Recent U.S. Government Data Breach is Like No Other
The scope of the recent hack of the Office of Personnel Management (OPM), in which the records of millions of current and former federal employees were breached, is exponentially greater than the many other recent headline-generating breaches in the private sector.
This breach not only impacts government employees but countless of their partners, associates, and confidantes, and the stolen information includes some of the most intimate personal details about the individuals affected. It also raises real questions about the government’s ability to safeguard the data in its possession, and makes somewhat disingenuous the government’s call to strengthen and enforce private-sector security systems.
U.S. federal agencies have had a long and troubling history of ignoring recommendations that come from within their own government with regard to privacy and security. The Inspector General warned OPM last year about serious security and privacy problems after it was hacked in a smaller-scale incident, yet the agency did not implement the recommended changes to its systems or practices. Among the problems cited in the Inspector General’s report? OPM didn’t have the most basic data map or a simple inventory list of its servers and databases, nor did it have an accounting of all the systems connecting to its network.
Despite this oversight finding, OPM did nothing. OPM Director Katherine Archuleta told a congressional panel that the agency did not implement the recommendations in part because overhauling their legacy security systems would have been expensive and disruptive to the functioning of the agency.
Common-sense privacy and security practices don’t need to be expensive or disruptive. Many of the most successful hacks, including Anthem’s, occur for one reason: human beings. Hackers often gain access not by circumventing encryption or through cleverly designed viruses—they gain access by stealing credentials, as in the OPM breach, via laptops, or bad passwords. As critical as encryption is to cybersecurity, it would not have stopped the OPM breach—but data-retention limits might have mitigated the extent of it. The agency reportedly was holding data on individuals from as far back as 1985.
Further, government agencies are not following the very same level of rigor of the security guidelines and practices often applied by other government agencies and commissions to the private sector. Both the private sector and government should equally consider data protection as a sacred element of trust with the citizen or consumer.
The OPM breach should call into question how we define harm and the types of remediation available to individuals.
The hack also highlights a larger problem with the legal protections for the individual when a data breach occurs. Some of the data implicated in the OPM breaches are so personal and intimate, and the harm of its revelation is far longer lasting than any current legal process covers. Currently, individuals whose data was breached have little to no recourse. Most data breach laws, including the Privacy Act, require clear evidence of “harm” in order to assess liability and this is typically characterized as a negative financial impact. Not only is financial harm not always clear right away, it can be exceedingly hard for individuals to tie harm to a specific data breach, certainly as they become a daily occurrence.
Beyond this, a breach of this magnitude should call into question how we define harm and the types of remediation available to individuals. Credit monitoring and identity-theft resources may have little utility for those whose data was breached, especially when the information that was taken goes beyond credit card numbers and into detailed dossiers of about individuals. How does one put the cat back in the bag when the records breached contain information such as past drug use, lie-detector tests you failed, or extramarital affairs? This is information routinely collected about candidates for top-secret clearance and it includes information about friends, relatives, and former employers connected to the individuals that were affected. Those individuals aren’t given any recourse whatsoever. Current structures just do not give adequate recourse in relation to the real harm and impact on lives.
Sadly, congressional energy in response to the OPM breach has so far been misplaced. It has largely focused on information sharing legislation, with Senate Majority Leader McConnell responding by rushing the Cybersecurity Information Sharing Act (CISA) to a floor vote in a problematic manner, refusing to allow debate or amendments. Ignoring critical changes that need to be made to CISA is especially ironic in the wake of the OPM hack, because the bill would actually funnel more private information to government in an unprotected manner. This expanded sharing is especially worrisome for data security because the bill permits unprepared agencies to receive data (rather than direct all sharing at a secure entity such as the DHS National Cybersecurity and Communications Integration Center), and contains only a weak requirement to strip personal information prior to sharing. Yes, in response to the breach of mass amounts of government data, the government is actually asking for even more data. How can we trust them with more when they can’t even manage what they already have?
Information sharing is not the silver bullet of cybersecurity for commercial entities nor for the government, but common-sense security measures can make a difference: Imposing data-retention limits, regularly reviewing and updating systems, using two-factor authentication, and providing added security for IT staff can all mitigate data breaches. We also have to recognize we have entered a new era—the most sensitive information about all of us is held in a computer somewhere. The federal government and everyone holding this type of data has to dedicate the time and money necessary to safeguarding it at the level it deserves.
The multiple mass hacks of OPM are an unparalleled breach of sensitive government-held data that will likely have long-term repercussions for cyber security. This is the time for diligent and thoughtful review of effective policy solutions, a chance to implement key common-sense privacy and security practices across federal agencies, and a way for the government to practice what it preaches by becoming a model for data protection.
This piece first appeared on blog for the Center for Democracy & Technology.