Cybersecurity

Feds Violate Data Breach Reporting Requirements They Would Impose on Private Companies

Office Personnel Management data breach perhaps 18 million - 4X larger than reported, says CNN

|

DataBreach
community2business

The federal government's Office of Personnel Management apparently discovered in April a massive security breach of its systems in which the personally identifiable information at least 4 million government employees was rifled through by Chinese government hackers. The OPM waited at least two months—that would be more than 60 days—to begin notifying current and former federal employees of the breach. Now, CNN is reporting that the hackers may have accessed personal information of 18 million current and former government employees.

Earlier this year the Obama Admininstration proposed the Personal Data Notification & Protection Act which, among other things, would require any business …

…that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired, unless there is no reasonable risk of harm or fraud to such individual.

Unless the business can demonstrate reasons for delay, they must inform customers about the security breach within 30 days of discovering the intrusion.

To be fair, the data protection act does allow for "reasonable" delays in notifying customers if a breached company can demonstrate to the Federal Trade Commission that …

…additional time is reasonably necessary to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment, restore the reasonable integrity of the data system, and provide notice to an entity designated by the Secretary of Homeland Security to receive reports and information about information security incidents, threats, and vulnerabilities when required. If the Commission determines that additional delay is necessary the agency may extend the time period for notification for additional periods of up to 30 days each. Any such extension shall be provided in writing.

Interestingly, when hackers stole the credit information from millions of Target customers in 2013, the company began notifying customers three weeks after the breach was discovered. Neiman Marcus was informed by a payment processor in mid-December 2013 about some unauthorized charges. A cyber forensics firm confirmed that malware had been installed in its network that stole customer data on January 1, 2014. The company began notifying its affected customers on January 11. Some businesses may make the mistake of sacrificing customer trust by trying to hide or excessively delay notification of data breaches, but the profit motive provides a strong impetus to private companies to come clean with customers.

Government agencies like OPM do not have the spur of customer dissatisfaction to encourage transparency. Perhaps OPM may have deemed its delayed notifications as "reasonably necessary," but federal agency officials should nevertheless be held to at least the same data breach reporting standards that government wants to impose on private businesses.

The CNN report noted:

Katherine Archuleta, who leads OPM, is beginning to face heat for her agency's failure to protect key national security data—highly prized by foreign intelligence agencies—as well as for how slowly the agency has provided information.

Rep. Stephen Lynch, D-Mass., at a hearing last week told Archuleta: "I wish that you were as strenuous and hardworking at keeping information out of the hands of hacker as are at keeping information out of the hands of Congress."

Amen.

Update: The Washington Post is reporting today that the computer system touted by OPM for finding the data breach, according to a just completed inspector general audit, "is itself at high risk of failure."

Not even good enough for government work.

Advertisement

NEXT: Think You've Seen Some Crazy Drug PSAs? Check Out These 5.

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Those affected could include people who applied for government jobs, but never actually ended up working for the government.

    Not only Feds, but people who wanted to be Feds.

  2. Since when did government have to follow the rules it forces onto everyone else?

    1. Yeah. This does not exactly make me put on my shocked face.

      1. But I’m certain that those responsible have been fired, right? RIGHT?

  3. Surprise, surprise, surprise.

  4. 18 million. Staggering. And yet, how many millions think having the government run education, healthcare, and retirement savings (among a short list of things the government sucks at) is a great idea because the government is full of really smart people that just want to help people?

  5. federal agency officials should nevertheless be held to at least the same data breach reporting standards that government wants to impose on private businesses.

    Careful, Ron. There are those who might interpret that as a threat.

    1. *branch* chippers, anyone? Treading on shaky ground there ….

  6. I wish that you were as strenuous and hardworking at keeping information out of the hands of hacker as are at keeping information out of the hands of Congress.

    I wish the legislatures who create these bureaucratic behemoths realized that this is what happens when they create them. Unaccountable bureaucracies exist for the bureaucrats. Not for ‘customers’ who are really tax payers.

  7. Katherine Archuleta… unfortunately, not a very wise latina.

    1. “If I had a wise latina daughter, she’d look just like Katherine.”

