a Personally Identifiable Information (PII) Incident

All Army Commands (ACOM), Army Service Component Commands (ASCC), Direct Reporting Units (DRU), Army Staff, Program Executive Offices (PEO), and Army activities are required to ensure all suspected or actual loss, theft, or compromise of PII regardless of physical or electronic form is reported in accordance with the following procedures.

  1. Report the incident immediately to your first line supervisor, your Privacy Official, and if cyber-related to your Information Technology division as well.


    1. If the actual or suspected incident involves PII occurs as a result of a contractor’s actions, the contractor must also notify the Contracting Officer Representative immediately.

    2. If the incident involves a Government-authorized credit card, the issuing bank should be notified immediately.

  2. Report all cyber-related incidents involving the actual or suspected breach/compromise of PII within one hour of discovery to the United States Computer Emergency Readiness Team (US-CERT) by completing and submitting the US-CERT report at

    The notification to US-CERT regarding an electronic breach should include as much information as possible, however, reporting should not be delayed to gain additional information. See US-CERT Federal Incident Notification Guidelines for reporting requirements. The US-CERT report format provides the user with various drop-down answer options and the ability to skip sections to identify areas that do not apply to non-technical breaches.

    Note: Make sure you record the US-CERT number assigned to the breach. You will need this to complete section 1d of the Breach of Personally Identifiable Information (PII) Report via PATS.

  3. Report both electronic and physical related incidents to the Army Privacy Office (APO) within 24 hours of discovery by completing the Breach of Personally Identifiable Information (PII) Report via PATS.

    When completing the Breach of Personally Identifiable Information (PII) Report in PATS do not include any PII, such as names of individuals. Reportable information includes:

    • Date of breach, date discovered, and date reported to United States Computer Emergency Readiness Team (US-CERT)
    • US-CERT number and Component Internal Tracking Number (if applicable)
    • Component and Office Name
    • Point of contact information including name, duty phone, and office mailing address
    • Narrative description of breach (up to 150 words) including:
      • The parties involved in the breach (do not use names of individuals)
      • The media used such as email, info-sharing, paper records, or equipment
      • Type of breach: loss, theft, or compromise
      • Immediate steps taken to contain the breach
    • Mitigating actions taken (up to 150 words) including:
      • Whether the breach was intentional or inadvertent
      • Any lessons learned
    • Number of individuals affected (including numbers of Soldiers, civilians, and contractors involved)
    • The type of PII compromised such as SSN, PHI, and financial information
    • Any additional information as indicated on the form

    If computer access is not available, PII incidents can be reported to a 24/7 Army toll free number at 1-866-606-9580 or US-CERT at (888) 282-0870 which is also monitored 24/7.

  4. For additional reporting requirements, consult with your Privacy Official and follow your activity’s guidance for reporting PII incidents.

  5. Submit updates to APO through PATS. Also submit updates to US-CERT, your Privacy Official and appropriate individual(s) within your Activity as information becomes available. Note: US-CERT requires that any updates to the initial report are to be provided via email to and the assigned US-CERT number must be referenced in the subject line.

APO will report the incident to DPCLTD within 24 hours upon being notified that a loss, theft, or compromise has occurred. When an incident includes an actual or suspected compromise of Personal Health Information (PHI), APO will also report the incident to the Defense Health Agency (DHA) Privacy Office within 24 hours of discovery.


See Risk Determination