Largest Breach in U.S. Government History Is a Wake-Up Call on Need for Encryption


The United States Office of Personnel Management (“OPM”) has disclosed that it was the target of what has been described as the largest breach in U.S. government history, affecting the personal information of up to 14 million current and former federal employees, not 4 million as initially disclosed. The government employees’ stolen information includes Social Security numbers; military records and veterans’ status information; addresses; birthdates; job and pay histories; health insurance, life insurance, and pension information; sensitive health information; and age, gender, and race data. On top of that, it is reported that the personal information of individuals who provided the federal government with information related to applications for security clearances, including family and friends of the government workers, was also exposed.

Officials also disclosed an intrusion into the security clearance database that was separate from the breach of federal personnel data announced last week and that it was unclear whether the security database breach happened when OPM’s computer networks were breached in 2013, an attack that was discovered in July 2014.


All of this has happened just after OPM’s Office of the Inspector General harshly criticized OPM for its lax security in a November 2014 report on the agency’s compliance with the Federal Information Management Act. The report found “significant” deficiencies in OPM’s IT security program. Specifically, it noted OPM’s lack of encryption and the agency’s failure to track its equipment. It also found that OPM failed to maintain an inventory list of its servers and databases and did not even know all the systems that were connected to its networks. OPM also failed to use multi-factor authentication for workers accessing the systems remotely from home or on the road. So the government requested the most sensitive information of its employees and other citizens and, based upon the OIG report, failed to secure it properly.

Employees are required to provide their most sensitive data to their employers. Most employers now do background checks, which require providing a full Social Security number. Employers also need a Social Security number and other personal information to verify citizenship, to fill out I-9 forms, for payroll, benefits and tax information, and in this instance, highly personal information from family and friends who are involved in ensuring that federal government employees are qualified for a government position or a high security clearance. Nonetheless, as was seen with another federal agency, the Internal Revenue Service, the government and private employers are not properly protecting highly sensitive personal information from exposure and risk.

There is presently no evidence that the information breached by OPM has been misused. But certainly there is plenty of evidence that taxpayers whose information was hacked through the IRS in order to file fraudulent tax returns have been harmed. What recourse do employees have when their data is compromised from the employer's database (whether the employer is the federal government or a private employer)? And how are companies supposed to protect our data if the federal government can’t?


It is becoming more and more difficult to combat the black hats, who spend every day trying to hack into U.S. government and companies’ systems. The federal government obviously needs to invest additional resources into its IT systems to enhance security, including employing encryption technology. Private companies are also broadening the use of encryption technology. IT security should be a top budget priority for every company to protect their employees’ and customers’ data. Employees are reasonable in assuming that their employer is protecting their personal information from compromise. The obvious way to do that is to maintain appropriate encryption technology. Simply put: encryption, encryption, encryption! Encryption in transit and at rest.


Privacy and security professionals have been saying this for years, but now that we are experiencing widespread and devastating data breaches, it should be obvious that it is no longer sufficient merely to encrypt laptops, removable media (even though we still see breaches involving unencrypted laptops and flash drives) and mobile devices, to use a VPN connection, and to have a BYOD policy. The hackers are far more sophisticated now than ever before. Although employees complain about what a pain it is to use encryption, its widespread use must be implemented in both the private and public sectors. Consider implementing encryption technology in transit and at rest, and employees should welcome the technology that protects their own data in the company’s possession.

So employees—stop complaining about using encryption when your employer offers it. Stop whining about it and ignoring it when you should and are required to use it. It is not going away, and it is basically the only way to protect data (yes, that is debatable too). But most importantly, it is the only way to protect YOUR DATA as an employee. Help your employer protect all of its high-risk data—including your own—by embracing encryption and other IT security measures implemented by your employer. Companies are increasingly aware that it is not a matter of if, but a matter of when there will be a breach or hacking incident. More and more sophisticated measures are being taken by even the smallest of companies to protect data. Employees are a vital link in implementing the security measures, and are part of the solution. Be a good corporate citizen and assist your employer in protecting itself, and in the process, you will be protecting yourself.

*

[Linn Foster Freedman is chair of law firm Robinson+Cole’s Data Privacy + Security practice, and lead author of their Data Privacy + Security Insider blog. Follow Ms. Freedman's additional writings here.]
