By Michaela Barry.
The still unfolding data breach at the United States Office of Personnel Management (“OPM”) has government employees and government contractors reeling. As of today, it is still unclear exactly what and how much data has been stolen, but even conservative estimates are staggering. If you are one of the millions of individuals who hold a security clearance (or who have ever been investigated for one), you should know that the thieves were able to access both Standard Form 85 and Standard Form 86. These forms contain highly sensitive personal information, including possible criminal conduct, interviews with neighbors and friends that can be revealing and may even be unknown to the clearance holder, mental health conditions, illegal drug use, police records, bankruptcy filings, and foreign travel and contacts.
Standard Form 86 is a 127-page form. It is a Pandora’s Box of data, useful for blackmail, extortion, or other nefarious purposes. The thieves can learn where clearance holders’ children go to school, past residences, the names of neighbors and college roommates, and which family members overseas may be vulnerable, among other things. The records map the network of relationships of every one of the 4.9 million security clearance holders, 1.4 million of whom hold Top Secret clearance or above. They also cover individuals who were denied security clearances, with the reasons for denial stored in those same records.
This was clearly a coordinated effort, beginning with a “test” breach of OPM in March 2014. Soon thereafter, U.S. Investigation Services LLC (“USIS”), a background check provider for the Department of Homeland Security, was attacked, affecting 27,000 DHS employees. In November 2014, OPM provided a semi-annual report to Congress indicating “significant” deficiencies in OPM’s IT security practices, including the lack of multi-factor authentication. No significant changes were made to OPM’s security as a result of these findings. Before the OPM attack, the health insurer Anthem reported a breach of 80 million customer records, with domains and IP addresses traced back to Chinese hackers. Premera Blue Cross, a participating provider in the Federal Employees Health Benefits Program, reported falling victim to the same type of attack, with 11 million records breached; this time, actual clinical information was disclosed. Soon after Premera, CareFirst, the largest insurance provider for federal employees, was breached, exposing 1.1 million records. All of these attacks used similar methods and appear to have come from the same general source.
So what should you do to protect yourself? Whether you are a federal employee, contractor, or clearance holder, or simply someone who uses credit cards, banks online, or pays taxes, your data has likely been exposed in one breach or another (for example, 90 million records were exposed at Home Depot, 40 million at Target, and so on). After these breaches, the record holders often provided free credit monitoring to the victims, but does that protect you adequately?
Credit monitoring alerts you when someone uses your personal information to open new accounts or otherwise accesses your credit file. It detects misuse after the fact; it does nothing to prevent it. In addition, credit monitoring does nothing for you if you are one of the millions of clearance holders whose highly sensitive personal information is no longer private.
If you hold or have been investigated for a security clearance, it would be wise to file a Freedom of Information Act (FOIA) request and a request under the Privacy Act for your investigative file. If you know which agency conducted your investigation (usually the Defense Security Service or the Office of Personnel Management), submit the request to that agency’s FOIA office. At the very least, this will tell you what information may have been breached.
In addition, consider contacting the four major credit bureaus (Equifax, Experian, Innovis and TransUnion) and requesting a security freeze, which blocks new creditors from pulling your credit report. You will receive a PIN that you can use to lift the freeze if you wish to apply for a new line of credit. There may be a fee involved; however, in most states the fee is waived if you can provide a police report or other proof that you have been the victim of identity theft. Credit bureaus also offer fraud alerts that last for 90 days, which you can extend if you have an official record showing that you have been the victim of identity theft.
Lastly, become an encryption advocate. Encrypted data is much harder to steal in a usable form. None of the data stolen from OPM, Target, Home Depot, Anthem, CareFirst, or Premera was encrypted. The combination of multi-factor authentication (for example, requiring a password plus a Common Access or “Smart” Card, or a one-time code such as the ones banks text to your cell phone before allowing major changes during online banking) and encryption would have gone far toward preventing each of the attacks leading up to the OPM breach, as well as the breach itself. One caveat: encryption at rest only helps if the attacker cannot obtain the keys or log in as an authorized user, because a system will decrypt records for anyone presenting valid credentials. That is why encryption must be paired with strong authentication rather than relied on alone.
If you are a government contractor, expect new regulations to be issued regarding data security. Unfortunately, we are already seeing reactionary responses from regulators and Congress, many of which have not been well thought out or weighed against the budgetary constraints imposed upon federal agencies. Some of these proposed regulations would shift much of the data security burden to contractors who are already feeling the squeeze.
Note: if your investigation was completed after February 20, 2005, send your FOIA and Privacy Act request to OPM, as those records were transferred there.
This bulletin is not intended as legal advice. Readers should seek professional legal counseling before acting on the information it contains.