We Told You So: OPM Data Breach Reveals Not Only Lame Security But Weak Legal Protections—And It’s Time To Revisit Both

DEEPLINKS BLOG
July 16, 2015

Over 21 million Americans have just had a taste of the federal government's weak computer security. The recent U.S. Office of Personnel Management (OPM) data breach exposed an estimated 21.5 million records, including the highly invasive SF-85, SF-85P, and SF-86 questionnaires used for background checks, through which the government collected sensitive, personal information about mental and emotional health, illegal drug use, alcohol abuse, personal finances, police records, involvement in non-criminal court actions, divorces and association with organizations advocating violence. The records include not only information about actual and prospective government employees, but also contractors, consultants, and others.

In 2010, EFF recognized the risk of data breaches and warned the U.S. Supreme Court of the possible weaknesses in the legal regime protecting this information. The case was NASA v. Nelson, brought by several NASA contract employees opposing the agency’s institution of invasive background checks for “low-risk” positions in 2007. Our amicus brief warned of “NASA’s collection and inadequate protection of vast amounts of personal information,” and pointed out that the Privacy Act gave no recourse for those whose data is released due to governmental negligence.

Nevertheless, the U.S. Supreme Court upheld NASA’s intrusive screening requirement. It brushed off our concerns about the possibility of injury from a data breach by stating that the “mere possibility” that security measures will fail did not provide grounds to challenge the government collection of information for background checks.

Ironically, the unnecessary background checks in Nelson were justified by the need to meet the Personal Identity Verification (PIV) authentication standard—but lack of user authentication was arguably the worst security fail at OPM. “[N]one of the agency’s 47 major applications require PIV authentication,” the OPM's Office of the Inspector General reported.

Now that this gigantic data breach has occurred, including of course the exposure of much sensitive information about members of the judiciary, we wonder if the Supreme Court still feels the same way, and whether it would be so dismissive of our concerns. It’s clear that this leak wasn’t just a one-off: since 2010, government agencies have experienced more than 300 breaches, resulting in the exposure of around 45 million records. In 2012, NASA itself suffered a breach exposing sensitive personal data for thousands of employees. This year, OPM’s data breach is not only the largest breach in the federal government, but the largest nationwide. Breaches at government agencies have become so frequent that the question is not whether an employee’s data will be exposed but when.

Of course security concerns aren’t the only problem with the now-widespread use of invasive governmental background checks. As we call for better security over what the government must collect, we also think it’s time to revisit what information the government is gathering, about whom and how long it is being kept—issues we also addressed in the Nelson case.

Then, as now, we argued that employee screening procedures may violate employees’ privacy in two ways. First, government employees have a right to informational privacy. According to the Supreme Court’s decision in Whalen v. Roe, this constitutional right upholds an individual’s interest in avoiding disclosure of personal matters. Second, in NAACP v. Patterson, the Supreme Court upheld citizens’ rights to associational privacy—the right of an individual to have privacy in their groups, memberships, and political affiliations. The Supreme Court further held in Shelton v. Tucker that mandating teachers to list their affiliated organizations violated this right because it permitted the school to probe “every conceivable kind of associational tie.” Those arguments weren’t accepted by the Nelson Court, but they may have more resonance today.

Recently, two unions representing federal employees—the National Treasury Employees Union (NTEU) and the American Federation of Government Employees (AFGE)—have filed suit against OPM for failing to protect employee information. NTEU alleges that OPM’s collection violates a constitutional right of privacy and seeks to enjoin OPM from collecting further employee information until appropriate safeguards are implemented. The AFGE filed a class action lawsuit on behalf of all breach victims asserting OPM’s failure to comply with federal security requirements.

We hope that the courts in these cases will be receptive to plaintiffs’ concerns about the government’s abject failure to secure their data. Once exposed, personal data can be used to harm victims for decades and, as one victim observed, "to know that sensitive personal issues were treated so casually by my government is painful in its own right." Individuals should be able to assert their constitutional right of privacy against unnecessary, overbroad, and privacy-invasive data collection. If the data’s not collected and stored, it can’t be exposed or attacked. Equally important, courts must recognize that the words of the Privacy Act or other statutes are just that—words. It takes facts to assess whether agencies are safeguarding our privacy and security.

Post co-authored by EFF Legal Intern David Krone.