Should Feds Have Been Told About the OPM Hack?


Federal officials have no yardstick for determining when to tell government employees their personal data may have been compromised -- a likely reason potential victims of a March breach of personnel databases still have not been notified.

In April, federal auditors criticized agencies for poor breach notification, partly because there is no detailed policy on making disclosure decisions.

There is speculation that a confirmed compromise of Office of Personnel Management systems was executed by Chinese hackers. The attackers apparently wanted files on employees who have applied for top-secret security clearances. The New York Times broke the story Wednesday.

Federal officials say they have no proof personal data was exposed. It's possible there are no victims. It's also possible victims will be notified in several weeks or months, if the government’s track record on disclosure is any indication.

A month after the breach, a Government Accountability Office review found there are no specific requirements for agencies on how to determine whether the risk of data loss is great enough to warrant notification.

GAO auditors recommended the Office of Management and Budget lay out steps agencies should take to gauge the possibility there are victims, by developing "guidance on notifying affected individuals based on a determination of the level of risk."

OMB as of late Thursday had not given OPM and other agencies the recommended guidelines, because it was still evaluating whether to move forward on the recommendation, OMB officials told Nextgov.

“It’s going to be up to each agency to make that call until the guidance comes out, so you could have OPM make one judgment call and DOD make a different judgment call,” said Cheri Cannon, a partner at Tully Rinckey PLLC who specializes in federal labor and employment law.

“You are going to have some people who err on the side of being conservative” and others will be “more likely to tell people because, for whatever reason, they feel it is necessary,” she added. Cannon, a 20-year veteran of the federal government, retired from the Senior Executive Service in January.

She said it would be wise for OMB to issue a new policy on breach notification because otherwise, there will be inconsistent results after each incident.

"Agencies should be held to the same standards as companies," said Jim Lewis, a former U.S. Foreign Service senior official who now advises the government on cyber as a fellow at the Center for Strategic and International Studies. "Four months is way too long."

Current legislation gives most healthcare-related organizations up to 60 days to alert victims of a personal information breach. A measure long promoted by the White House would apply the 60-day rule to all businesses.

The Deliberation

Currently, agencies use a 2007 memo to guide decision making. The memo lists five factors agencies should consider before opting to notify potential victims: the likelihood the breach may lead to potential harm, the ability to limit the risk of harm, the nature of the content compromised, the number of individuals affected, and the likelihood the information is usable.

The Department of Homeland Security -- the agency that oversees government cybersecurity -- told Nextgov there is no evidence of any loss of personally identifiable information right now. OPM officials also said they have yet to identify any ID compromises.

Both agencies declined to discuss how they determined the risk of data loss wasn't enough to notify potential victims.

The hacked systems contained background history records that clearance applicants had entered themselves. According to individuals who have filled out such forms, those records would list the names and locations of relatives in foreign countries, the applicant's mother’s maiden name, and any drug or alcohol treatment.

The incident was discovered when security equipment at DHS and OPM warned of a potential intrusion in mid-March, OPM officials said.

Administration officials said they do not believe all intrusions, in corporate or government spheres, should be made public.

"We have advocated that businesses that have suffered an intrusion notify consumers if the intruder had access to consumers’ personal information," National Security Council spokeswoman Caitlin Hayden said in a statement. "The federal government did exactly what we would encourage a private entity to do in a case such as this, where an intrusion did not lead to the exfiltration of personally identifiable information, intellectual property, or other information of any value."

A thorough investigation is ongoing, DHS and OPM officials said.

Historically, agencies have been slow to notify victimized employees about major, confirmed breaches.

Hackers who breached an Energy Department personnel database a year ago extracted more sensitive data than first disclosed, including some banking information and password security questions.

Five months after the breach, when an inspector general probe into the agency's response was concluding, Energy was still notifying the more than 104,000 individuals affected. Names, dates of birth and Social Security numbers were compromised, among other sensitive information.

In late May 2012, 123,000 federal employee retirement plan participants were notified that attackers accessed their Social Security numbers and other personal data. The Thrift Savings Plan had first learned of a system compromise more than a month earlier.

The motive for both the OPM and TSP intrusions might have been to develop a Rolodex of personal information on high-ranking officials, national security experts say.

"It's pretty standard stuff in espionage," Lewis said. "Think about all the data you could get off someone's SF-86," he said, referring to a form used to apply for security clearances. "I'm surprised they hadn't already done it."

(Image via Sergey Nivens/Shutterstock.com)
