In the aftermath of the data breaches at the Office of Personnel Management (OPM) in June, there have been two class action suits filed against OPM. The most recent of these, filed earlier this week, was started by Teresa J. Mcgarry, an administrative law judge with the Social Security Administration. Mcgarry says in the lawsuit that her personally identifiable information was potentially compromised because she underwent two separate background checks to gain employment as a federal judge.
In two breaches of OPM’s servers, 22.1 million people had their personnel information stolen by hackers suspected of being part of the Chinese government. The severity of this theft of data cannot be overemphasized. The cyber-attack, which was originally said to have compromised the data of “possibly millions,” was later reported to have involved over four million people. In July U.S. officials raised that number again. According to a report by the Washington Post, the data breaches “exposed sensitive information about at least 22.1 million people, including not only federal employees and contractors but their families and friends.” Since OPM serves as the “department of human resources” for the federal government, this information is particularly sensitive and would be useful intelligence for a foreign power — such as China — to acquire.
Even FBI Director James Comey called the theft of this data “a very big deal from a national security perspective and from a counterintelligence perspective.” He also said, “It’s a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government.” That would certainly include Judge Mcgarry.
OPM Director Katherine Archuleta resigned after members of the House Oversight and Government Reform Committee called for her to do so, in the wake of her inability to adequately explain why OPM had not taken appropriate measures to protect such sensitive data. The Office of Inspector General for OPM had warned the agency as early as 2007 of serious holes in the cybersecurity of its servers. Back in November 2014, Michael Esser, OPM’s assistant inspector general for audit, even recommended that the OPM shut down some networks due to security risks. OPM’s refusal to heed those warnings resulted in the largest data breaches in U.S. history and handed China a treasure trove of sensitive information.
In late June, the American Federation of Government Employees (AFGE) filed the first class action suit against OPM in the U.S. District Court for the District of Columbia. That suit alleges that OPM; its director, Katherine Archuleta; its chief information officer, Donna Seymour; and KeyPoint Government Solutions, a contractor hired to provide investigative and risk mitigation services to OPM, failed to take the correct measures to protect the sensitive and personally identifiable information on OPM’s servers, even though they were aware of the security risks.
This new class action suit was filed in the U.S. District Court of Colorado. It is notable because — besides being filed by a federal judge — it names as defendants not only OPM, but also the Department of Homeland Security (DHS). The suit alleges that OPM failed to meet the standards of the Federal Information Security Management Act (FISMA) and that both OPM and DHS violated the Privacy Act of 1974 and the Administrative Procedure Act.
It will be interesting to see how these suits proceed. The incompetency of government officials in ignoring standard security protocols and allowing these data breaches has already had a tremendous impact on 22.1 million Americans. Now, maybe it will have a negative impact on those responsible.