Tuesday, June 23, 2015

Federal Response to the OPM Data Breach

The following is a guest post from a very hard working, dedicated, and friendly man in uniform that I am honored to know and work with: Joe Schweickert. As a veteran myself, serving from 1985-1993, this is a deeply disturbing HR issue: the military personnel records have been exposed.

By now, most of us have heard about the OPM (Office of Personnel Management) data breach, in which hackers (allegedly sponsored by China) gained access to personnel records of current and former federal employees. A recent interview with Jason Miller, Executive Editor at Federal News Radio, discussed the two different breaches, and the federal response to improve security for information systems. 

First, it is important to understand that there have been two separate breaches at OPM. The first, and more widely reported, involves personnel records on up to 14 million current and former federal employees, dating back to the 1980s. The second involved background investigations on employees, military members, and contractors who possess security clearances. These investigations (using the SF86 questionnaire, which can exceed 100 pages) include sensitive information such as criminal records, bankruptcies, and substance abuse history, as well as information on relatives. For a foreign intelligence operation, this presents an enormous opportunity to identify potential targets for blackmail.

The federal response, as outlined by Federal CIO Tony Scott of the Office of Management and Budget (OMB), involves four steps:

  1. Fix all critical vulnerabilities within 30 days – part of the federal ‘Cybersecurity Sprint’.
  2. Tighten policies on ‘privileged users’ – requiring administrators to use two-factor authentication for access to systems, which limits what an attacker can do with a stolen password.
  3. Accelerate use of ‘smart cards’ for system access for all users – government-wide use is only about 42%, but agencies (such as Defense) that have adopted smart cards have seen a significant decrease in hacks. (See the example smart card below – access to the computer requires both inserting the physical card and entering a PIN.)
  4. Deploy ‘indicators’ to scan systems and logs and detect breaches.

(Image: Federal ID smart card)
Additionally, OPM has initiated a massive notification campaign to explain the breach to all affected employees, and has contracted for credit monitoring services for 18 months. Part of the interview focused on concerns about the bidding process for that contract, but that is of more interest to acquisition experts than HR professionals.

While this breach is unprecedented in scope, it highlights a vulnerability common to all HR functions, whether you manage payroll for a local diner or have millions of employees. From the first day the employee turns in an application or fills out their W-4, they are entrusting us with their personal information. This information is critical to ensuring we provide them the pay and benefits they earn, but it is also a potential target for identity theft, harassment, or exploitation. 

As HR professionals, we must ensure personal data is protected. For the federal government, this is mandated by the Privacy Act of 1974, but private sector employers are also bound by laws such as the Health Insurance Portability and Accountability Act (HIPAA). Protection includes strong technical safeguards, such as smart cards, complex passwords, and robust firewalls. But it also includes physical security measures – keeping paperwork locked when not in use, and ensuring portable devices are secured.

We have had incidents in our organization of individuals emailing personal information, covered by the Privacy Act, to a home email to ‘work from home’, which exposes it to hacking. We have also had information exposed when an employee left their laptop in their car and it was stolen. In both cases, we had to take steps to mitigate the damage, by identifying whose information was vulnerable and notifying the employees. This affects employee morale and trust in the organization. 

Remember, taking care of people includes taking care of their information – information security is our responsibility.