Agencywide Message to All NASA Employees: Breach of Personally Identifiable Information (PII)


From: HQ-NASA INC [mailto:hq-nasa-inc@nasa.gov]
Sent: Tuesday, November 13, 2012 2:30 PM
Subject: Breach of Personally Identifiable Information (PII)

AGENCYWIDE MESSAGE TO ALL NASA EMPLOYEES

Point of Contact: Kelly M. Carter, Information Technology and Communications Division, NASA Headquarters, kelly.carter@nasa.gov

Message from the Associate Deputy Administrator:

Breach of Personally Identifiable Information (PII)

On October 31, 2012, a NASA laptop and official NASA documents issued to a Headquarters employee were stolen from the employee's locked vehicle. The laptop contained records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors, and others. Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals. We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees.

NASA has contracted with a data breach specialist, ID Experts, who will be sending letters to affected individuals, informing them that their sensitive PII was stored on the stolen laptop and they could be impacted by the breach. This notification also will provide them information on how to protect their identity using the fully managed services of ID Experts at no cost to the individual. These services will include a call center and website, credit and identity monitoring, recovery services in cases of identity compromise, an insurance reimbursement policy, educational materials, and access to fraud resolution representatives. If you receive a notification letter in the mail, follow the directions to activate your services as soon as possible.

All employees should be aware of any phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information or verification of it. NASA and ID Experts will not be contacting employees to ask for or confirm personal information. If you receive such a communication, please do not provide any personal information.

Because of the amount of information that must be reviewed and validated electronically and manually, it may take up to 60 days for all individuals impacted by this breach to be identified and contacted.

The Administrator is extremely concerned about this incident and has directed that all IT security issues be given the highest priority. NASA is taking immediate steps to prevent future occurrences of PII data loss. The Administrator and the Chief Information Officer (CIO) have directed that, effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted. This applies to laptops containing PII, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, procurement and human resources information, and other sensitive but unclassified (SBU) data. Center CIOs have been directed to complete the whole disk encryption of the maximum possible number of laptops by November 21, 2012. NASA plans to complete the laptop encryption effort by December 21, 2012, after which time no NASA-issued laptops without whole disk encryption software, whether or not they contain sensitive information, shall be removed from NASA facilities. Progress will be monitored weekly by the Office of the Administrator. In the meantime, employees who are teleworking or travelling should use loaner laptops if their NASA-issued laptop contains unencrypted sensitive information. In addition, sensitive files no longer required for immediate work needs shall be purged from laptop devices but maintained on the shared drive if necessary for records retention purposes. Finally, sensitive data shall not be stored on smart phones or other mobile devices.

These changes and clarifications in NASA policy are effective immediately. The Office of the Chief Information Officer will implement them through appropriate revisions in NASA's applicable policy documents using our established process. Additionally, the CIO will identify any other changes in policy and/or procedures that are necessary to prevent a recurrence of this type of breach in the future.

To learn more about protecting your identity, visit the Federal Trade Commission's website, Facts for Consumers, Identity Theft: What to Know, What to Do, at http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt01.shtm

If you have further questions about this incident, you may contact the NASA Shared Services Center at 1-877-677-2123.

NASA regrets this incident and the inconvenience it has caused for those whose personal information may have been exposed.

Richard J. Keegan Jr.
Associate Deputy Administrator

This notice is being sent agencywide to all employees by NASA INC in the Office of Communications at NASA Headquarters.
