Leadership Corner

The PII incident: An update

August 3rd, 2018 at 12:00PM

Robert Velasco, Acting Deputy Chief for Business Operations. Forest Service photo.

As previously promised, I want to update everyone on the unauthorized release of personally identifiable information, also known as PII, at the USDA Forest Service.

First, I want to let you know we have been able to extend the period to apply for credit monitoring through Friday, August 31. Everything you need to know about applying for credit monitoring can be found here. My commitment remains the same as before, to keep you all informed on the status of what has been done and what continues to be done in this matter. You can find a summary of all actions taken so far here.

I know the biggest questions you have are about what we are doing to prevent this from happening again. What follows is a summary of measures designed to reduce the possibility of another such incident, while improving the protections around the privacy of our valued employees. Currently, the two staffs most heavily focused on this effort are the offices of the Chief Information Officer and Human Resources Management.

To support these increased security measures, HRM initiated a “PII Mitigation Plan.” The overall objective of the plan is to, where possible, eliminate PII on reports generated by HRM. A significant component of the plan relies on utilizing Pinyon (Box) as a repository for all reports and eliminating the use of email for documents containing PII. Doing this allows us to have tighter control over who has access to PII and under which circumstances. HRM will have conference calls/Adobe connect sessions with all HR employees Aug. 21 and 23 to discuss the changes, followed by a Sept. 11 stand-down to review PII processes and handling.

The CIO is currently reviewing the systems and applications that operate on the Forest Service network that process or collect sensitive information. Concurrently, the CIO has identified employees who have access to sensitive information and whose roles require continued access to this data and information. These employees will receive additional security training to ensure they understand their roles and responsibilities, as well as their importance in maintaining safe and secure data on behalf of the Forest Service. Additionally, in coordination with the Department’s Privacy Office, the CIO will test the resiliency and strength of the security boundaries for our most critical human resource and financial data systems.

Finally, the CIO cyber security team held a webinar for the proper handling of PII for all agency employees on July 19. Anyone in the agency can view the webinar by clicking this link. Also, the cyber security team will publish additional training materials and continue to train employees who handle PII using real, incident-related scenarios to make our training true to the seriousness of their day-to-day responsibilities. 

Please visit the Protecting your Privacy intranet website for additional information and resources. If you haven’t done so already, visit the Consumer Financial Protection Bureau website for information on getting a credit report.

We continue to aggressively investigate this incident, working closely with other federal authorities to ensure it is properly addressed. This is only the start, as more actions will follow on those taken so far. I ask all our employees to remain vigilant about your accounts and our security. As we move forward and have more information to provide and improvements to our processes, I will continue to update you on the specifics.

As before, I want to reassure you that we continue to do all we can, not only to thoroughly investigate this incident, but also to make every effort to put measures in place to help prevent it from happening again.