OPM’s $63 Million Breach Settlement Offer: Is It Enough?

A search of the federal courts' Public Access to Court Electronic Records (PACER) system shows that more than 130 separate lawsuits have been filed against the US government's Office of Personnel Management (OPM), all arising from the 2014 and 2015 data breaches that affected millions of people.

On June 3, 2022, in the U.S. District Court for the District of Columbia, Judge Amy Berman Jackson will hold a video hearing on the proposed $63 million settlement between the U.S. government's OPM, its security contractor Peraton (then KeyPoint) and the OPM data breach victims.

Interestingly, the proposed settlement sets a minimum payout for valid claims of $700 and a maximum of $10,000. While more than 22 million people had their information stolen in the 2015 breach, which was attributed to China's intelligence apparatus, only people "who suffered economic loss" are eligible to receive any of the settlement dollars, because only they have a claim under the Privacy Act.

OPM data breach resolution likely weak for many

Although the class period, May 7, 2014 to January 31, 2022, is broad, a claimant must have incurred out-of-pocket expenses for at least one of three purposes to be part of the class:

  1. To purchase a credit monitoring product, a credit or identity theft protection product, or any other product or service designed to identify or remedy the effects of a data breach
  2. To access, freeze or unfreeze a credit file with a credit reporting agency
  3. As a result of identity theft, or to mitigate identity theft

If the number of claimants is large, payouts will be "reduced in equal proportion before claimants are paid if the total value of all valid claims plus incentive payments awarded by the Court to the named plaintiffs exceeds the $63,000,000 settlement fund." A little arithmetic shows how low individual payments could go: at the $700 minimum, the fund covers only 90,000 valid claims before any reduction kicks in, and with more than 22 million people affected, a much larger claim count would drive every payout well below that minimum.

It should also be noted that OPM, in the course of notifying affected individuals, provided them with a pathway to obtain "identity theft restoration and credit monitoring services" and "identity theft insurance" to reimburse expenses if the individual or a member of their family became a victim of identity theft. All of this was free of charge to the individuals. Early uptake of these services may reduce the number of eligible claimants.

The Effects of OPM Data Breach Are Long Lasting

The settlement may look adequate until one factors in the magnitude of the OPM breach of background investigation records for national security clearances. In 2015, then-FBI director James Comey put it succinctly: "My SF-86 lists every place I've lived since I was 18, every foreign trip I've taken, all my family, their addresses," he said. "So it's not just my identity that's affected. I have brothers and sisters. I have five children. It's all in there."

OPM's SF-86 (Standard Form 86) is the Questionnaire for National Security Positions. Candidates fill out 136 pages of personal, sometimes deeply personal, information as the first step in applying for a US national security clearance. If granted the nation's trust, the individual is re-investigated every five years and asked to submit the form again. Those who have never held a national security clearance often wince at the depth of intrusion the SF-86 entails, and raise their eyebrows further when they learn that falsifying information on the SF-86 is a felony. Many have found themselves caught up in the criminal justice system for doing just that.

The compromised background investigation records included all the key elements of an individual's identity:

  • Social security numbers
  • Residence and education history
  • Employment history
  • Information about immediate family and personal and professional acquaintances
  • Medical, criminal and financial history
  • Results of interviews conducted by background investigators
  • Fingerprints
  • Usernames and passwords used to complete the forms

The period covered by the proposed settlement, through January 31, 2022, spans nearly eight years of exposure, but those whose entire file was compromised face the threat of their identity being misused or exploited for the rest of their lives.

It is not simply that an adversarial nation now knows individuals' darkest secrets. Every individual with a compromised background investigation record, former FBI Director Comey included, must maintain an ever-vigilant counterintelligence watch for how an adversary of the United States might use that information to the detriment of the individual or the country. In the worst case, some individuals' files contain directly exploitable information or vulnerabilities, guaranteeing them a permanent place on China's targeting matrix.

The 2016 congressional staff report, "The OPM Data Breach: How the Government Jeopardized Our National Security for More Than a Generation," eviscerated OPM for its lax information security posture. Since then, real progress has been made in securing government information, but as the director of the Cybersecurity and Infrastructure Security Agency (CISA) regularly reminds us, there is still much to do, and every entity must keep its "Shields Up."

Copyright © 2022 IDG Communications, Inc.