Federal officials have no yardstick for determining when to tell government employees their personal data may have been compromised -- a likely reason potential victims of a March breach of personnel databases still have not been notified.
In April, federal auditors criticized agencies for poor breach notification, partly because there is no detailed policy on making disclosure decisions.
There is speculation that a confirmed compromise of Office of Personnel Management systems was executed by Chinese hackers. The attackers apparently wanted files on employees who have applied for top-secret security clearances. The New York Times broke the story Wednesday.
Federal officials say they have no proof personal data was exposed. It's possible there are no victims. It's also possible victims will be notified in several weeks or months, if the government’s track record on disclosure is any indication.
A month after the breach, a Government Accountability Office review found there are no specific requirements for agencies on how to determine whether the risk of data loss is great enough to warrant notification.
GAO auditors recommended the Office of Management and Budget lay out steps agencies should take to gauge the possibility there are victims, by developing "guidance on notifying affected individuals based on a determination of the level of risk."
OMB as of late Thursday had not given OPM and other agencies the recommended guidelines, because it was still evaluating whether to move forward on the recommendation, OMB officials told Nextgov.
“It’s going to be up to each agency to make that call until the guidance comes out, so you could have OPM make one judgment call and DOD make a different judgment call,” said Cheri Cannon, a partner at Tully Rinckey PLLC who specializes in federal labor and employment law.
“You are going to have some people who err on the side of being conservative” and others will be “more likely to tell people because, for whatever reason, they feel it is necessary,” she added. Cannon, a 20-year veteran of the federal government, retired from the Senior Executive Service in January.
She said it would be wise for OMB to issue a new policy on breach notification because otherwise, there will be inconsistent results after each incident.
"Agencies should be held to the same standards as companies," said Jim Lewis, a former U.S. Foreign Service senior official who now advises the government on cyber as a fellow at the Center for Strategic and International Studies. "Four months is way too long."
Current legislation gives most healthcare-related organizations up to 60 days to alert victims of a personal information breach. A measure long promoted by the White House would apply the 60-day rule to all businesses.
Currently, agencies use a 2007 memo to guide decision making. The memo lists five factors agencies should consider before opting to notify potential victims: the likelihood the breach may lead to potential harm, the ability to limit the risk of harm, the nature of the content compromised, the number of individuals affected, and the likelihood the information is usable.
The Department of Homeland Security -- the agency that oversees government cybersecurity -- told Nextgov there is no evidence of any loss of personally identifiable information right now. OPM officials also said they have yet to identify any ID compromises.
Both agencies declined to discuss how they determined the risk of data loss wasn't enough to notify potential victims.
The hacked systems contained background history records on clearance applicants the applicants themselves entered. The names and locations of relatives in foreign countries, their mother’s maiden name, and any drug or alcohol treatment would be listed, according to individuals who have filled out such forms.
The incident was discovered when security equipment at DHS and OPM warned of a potential intrusion in mid-March, OPM officials said.
Administration officials said they do not believe all intrusions, in corporate or government spheres, should be made public.
"We have advocated that businesses that have suffered an intrusion notify consumers if the intruder had access to consumers’ personal information," National Security Council spokeswoman Caitlin Hayden said in a statement. "The federal government did exactly what we would encourage a private entity to do in a case such as this, where an intrusion did not lead to the exfiltration of personally identifiable information, intellectual property, or other information of any value."
A thorough investigation is ongoing, DHS and OPM officials said.
Historically, agencies have been slow to notify victimized employees about major, confirmed breaches.
Hackers who breached an Energy Department personnel database a year ago extracted more sensitive data than first disclosed, including some banking information and password security questions.
Five months after the breach, when an inspector general probe into the agency's response was concluding, Energy was still notifying the more than 104,000 individuals affected. Names, dates of birth and Social Security numbers were compromised, among other sensitive information.
In late May 2012, 123,000 federal employee retirement plan participants were notified that attackers accessed their Social Security numbers and other personal data. The Thrift Savings Plan had first learned of a system compromise more than a month earlier.
The motive for both the OPM and TSP intrusions might have been to develop a Rolodex of personal information on high-ranking officials, national security experts say.
"It's pretty standard stuff in espionage," Lewis said. "Think about all the data you could get off someone's SF-86," he said, referring to a form used to apply for security clearances. "I'm surprised they hadn't already done it."