OPM Hack: Overview of the Long Term Implications
The Office of Personnel Management announced last week that it had been hacked -- hard. The OPM is essentially the human resources department for the entire federal government, which just happens to be the largest employer in the nation. The personal information of over 22 million people, or almost seven percent of the entire U.S. population, was stolen.
The information stolen included almost 20 million background investigation forms, over 1 million fingerprint records, and thousands of confidential security clearance dossiers. The fallout from the OPM hack promises to last for years, threatening the federal government, individuals, and even national security.
"There's No Fixing It."
The hack is made worse by the sensitivity of the information stolen, presumably by the Chinese government. Personal information, such as names, addresses, birthdates, and social security numbers, was taken. This put millions at risk of fraud and identity theft. The loss of security clearance dossiers could be even more damaging. Those documents include information on drug abuse, alcohol use, affairs and the like -- everything you need to blackmail a federal employee.
And then there are the fingerprints. The loss of fingerprint information is potentially the most threatening consequence of the hack, largely because the government and cybersecurity experts just aren't sure how that information could be exploited. That uncertainty makes the risks harder to protect against. As the former Director of the CIA, Michael Hayden, said to FedScoop:
"I don't think there is recovery from what was lost. It remains a treasure trove of information that is available to the Chinese until the people represented by the information age off. There's no fixing it."
OPM's Response and Liability Issues
Publicly, the OPM is contacting those whose private information was compromised. The government is offering victims credit monitoring and identity theft protections for 18 months -- just enough time to get another social security number and a new set of fingerprints. Their letter to hacking victims disclaims all responsibility and liability, however. The services are "offered as a convenience."
Of course, plenty of commentators are willing to blame OPM. The Hill, for example, notes that federal employees may be liable under the Federal Tort Claims Act, which waives sovereign immunity for lawsuits over federal employees' negligence. Similarly, the Privacy Act of 1974 requires that the government protect the personal information it collects, potentially opening another path to litigation. Two federal employee unions have already sued, demanding that the OPM provide lifetime monitoring and greater security for its data in the future.
Issues of liability and redress will continue to play out over the upcoming months and years. The risks of fraud, identity theft and to national security won't be going away soon, either.
Related Resources:
- Caught up in the OPM Hack? You Might Be Able to Sue the Government. (The Washington Post)
- China Moves to Increase Cybersecurity, Adding Internet Restrictions (FindLaw's Technologist)
- Hacking Continues: European Central Bank Is the Latest Victim (FindLaw's Technologist)
- No Smartphone is Sacred: NSA Hacks All Major Platforms (FindLaw's Technologist)