It has been nearly three years since a massive data breach compromised the security clearance information of more than 20 million current and former federal employees and their families.
Aftershocks continue to be felt today in the form of lawsuits and an unfavorable report from a congressional watchdog group.
On Sept. 19, U.S. District Judge Amy Jackson threw out lawsuits filed by federal unions and employees against the Office of Personnel Management, according to Federal News Radio. In her decision, she cited the government’s immunity from lawsuits, as well as the difficulty of legally proving harm as the result of having personally identifiable information stolen.
The National Treasury Employees Union and the American Federation of Government Employees each filed separate suits. The NTEU suit claimed the Office of Personnel Management violated its members’ constitutional rights by exposing their personal information to hackers, Federal News Radio reported. The AFGE suit sought class-action status to represent all current and former employees whose information was stored in the databases that were compromised.
The NTEU has appealed Jackson’s decision.
Failure to Protect After the Breach
In August, the Government Accountability Office released a report that found the Office of Personnel Management still fails to properly protect its computer networks, NextGov reports.
OPM has implemented or made progress on 19 recommendations made by the U.S. Computer Emergency Readiness Team to improve information security practices and controls, the GAO report states. Four additional recommendations still must be implemented.
Items remaining to be addressed include encrypting data stored in one of OPM’s high-value systems that would be most attractive to hackers, and encrypting data as it passes in and out of another high-value system, according to NextGov.
OPM also still needs to implement access controls for its computer systems so that only those who need access can gain it, by providing two identifying methods to log in. The agency also needs to develop proper security controls for contractors, NextGov reports.
Another area of concern expressed by some federal elected officials in August is whether the offer of credit monitoring following the breach goes far enough to protect the victims, according to NextGov.
House Energy and Finance Committee Reps. Frank Pallone, Jr., D-N.J., Diana DeGette, D-Colo., and Jan Schakowsky, D-Ill., asked the Government Accountability Office to look into the effectiveness of current strategies that are in place following breaches, “the extent of the protection each one offers, and the factors agencies weigh in choosing a response to a breach,” the NextGov article states. “Lawmakers also would like GAO to see if there are better solutions not currently being offered.”
The Office of Personnel Management reported on June 4, 2015, that a breach had happened in December 2014 that exposed the personal information of about 4 million current and former federal employees, Federal News Radio reported. On June 12, 2015, the organization released information on a second breach that had exposed the information of current and former employees who had sought security clearances.