A second federal employee union is suing the Office of Personnel Management over the two recent cybersecurity breaches.
The National Treasury Employees Union announced Wednesday it was suing OPM, saying the agency violated the constitutional rights of union members by exposing their private information to hackers. The suit was filed in the U.S. District Court for the Northern District of California.
“Federal employees entrust highly personal information to OPM with the expectation that it will be kept confidential and safe from unauthorized access. OPM’s failure to do so violated our members’ constitutional right to informational privacy,” said Colleen M. Kelley, NTEU national president, in a release. “We believe that a lawsuit is the best way to force OPM to take immediate steps to safeguard personnel data, prevent such attacks in the future and help our members protect themselves against the fallout.”
NTEU’s lawsuit differs from the one filed last month by the American Federation of Government Employees, which seeks compensation for federal employees harmed by the recent attacks on the agency’s personnel databases based on protections under the Privacy Act.
“We too considered the viability of a case that was brought under the Privacy Act, and our conclusion was that while not impossible, it would be very difficult to prevail under the Privacy Act,” said Greg O’Duden, NTEU’s attorney. “Our conclusion was that a cause of action based on a constitutional right to informational privacy was very solid and would allow us to get a meaningful remedy.”
The union is hoping the court will issue an injunction against OPM, compelling the agency to honor the union’s list of demands.
“NTEU is asking the court to order OPM to immediately correct its security deficiencies, to stop OPM from collecting NTEU members’ personal information electronically until the court is satisfied that all necessary steps to safeguard NTEU members’ personal information have been taken,” Kelley said.
In addition, OPM should provide lifetime credit monitoring and identity theft protection to union members at no cost.
“There are many questions about the data breaches that OPM has still not answered, including whether it has been able to identify all of the individuals who are affected and when they will all be notified,” Kelley said. “But what is known is that OPM failed to take adequate measures to protect this very private information that it was obligated to protect.”
The scope of NTEU’s lawsuit only applies to the union’s 85,000 members.
“We believe that if we’re successful in this suit, there is a legal path that can be followed for other impacted individuals, including family members,” Kelley said.
On June 4, OPM first reported a December 2014 cyber breach had affected the personally identifiable information of 4 million current and former federal employees. OPM began notifying those impacted by email and traditional mail, contracting out the duties to Winvale and CSID.
News of a second data breach at OPM came on June 12. This time, the breach impacted systems containing background information of current and former federal employees seeking security clearances.
On June 15, Federal Chief Technology Officer Tony Scott issued a 30-day cyber sprint, ordering agencies to take immediate and specific actions over the next month to further improve the security of their systems and data.
In addition, OPM Director Katherine Archuleta made multiple appearances on Capitol Hill, answering lawmakers’ questions about the state of her agency’s cybersecurity, its response to the breaches and the effectiveness of the contractors it chose to notify impacted individuals.
The agency also released a 15-step cyber improvement plan, detailing how it would manage its ongoing response going forward and mitigate future incidents.
OPM has yet to release information on how many people were affected by the second breach, although it is expected to do so some time this week. Initial reports from the Federal Bureau of Investigation, which is leading the investigation, suggest that sensitive and personal information of as many as 18 million people could have been affected by the breaches.
Is OPM breach just the tip of the iceberg?
Today on Capitol Hill, the House Subcommittee on Research and Technology and Subcommittee on Oversight hosted a hearing entitled “Is the OPM Data Breach the Tip of the Iceberg?” Witnesses testified about OPM’s ongoing cybersecurity challenges.
“Despite explicit warnings by inspectors general since 1997, OPM continually failed to put in place adequate safeguards for both its aged and newer computer systems,” said David Snell, federal benefits service director at the National Active and Retired Federal Employees Association, in his written testimony. “Through acts of omission and commission, the agency permitted the theft of massive amounts of personally identifiable information. Even now, as OPM works to remedy the situation, the current OPM inspector general issued a flash audit of OPM’s plans to improve its data security and found them to have a ‘very high risk of project failure.’”
Michael Esser, assistant inspector general for audits at OPM, outlined a number of areas of concern the Office of the Inspector General has reported on since 2007. Examples included poor information security governance; security assessment and authorization; and technical security controls.
Esser testified that OPM faces the difficult task of modernizing its IT environment and also struggles to meet requirements under the Federal Information Security Management Act.
“Although some areas have improved, such as the centralization of IT security responsibility within the [Office of the CIO], other problems persist,” Esser wrote. “Until OPM’s security weaknesses are resolved, OPM systems will continue to be an inviting target for attackers.”