Rep. Gerry Connolly (D-Va.) said the Office of Personnel Management needs to do more to restore federal employees and congressional members’ confidence in its ability to get the job done.
But, he said, a recent personal experience didn’t help OPM’s cause.
“In my case, we approached OPM saying I’m probably part of the compromised information because I had a break in service and I had a security clearance. Initially, they said ‘No.’ And then it turns out they had misspelled my name, so I am part of the 4.2 million, but they got it wrong,” he said. “That is not a confidence inducing measure. I’m hearing anecdotally from constituents sometimes they get a letter and sometimes they don’t. If there is a lack of confidence, then you’re not even confident when they give you an assurance or even if they tell you, you’ve been compromised.”
Connolly said OPM spelled his name with an “e” instead of a second “o.”
While this one hiccup was relatively minor, Connolly said it goes to the broader issue with which OPM continues to struggle.
“They have to move swiftly to make sure that they’re communicating with federal employees and retirees that upper most in their mind is their privacy,” Connolly said, after he spoke at a conference on the Federal IT Acquisition Reform Act sponsored by the Association for Enterprise Information. “None of this is reassuring, obviously. I think it’s really important that OPM get the bad news out as soon as possible rather than have this drip, drip, drip of bad news that really erodes confidence in their ability to manage this situation.”
Connolly said he expects OPM to release specifics about the second breach next week, including how many people are impacted.
“I haven’t learned anything in private sessions, either classified briefing or in my private meeting with Director Archuleta that frankly we don’t already know in the private sector,” he said. “What we did know was the initial number thrown out there by some was not accurate, and probably not prudent because it really doesn’t help us understand the true nature of what happened and how many of us are at risk.”
So far, OPM only can say that 4.2 million current and former federal employees were impacted by the first breach. The second breach, which included security clearance data found in the SF86 forms, could range anywhere from 14 million to 18 million to 32 million or even more.
The frustration over how long it has taken OPM to come up with a second number is growing. The American Federation of Government Employees filed a class-action lawsuit on Monday as part of its effort to find out how many current and former federal employees are impacted, to get longer-term credit monitoring and for damages.
Connolly said he understands the balance OPM is trying to achieve by not putting out numbers that change every other day or every week. But, he said, OPM should release publicly all the data they can so employees, retirees and others can manage the bad news appropriately.
Unlike 18 of his Oversight and Government Reform Committee colleagues and other members who called for Archuleta and CIO Donna Seymour to resign, Connolly is undecided about whether the two executives should continue to do their jobs.
“I believe it’s too early. I want to give Director Archuleta and Ms. Seymour an opportunity to show what they’ve got in terms of responding to this crisis. I don’t know that the hearing we had was a reassuring one in terms of how they came across, and she and I talked about that,” he said. “The big thing for me is making sure you are tending to those who have had their personal information compromised. Initially, frankly, some of the responses come across as awfully bureaucratic and not empathetic in what obviously could be a devastating event in one’s life. I want to see more proactive empathy and assistance provided to those who, after all, are victims.”
Connolly said he wants to know more about what happened and how it happened, and he doesn’t think it’s Archuleta’s fault that the breach happened.
“I will hold her accountable for how she manages what happened in the aftermath, but hold her to account for what happened is a much bigger issue,” he said. “For some who have called for her head, it is a convenient way of avoiding the issue of the fact they didn’t vote to make the resources necessary to invest in the upgrading of our IT assets that might have prevented this kind of breach.”