The U.S. Office of Personnel Management (OPM) announced that hackers have stolen the personal information of approximately 4 million current and former federal employees, including names, birthdates and social security numbers. OPM serves as the human resources department -and holds employee records - for the entire federal government, ranging from security clearances to the identities of covert CIA agents. Every federal agency is potentially affected by this breach. Notifications to affected employees will begin going out on Monday, June 8th, via email or US mail. OPM will provide credit monitoring, identity theft insurance and recovery services for 18 months to affected individuals.
OPM is working with the Department of Homeland Security’s Computer Emergency Readiness Team – CERT – and the FBI to assess the full extent of the breach. Early reports suggest that the breach originated in China.
Compounding the pain for OPM and the affected individuals is the revelation in OPM’s website notice that the agency recently implemented an “aggressive effort” to update its network security. Unfortunately, this effort only revealed the hack, but was not implemented in time to prevent it.
OPM’s breach follows a highly publicized IRS data breach, in which hackers accessed the personal information of 100,000 taxpayers and used it to file false refund requests. In 2014 alone, the US Postal Service, White House, National Weather Service and US Department of State were all victims of cyber-attacks, some of them suspected of originating in China.
As of now, federal data breach numbers pale in comparison to private sector breaches, but it will be interesting to see if these incidents create a credibility problem for federal regulators, who can’t seem to keep their own systems secure. According to Mark Robinson, a former federal prosecutor and cyber defense litigator at Mintz Levin:
At a minimum, the government’s own inability to keep it’s cyber security house in order will be used defensively by private companies breach victims as a glowing example of how easily hackers can get in to even the most fortified government controlled computer systems.
It will also be interesting to see if this breach results in private litigation on behalf of affected employees, particularly those whose safety and ability to do their jobs depends on the secrecy of their identities. According to Kevin McGinty, Mintz Levin privacy class action litigator:
As day follows night, class actions typically follow data breaches. Here, most OPM employees would have a difficult time alleging any injury sufficient to confer standing to sue. The most plausible harm that could flow from this data breach, identity theft, is addressed by the services already being offered by OPM. Unless a would-be litigant could allege some additional and imminent risk of harm that would not be covered by the services that OPM is offering, a private lawsuit would be likely to face dismissal for lack of standing.
We will have more on this story as it evolves.