Feds Violate Data Breach Reporting Requirements They Would Impose on Private Companies

Office Personnel Management data breach perhaps 18 million - 4X larger than reported, says CNN



The federal government's Office of Personnel Management apparently discovered in April a massive security breach of its systems in which the personally identifiable information at least 4 million government employees was rifled through by Chinese government hackers. The OPM waited at least two months—that would be more than 60 days—to begin notifying current and former federal employees of the breach. Now, CNN is reporting that the hackers may have accessed personal information of 18 million current and former government employees.

Earlier this year the Obama Admininstration proposed the Personal Data Notification & Protection Act which, among other things, would require any business …

…that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired, unless there is no reasonable risk of harm or fraud to such individual.

Unless the business can demonstrate reasons for delay, they must inform customers about the security breach within 30 days of discovering the intrusion.

To be fair, the data protection act does allow for "reasonable" delays in notifying customers if a breached company can demonstrate to the Federal Trade Commission that …

…additional time is reasonably necessary to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment, restore the reasonable integrity of the data system, and provide notice to an entity designated by the Secretary of Homeland Security to receive reports and information about information security incidents, threats, and vulnerabilities when required. If the Commission determines that additional delay is necessary the agency may extend the time period for notification for additional periods of up to 30 days each. Any such extension shall be provided in writing.

Interestingly, when hackers stole the credit information from millions of Target customers in 2013, the company began notifying customers three weeks after the breach was discovered. Neiman Marcus was informed by a payment processor in mid-December 2013 about some unauthorized charges. A cyber forensics firm confirmed that malware had been installed in its network that stole customer data on January 1, 2014. The company began notifying its affected customers on January 11. Some businesses may make the mistake of sacrificing customer trust by trying to hide or excessively delay notification of data breaches, but the profit motive provides a strong impetus to private companies to come clean with customers.

Government agencies like OPM do not have the spur of customer dissatisfaction to encourage transparency. Perhaps OPM may have deemed its delayed notifications as "reasonably necessary," but federal agency officials should nevertheless be held to at least the same data breach reporting standards that government wants to impose on private businesses.

The CNN report noted:

Katherine Archuleta, who leads OPM, is beginning to face heat for her agency's failure to protect key national security data—highly prized by foreign intelligence agencies—as well as for how slowly the agency has provided information.

Rep. Stephen Lynch, D-Mass., at a hearing last week told Archuleta: "I wish that you were as strenuous and hardworking at keeping information out of the hands of hacker as are at keeping information out of the hands of Congress."


Update: The Washington Post is reporting today that the computer system touted by OPM for finding the data breach, according to a just completed inspector general audit, "is itself at high risk of failure."

Not even good enough for government work.