Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
OPM Sued Again ... This Time by a Judge
Lawsuit Alleges Cybersecurity, Privacy, 'Einstein' FailuresThe U. S. Office of Personnel Management has been hit with yet another lawsuit related to its alleged cybersecurity and privacy failings, and the role they played in the massive breach that exposed background-check information that the agency was storing for 21.5 million people.
See Also: Gartner Market Guide for DFIR Retainer Services
But unlike the three other lawsuits already filed against OPM, this one differs in part because the plaintiff is a judge.
Teresa J. McGarry, who works as an administrative law judge for the Social Security Administration, filed her lawsuit earlier this month against OPM, the U.S. Department of Homeland Security, as well as KeyPoint Government Solutions, which is the largest provider of background-check services for the U.S. government.
McGarry's lawsuit, which seeks class-action status, alleges that OPM failed in its duty to maintain and safeguard the data that was in its care - including background-check forms containing extensive personal information from applicants, as well as copies of applicants' fingerprints - thus violating U.S. privacy laws, as well as government cybersecurity regulations. The suit seeks in part to make both OPM and KeyPoint take "reasonable steps" to implement and maintain a program to protect people's personally identifiable information. It also seeks unspecified damages.
Einstein Called Out
The lawsuit also takes aim at DHS and, in particular, its administration of the so-called Einstein intrusion detection system (see Senate Committee Passes Bill Requiring Einstein Use). "The system was created to detect and prevent intruders from compromising the cybersecurity of federal governmental databases, including those housed at OPM and other governmental agencies," the lawsuit says. "DHS failed as Einstein did not prevent intruders from breaching the OPM network and extracting sensitive files pertaining to millions of current, former and prospective federal employees and contractors."
Otherwise, the latest lawsuit against OPM largely recaps what is already known about the OPM breach. On June 4, the agency said that personal information for 4.2 million federal employees and retirees had been stolen. On June 12, the agency then disclosed that 21.5 million individuals' background-check records were also exposed. The breach led now-former OPM Director Katherine Archuleta to resign.
OPM investigators have told Congress that they found indications that hackers breached the agency using valid OPM credentials they'd already stolen from an employee of KeyPoint Government Solutions (see OPM Suspends Background Check System). But since KeyPoint suffered its own breach in December 2014, the lawsuit questions why, after that breach, OPM didn't immediately take its systems offline and lock them down, to prevent the exact type of breach it then suffered.
The lawsuit also cites OPM failing to remedy "material weakness[es]" in its cybersecurity program that were flagged by OPM's Office of Inspector General, dating from 2007, and which the OIG reported in 2014 were getting worse. The lawsuit also alleges that "OPM repeatedly failed to meet FISMA guidelines," in particular relating to "the areas of risk management, configuration management, incident response and reporting, continuous monitoring management, contractor systems, security capital planning, and contingency planning." It also cited a 2014 OIG audit, which noted that the agency lacked the centralized cybersecurity team it required.
Damages: Personal
Many OPM breach victims have questioned why the government was storing sensitive information about them in insecure systems, and have slammed officials for the slow speed of their response to the breach. Furthermore, it's not yet clear how much information about victims, as well as anyone named by victims in their background checks, may have been compromised (see Analysis: Why the OPM Breach Is So Bad).
Take McGarry, for example, who has logged more than 30 years of government service, including military service and time as a federal prosecutor, and who has had at least two background checks in the past - as required on condition of her employment - according to court documents. She was also interviewed for her spouse's background check in 2009, the suit says, and has served as a reference for multiple friends' background-check investigations.
McGarry's suit alleges that anyone named in those background-check investigation forms may now be at risk of fraud and identity theft, and notes that she has already "expended time and money to acquire credit monitoring and protection services to protect herself and her family from the effects of the OPM breach."
Accordingly, the lawsuit claims the breach resulted in actual damages as well as pecuniary losses, "including costs associated with mitigating the risk of identity theft, such as costs for credit monitoring services and identity theft insurance, and costs associated with freezing and unfreezing their accounts."
KeyPoint has until early September to respond to McGarry's lawsuit, while OPM and DHS - by virtue of being government agencies - have until early October.
But whether McGarry's lawsuit will avoid dismissal and potentially lead to a favorable ruling - or settlement - remains an open question. To date, legal experts say, many breach lawsuits get dismissed because judges rule that plaintiffs can't prove that they have suffered actual harm (see Why So Many Data Breach Lawsuits Fail).
The lawsuit does cite a press report - based on an interview with the CTO of security firm One World Labs - claiming that some stolen OPM data had been found being offered for sale on the Dark Web, in the days following the breach. But that report has been disputed, with some experts suggesting that while stolen data may have been stored online, there was no indication that it was being offered for sale.
Four Lawsuits - And Counting
So far, the OPM breach has resulted in lawsuits being filed against the agency by two unions - the American Federation of Government Employees and the National Treasury Employees Union - on behalf of their members, as well as a $5 million lawsuit filed by breach victim Marcy C. Woo. She worked for the federal government for 28 years, and her suit alleges that top officials at the OPM knew about cybersecurity deficiencies, but failed to fix them. Woo's lawsuit names OPM, as well as former director Archuleta, CIO Donna Seymour and KeyPoint.
OPM is currently offering 18 months of free identity theft monitoring to victims of the breach involving 4.2 million people. But some members of Congress have been pushing for free, lifetime monitoring for all victims. OPM has yet to issue breach notifications to background-check-record breach victims. The agency has also not yet said if it will offer identity theft monitoring for those victims, or for how long.