OPM letter distances agency from legal liability over hack

The government is distancing itself from legal culpability in a letter being sent to the millions of people affected by a massive government data breach.

When initially revealing the hack earlier this month, the Office of Personnel Management (OPM) said it would offer 18 months of free identity theft monitoring services.

But in its letter to federal workers whose data is considered at risk, the OPM included some clarifying sentences.

“These services are offered as a convenience to you,” said the letter, signed by OPM Chief Information Officer Donna Seymour. “However, nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose.”

This type of language echoes recent breach-notification letters sent out by most major private sector companies that have been hacked over the last year, said Adam Levin, chairman of identity security firm IDT911.

“More and more,” he said, “it’s becoming standard.”

However, the government’s wording does stand out, Levin added. “I’ve never heard that one before.”

On their face, the statements appear to be protection from employee lawsuits, experts said.

In the wake of major data breaches at companies like Target and Sony, firms have had to weather numerous class-action lawsuits that cost the companies tens of millions of dollars in legal fees and payouts.

But legal specialists point out that it’s not as easy to bring a case against the government.

In many instances, the government enjoys “sovereign immunity,” meaning it cannot face civil suits or prosecution over most subjects, several people said. Essentially, you cannot sue the government unless it says you can.

However, there are consumer protections written into law that enable individuals to file suit against the government for neglect.

The Federal Tort Claims Act allows people to sue federal employees for negligence within the scope of their jobs.

According to the Justice Department, people can sue for “property damage, personal injury, or death allegedly caused by a federal employee’s negligence or wrongful act.”

That could apply to the OPM breach, Levin said.

“They have your information. They have a fiduciary responsibility to protect that information,” he explained.

But as has been the case in past data-breach civil suits, it can be difficult to prove victims have suffered damage, Levin added. And in the case of the OPM breach, the pilfered data hasn’t yet shown up on dark Web forums, significantly reducing the risk of quantifiable fraud.

Chinese hackers are believed to have taken the data for intelligence purposes.

Others have pointed to The Privacy Act of 1974, which requires the federal government to protect information it collects, providing some path for litigation if an agency fails to do so. The law doesn’t specifically address cyberattacks, though.

Still, the OPM has been lambasted for failing to heed the warnings of its inspector general that its systems were not secure and needed to be shut down, which some might consider a violation of the Privacy Act.

The agency has defended itself, saying it was worried that shutting down those systems would mean a lapse in retirement benefits, employee benefits and worker paychecks.

“The intrusions into OPM’s systems were criminal acts committed by unknown adversaries for criminal purposes,” OPM spokesman Samuel Schumach said in a statement. “As a result, we have done and continue to do everything possible to protect the security of OPM systems and the records contained in those systems. We will also continue to contact those who may have been affected, and to offer credit monitoring.”