From: HQ-NASA INC [mailto:firstname.lastname@example.org]
Sent: Tuesday, November 13, 2012 2:30 PM
Subject: Breach of Personally Identifiable Information (PII)
AGENCYWIDE MESSAGE TO ALL NASA EMPLOYEES
Point of Contact: Kelly M. Carter, Information Technology and Communications Division, NASA Headquarters, email@example.com
Message from the Associate Deputy Administrator:
Breach of Personally Identifiable Information (PII)
On October 31, 2012, a NASA laptop and official NASA documents issued to
a Headquarters employee were stolen from the employee's locked vehicle.
The laptop contained records of sensitive personally identifiable
information (PII) for a large number of NASA employees, contractors, and
others. Although the laptop was password protected, it did not have
whole disk encryption software, which means the information on the
laptop could be accessible to unauthorized individuals. We are
thoroughly assessing and investigating the incident, and taking every
possible action to mitigate the risk of harm or inconvenience to

NASA has contracted with a data breach specialist, ID Experts, who will
be sending letters to affected individuals, informing them that their
sensitive PII was stored on the stolen laptop and they could be impacted
by the breach. This notification also will provide them information on
how to protect their identity using the fully managed services of ID
Experts at no cost to the individual. These services will include a
call center and website, credit and identity monitoring, recovery
services in cases of identity compromise, an insurance reimbursement
policy, educational materials, and access to fraud resolution
representatives. If you receive a notification letter in the mail,
follow the directions to activate your services as soon as possible.

All employees should be aware of any phone calls, emails, and other
communications from individuals claiming to be from NASA or other
official sources that ask for personal information or verification of
it. NASA and ID Experts will not be contacting employees to ask for or
confirm personal information. If you receive such a communication,
please do not provide any personal information.

Because of the amount of information that must be reviewed and validated
electronically and manually, it may take up to 60 days for all
individuals impacted by this breach to be identified and contacted.

The Administrator is extremely concerned about this incident and has
directed that all IT security issues be given the highest priority.
NASA is taking immediate steps to prevent future occurrences of PII data
loss. The Administrator and the Chief Information Officer (CIO) have
directed that, effective immediately, no NASA-issued laptops containing
sensitive information can be removed from a NASA facility unless whole
disk encryption software is enabled or the sensitive files are
individually encrypted. This applies to laptops containing PII,
International Traffic in Arms Regulations (ITAR) and Export
Administration Regulations (EAR) data, procurement and human resources
information, and other sensitive but unclassified (SBU) data. Center
CIOs have been directed to complete the whole disk encryption of the
maximum possible number of laptops by November 21, 2012. NASA plans to
complete the laptop encryption effort by December 21, 2012, after which
time no NASA-issued laptops without whole disk encryption software,
whether or not they contain sensitive information, shall be removed from
NASA facilities. Progress will be monitored weekly by the Office of
the Administrator. In the meantime, employees who are teleworking or
travelling should use loaner laptops if their NASA-issued laptop
contains unencrypted sensitive information. In addition, sensitive
files no longer required for immediate work needs shall be purged from
laptop devices but maintained on the shared drive if necessary for
records retention purposes. Finally, sensitive data shall not be stored
on smart phones or other mobile devices.

These changes and clarifications in NASA policy are effective
immediately. The Office of the Chief Information Officer will implement
them through appropriate revisions in NASA's applicable policy
documents using our established process. Additionally, the CIO will
identify any other changes in policy and/or procedures that are
necessary to prevent a recurrence of this type of breach in the future.

To learn more about protecting your identity, visit the Federal Trade
Commission's website, Facts for Consumers, Identity Theft: What to Know,
What to Do, at
http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt01.shtm

If you have further questions about this incident, you may contact the NASA Shared Services Center at 1-877-677-2123.
NASA regrets this incident and the inconvenience it has caused for those whose personal information may have been exposed.
Richard J. Keegan Jr.
Associate Deputy Administrator
This notice is being sent agencywide to all employees by NASA INC in the Office of Communications at NASA Headquarters.