IT lawmaker: ‘Outrageous’ that OPM hasn’t apologized

It’s “outrageous” that the Office of Personnel Management has yet to say “my bad” for the massive breach that exposed the private data for over 21 million federal employees and others, Rep. Will Hurd (R-Texas) said in an interview with Passcode.

“One of the things that was so egregious to me is that OPM never said, ‘I’m sorry,’ ” the chairman of the new House Oversight Subcommittee on Information Technology said in a Passcode podcast episode. “That is what’s outrageous.”

{mosads}Hurd’s comments come just days after OPM admitted that it underestimated by approximately 4 million the number of individuals whose fingerprints were stolen in the breach.

The agency revised its original estimate of 1.1 million to 5.6 million after it discovered archived records not previously analyzed. It has faced vitriolic criticism from lawmakers — including the Oversight Committee — for the mistake.

“OPM keeps getting it wrong,” Oversight Committee Chairman Jason Chaffetz (R-Utah) said. “This breach continues to worsen for the 21.5 million Americans affected. I have zero confidence in OPM’s competence and ability to manage this crisis. OPM’s [information technology] management team is not up to the task. They have bungled this every step of the way.”

Other lawmakers have also demanded a formal apology from the agency.

During June Oversight hearings in which many called for the resignation of then-director Katherine Archuleta, Rep. Ted Lieu (D-Calif.) expressed frustration that officials hadn’t issued an apology.

“When is OPM going to apologize to federal employees that had personally devastating information released through their SF-86 forms?” Lieu asked. 

Archuleta, who resigned in June, told members that “if there is anyone to blame, it is the perpetrators.” 

“I don’t believe anyone [at OPM] is personally responsible,” Archuleta said.

Acting director Beth Cobert has emphasized that the agency is working to assist victims and prevent further breaches, stopping short of issuing an apology.

“Millions of individuals, through no fault of their own, had their personal information stolen, and we’re committed to standing by them, supporting them and protecting them against further victimization,” Cobert said in September. “And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

The agency explicitly distanced itself from liability in its notification letters for the first, less extensive breach, which exposed around 4 million records.  

“Nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose,” the letter read.

The OPM is currently facing a series of class-action lawsuits over the hack that claim Privacy Act violations, likely one of the key reasons behind the agency’s staunch refusal to accept responsibility.

Experts suggest that the lawsuits pose a limited threat to the agency, however. 

For one thing, the government often enjoys “sovereign immunity,” meaning it cannot face civil suits or prosecution over most subjects, experts say.

In addition, plaintiffs in data breach cases can struggle to establish legal standing. In other words, if the data hasn’t shown up on the dark Web yet — which the OPM data appears not to have — victims of the data breach may have trouble demonstrating they’ve actually been harmed. 

Hurd also criticized the agency for its failure to be transparent about notifying victims of the breach.

Earlier this month, the OPM together with the Department of Defense announced a $133 million contract that would alert victims that their data was compromised, in addition to providing three years of identity protect services.

“We still don’t know: Has everybody who has been potentially implicated been notified?” Hurd said.

The agency said that it would begin sending notifications this month, a process that will take several weeks.

Because the contract was not awarded until two months after the breach was revealed, some victims may not find out their data was taken until November.

“One of the forms you use in the background investigations is 100 or so pages. If you had a security clearance and your neighbors were interviewed, your neighbors’ Social Security Numbers and details were included. If you were married and let’s say you got divorced, was that divorced spouse notified?” Hurd asked.

He indicated that the Oversight Committee will be holding another hearing on the notification process.

Chaffetz last week demanded that the DOD turn over a copy of the contract as well as information detailing the notification process.

Hurd has been explicit in warning that the Oversight Committee will continue to level scrutiny on federal cybersecurity practices.

He told a D.C. cybersecurity conference in early September that ensuring a robust federal IT infrastructure is an area where he has “a lot of latitude” — and that he expects to be exercising that authority in the coming months.