  8. I’d assume the Chinese have access to the private information of all Americans via other Fed data bases. When the EMP happens they’re going to steal all our stuff and we’re going to starve to death.

  9. Amazingly, I’ve read that this wasn’t some sort of clever hacker breach. No, a Chinese subcontractor (in China) was given root access. Leave it to the Obama administration to screw up outsourcing.

    1. To err is human… to really foul up requires the root password.

    2. People are the weakest point in any security system.

  10. This is why these data breach regulations are more important than ever.

    1. All but three states already have breach notification laws. California and Massachusetts require notification to all residents wherever the breach occurred. Pretty much all of them have a 30 day requirement. So even though there isn’t a single federal breach notification requirement there are forty-seven state ones, almost all of which probably apply, since this data was probably stored over a rather wide range of geographic locations.
      If you want the details, here’s a good summary.

  11. I am not convinced that the Chinese gov’t having some of my sensitive, personal data is a whole lot more dangerous than bureaucrats in DC having it.

    1. It’s less dangerous. (Fewer dangerous?) The Chinese don’t have a police force and SWAT teams roaming the land, looking for people and dogs to shoot.

    2. More dangerous: the federal government is not going to blackmail or recruit its own employees to work for a foreign government.

      1. Far as I’m concerned, Washington DC IS a foreign government.

      2. The Chinese government can’t use my information to lock me in a cage or kill me.

        1. They can try, but nominally, it would be an act of war.

          If the Feds do it, it’s enlightened policy.

  12. Why should the government care if people’s info gets stolen? The government doesn’t give a fuck about people. Even the people that work for it. They should have realized that a long time ago, but they thought they were “in”. Nope.

    1. They care when it’s their people.

    2. I think the reason this is a big deal is because it is information regarding applications for security clearances. That information likely includes potential weaknesses that could possibly be exploited, as well as enough PII to do some spear phishing.

      1. Not “likely.” Definitely. They make it their business to find out anything that could ever be used to blackmail anyone–and that’s exactly what was stolen.

        1. So do they have to let go everyone who was exposed who has a security clearance? If not, why not?

          1. I believe that’s covered under a provision of the federal code entitled “FYTW”.

          2. If not, why not?

            Because they’d have to fire every single one of them? And couldn’t replace them with anyone who’d ever previous applied or worked there?

            I mean, that’s fine with me, of course.

            1. But I thought national security was so important that it trumped all other concerns, including even the Constitution?

          3. So do they have to let go everyone who was exposed who has a security clearance? If not, why not?

            No, because if there was anything in their background that would be grounds for terminating their clearance, they most likely wouldn’t have one.

            1. I suppose, though what was once secret now isn’t.

  13. Government agencies like OPM do not have the spur of customer dissatisfaction to encourage transparency.

    To be fair, people could start deciding not to work for the government.

    1. That would be a nice bonus.

    2. Honestly, think about this: who does breaches like this cause to become more likely to work for the government? More competent, honest people, or people who don’t give a shit about their info as long as they get a guaranteed paycheck and union protection?

      The incentives involved in government are always incredibly perverse.

      1. I can’t begin to understand the psychology of volunteering for the federal government to interview your unconsenting friends and neighbors to begin with.

        1. Neither can I, but there are plenty of people out there who are plenty willing.

  14. Rules are for little people.

  15. the federal government is not going to blackmail or recruit its own employees to work for a foreign government.

    Those people have already voluntarily agreed to work diligently to destroy my freedom.
    They are the enemy.

    1. (Adds TLPB to the “list.”)

  16. I read an article earlier that the impacted employees were bitching about long hold times with the company that was hired to field questions about the breach. Pretty rich coming from government employees.

  17. I wonder if the data breach includes whatever leverage they have on John Boehner to make him into the #1 player for the Democrats?

  18. Google pay 97$ per hour my last pay check was $8500 working 1o hours a week online. My younger brother friend has been averaging 12k for months now and he works about 22 hours a week. I cant believe how easy it was once I tried it out.
    This is wha- I do…… ?????? http://www.Wage-Report.com

  19. Perhaps the Chinese can tell us who hired Craig Livingstone to give Hillary Clinton access to 800 of these files in the 1990s

Please to post comments

Comments are closed.