When it comes to losing data to hackers, the federal government appears to have much more leeway than private corporations in deciding what to disclose—and when.
That point has been driven home by developments in the breach of Uncle Sam’s human resources agency, the Office of Personnel Management.
On Friday, as major news outlets wound down for the weekend, an unnamed U.S. official disclosed to The Associated Press that data thieves took records for up to 14 million past and present federal employees and contractors.
That’s more than three times the initially disclosed 4 million victims. The timing of the “news leak” was tactical. Had it come on any other weekday, it would have commanded much more intense media attention.
According to The Associated Press, there appears to have been two breaches. And the stolen data, indeed, included 30 years of details kept in the government’s Standard Form 86, a 127-page questionnaire that anyone seeking national security clearance is required to fill out.
“The ironic thing about the SF86 is that it’s supposed to keep you from being blackmailed,” observes Ron Gula, CEO of network security monitoring firm Tenable. “This personal data is invaluable to other nation-states, competing government contractors, to the media and organizations wanting to commit identity fraud.”
Gula said he hopes security officials at OPM were tactical-minded enough to mix fake accounts into the database storing SF86 dossiers. That’s a proven way to entrap recruiters looking for counterspy prospects.
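The "fake accounts in the database" idea Gula describes is what defenders usually call decoy or honeytoken records: identities that were never issued to a real person, so any read, export or inbound contact that touches them is a signal rather than noise. The following is an added illustration of that pattern, not code from the article, from OPM or from Tenable; the record layout, the reserved id prefix, the `example.invalid` addresses, the key value and the audit-log lines are all constructed for the example.

```python
"""Decoy (honeytoken) personnel records: seed a record store with fake
identities and flag any activity that references them.

Added illustration only; all identifiers, key material and log lines are
constructed and stand in for whatever a real records system would use.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Key used to derive decoy identifiers. Constructed placeholder; a real
# deployment would keep this separate from the records system itself.
DECOY_KEY = b"example-decoy-key-not-for-production"


@dataclass(frozen=True)
class PersonnelRecord:
    employee_id: str
    name: str
    email: str
    is_decoy: bool = False


def make_decoy(seq: int) -> PersonnelRecord:
    """Build a decoy whose identifiers are unique and never assigned to real
    staff, so their appearance anywhere is meaningful."""
    tag = hmac.new(DECOY_KEY, f"decoy-{seq}".encode(), hashlib.sha256).hexdigest()[:10]
    return PersonnelRecord(
        employee_id=f"E9{tag[:6]}",        # "E9" prefix reserved for decoys (assumption)
        name=f"Decoy Person {seq}",
        email=f"dp{tag}@example.invalid",  # reserved TLD: never deliverable
        is_decoy=True,
    )


def seed_store(real: List[PersonnelRecord], n_decoys: int) -> Dict[str, PersonnelRecord]:
    """Return a store keyed by employee_id holding real and decoy records."""
    store = {r.employee_id: r for r in real}
    for i in range(n_decoys):
        d = make_decoy(i)
        store[d.employee_id] = d
    return store


def decoy_markers(store: Dict[str, PersonnelRecord]) -> Set[str]:
    """Every identifier (id and e-mail) that belongs to a decoy record."""
    markers: Set[str] = set()
    for r in store.values():
        if r.is_decoy:
            markers.add(r.employee_id)
            markers.add(r.email)
    return markers


# Constructed audit-log format: "<timestamp> <actor> <action> <target>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<actor>\S+) (?P<action>\S+) (?P<target>\S+)$")


def detect_decoy_access(log_lines: Iterable[str], markers: Set[str]) -> List[dict]:
    """Return the parsed log entries whose target is a decoy identifier."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, not treated as hits
        if m.group("target") in markers:
            hits.append(m.groupdict())
    return hits


def run_example() -> List[dict]:
    """Seed a small store and run detection over a constructed log."""
    real = [PersonnelRecord("E1000001", "Real Person", "real.person@example.org")]
    store = seed_store(real, n_decoys=3)
    decoy = next(r for r in store.values() if r.is_decoy)
    # Constructed log: a normal read, a bulk read that touches a decoy, and an
    # inbound message to a decoy address (the "someone contacted the fake
    # identity" case). The last line deliberately does not parse.
    log = [
        "2015-06-12T09:01:00Z analyst1 READ E1000001",
        f"2015-06-12T09:02:10Z svc_export READ {decoy.employee_id}",
        f"2015-06-13T14:20:00Z mailgw MAIL_TO {decoy.email}",
        "garbage line that does not parse",
    ]
    return detect_decoy_access(log, decoy_markers(store))


if __name__ == "__main__":
    for hit in run_example():
        print(f"DECOY HIT: {hit['actor']} {hit['action']} {hit['target']} at {hit['ts']}")
```

Two design points carry over to real systems: the decoy identifiers are derived from a key rather than made up by hand, so they can be regenerated and checked without a second copy of the list, and the detector matches on both the employee id and the e-mail address, because the first catches reads and exports inside the system while the second catches the outside contact that an entrapment scheme is really waiting for.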
Government can keep mum
So far, OPM has publicly disclosed a bare-bones statement. Meanwhile, J. David Cox, president of the American Federation of Government Employees, the labor union representing current and past federal employees, continues to clamor for more details about which of his union members face what levels of exposure.
In advocating for union members, Cox also is driving home the point that when it comes to losing personal data, the federal government appears to have much more leeway than private corporations in deciding what to disclose—and when.
This remains so even as public demand for more transparency about data breaches—in particular, data theft that involves their personal information—continues to mount.
In April, President Obama issued an executive order in support of a package of cybersecurity and privacy initiatives, including a call for a federal data loss disclosure law to replace the patchwork of rules enacted and enforced in 47 states.
States start to take action
Meanwhile, state attorneys general and privacy-minded state legislators aren’t standing pat, waiting for gridlock to ease in the nation’s capital. In recent months, several states have moved to close loopholes and generally toughen state data-loss disclosure regulations.
The most recent is the state of Connecticut where the Legislature on June 2 passed an amendment requiring businesses to provide at least one year of identity theft protection to Connecticut residents affected by a data breach, and also to report all data breaches to the state attorney general within 90 days of discovery. The bill, set to take effect Oct. 1, currently is sitting on Connecticut Gov. Dannel P. Malloy’s desk.
Additionally, discussions are heating up in several states to formulate proactive privacy protection rules for the digital age. If and when such laws materialize, we could see control of an individual’s digital footprint—personal contacts, preferences and even location data conveyed on the Internet—shift back to the individual.
Such privacy laws are well-established in Canada and Europe, but nonexistent in the United States. However, a working blueprint exists. It is outlined in the Privacy Bill of Rights issued by the White House back in February 2012.
As fallout from the OPM data breach unfolds, the need for a baseline level of regulations and privacy protections for the individual may hit closer to home for people in positions of power, namely federal officials and contractors who hold security clearances—who are now profoundly exposed.
Perhaps this is a tipping point.
This article originally appeared on ThirdCertainty.com and was written by Byron Acohido.