While data breaches have become a common occurrence, the epic breach of the Office of Personal Management (“OPM”) records stands out for many reasons. The hackers obtained PII on at least 21.5 million people and accessed highly confidential background check and security clearance information, including personal details such as fingerprint data and financial history. But what is most shocking is that the federal government was aware of security flaws within OPM’s computer system for years before the breach, yet never addressed those vulnerabilities.
Reports from the Office of Inspector General (“OIG”), which audits OPM, show OPM had been on notice of material weaknesses in its information system security program going back to 2007. In its most recent report, the OIG declared the state of OPM’s security program was “alarming and represents a systemic issue of inadequate planning by OPM program offices.” Among other glaring issues, the OIG reported that OPM had:
- incomplete security authorization packages,
- weaknesses in testing security controls,
- failed to conduct an agency-wide risk assessment,
- no comprehensive inventory of servers, databases, and network devices, and
- previously experienced hacking attempts.
The OIG issued strong warnings for the OPM to adequately secure the highly sensitive data in the agency’s possession. Following the breach, Sen. Jerry Moran (R-Kan.) concluded that all the warning signs for the agency were there and the breach was not a resource or a money issue, but “a management issue.”
This unprecedented breach reinforces what corporate America should know and what apparently the federal government forgot: companies must promptly respond to the results of their IT security program audits to fix identified flaws. It is meaningless for policies and procedures to state a company will conduct “periodic audits” of its cybersecurity systems if the results are not analyzed and a plan to resolve known issues is not implemented. And regulators are likely to be less sympathetic after a security breach if a company knew of a security problem in advance but failed to address it. Corporate management must lead this effort and encourage the company to evolve its security systems to protect against weaknesses.
Moreover, the FTC emphasized that not only will it take action against companies that fail to address known security weaknesses, but it is also prepared to take action against companies that know, or should know, of their vendors’ security vulnerabilities. In other words, if a vendor puts consumer information at risk, the company may ultimately be held responsible for a security breach of the vendor. Therefore, not only should vendor contracts specify how the vendor will secure data, but the company should review the vendor’s capacity to meet such requirements.
It will take the federal government years to recover from this cybersecurity failure. If OPM was a private or public company, rather than a government agency, a breach of this scale would likely spell the end for the corporation. To avoid such a situation, companies should start by (1) reviewing policies and procedures to ensure they include a detailed plan for responding to audit results, including timelines, and identify the individuals responsible for implementing and testing solutions; and (2) reviewing vendor contracts and the strength of vendor security programs.