By now, you have heard about, or been impacted by, the unauthorized release of Personally Identifiable Information, also known as PII, at the USDA Forest Service. I understand that you are justifiably upset by this news, as am I. During our Stand Up for Each Other and Listen and Learn Sessions we clearly heard about the lack of trust in senior leadership that many employees feel. We place trust in the agency when we provide our PII and with that we expect the agency will take the utmost care to safeguard it. To turn around from those sessions and inform you that your PII was released outside the agency is a difficult leadership moment for me.
I acknowledge some time has elapsed between when we became aware of a possible incident and when we notified you. We wanted to be certain that accurate information could be provided to you. Our specialists needed sufficient time to conduct a thorough investigation, to ensure that all important information regarding this incident was identified and to ensure that investigators had a clear picture of the incident.
But if there is anything I am committed to, it is assuring that the Forest Service is a learning organization.
An aggressive investigation is underway, and we have already learned a lot to inform immediate changes in how we handle PII. This learning will continue to inform further changes to reduce the possibility of something like this happening again. Currently, we are revising our processes and making changes to improve our security procedures. I understand that simply saying to all of you “we are revising our processes” sounds like a platitude. I want to assure you it is not. Right now, we are evaluating all our processes in and around the handling of and accessibility to PII in the agency and looking for ways to improve and minimize risks in the future. Once we have fully identified new processes and security measures, I am committed to sharing those findings with all of you.
With all that in mind, I want to tell you what happened, what you can do to protect yourself, what we’re doing to prevent future instances and where to go for more information.
On May 29, we initially confirmed that some Forest Service employees’ Personally Identifiable Information was emailed outside of our network. The email contained a report with full names, social security numbers, and personal email addresses of current and former Forest Service employees. Although we were not yet aware of the full scope of employees impacted, we immediately reported the incident to the Chief Information Officer, Computer Incident Response Team and the Human Resources Management Privacy Office for action. As investigation into the incident continued, we realized that the scope of PII disclosure was much higher than initially known, and the majority of our employees may have had their information compromised.
If you were employed (current or former Federal employee) with the Forest Service from April 2017 to May 2018 it is highly likely that elements of your PII may have been compromised as a result. Current Forest Service employees were notified via internal email. Former Forest Service employees are being notified via U.S. mail. If you have received notification via email or letter from the Forest Service, your PII was part of this unauthorized disclosure.
To assist in protecting the PII of employees both current and former, we are offering free credit monitoring service through Experian for one year to all those affected. This will provide a central source for you to check your credit report and provide assistance with filing any reports or claims. This service will provide alerts if any suspicious activities appear on your accounts for a year. Please refer to an email message you received from Human Resources with instructions on how to register for the credit monitoring service. You will receive this email, if you haven’t already, if your information was released.
You naturally may have more questions. For additional information and resources, please visit the Protecting your Privacy intranet website. For more information on getting a credit report visit the Consumer Financial Protection Bureau website. Additionally, the Human Resources Management office has prepared a list of “Frequently Asked Questions” which provides additional information about this incident and addresses general questions and concerns you may have. They also include more detailed instructions for enrolling in the credit monitoring service and methods to further protect your personal information. Former employees will receive a copy of this FAQ via mail. For current employees who have access to the Forest Service network, the FAQs are also posted to the HRM website and will be updated regularly with the latest information.
We continue to aggressively investigate this incident, working closely with other federal authorities to ensure it is properly addressed. We also began implementing additional security measures designed to prevent a recurrence of such an incident, as well as to protect the privacy of our valued employees.
As one of the employees whose information was compromised, I understand how personal and unsettling this whole situation is. I want to restate and reassure you that we are doing all we can, not only to thoroughly investigate this incident and understand what exactly transpired, but also to make every effort to put measures in place to help prevent further incidents like this from happening.