Is it Too Late to Safeguard Employee Data?

The short answer is no. Just because someone made off with data on millions of employees, retirees and others, it does not give anyone a free pass on protecting employee data.

Like most people who pay attention to the goings on in government, I have been watching, reading and listening to the news about the OPM data breach. I have done a bit more than “pay attention” because I spent many years as a Federal employee. Last week I received my notice that my data had been compromised. For anyone who wonders what such a notice says, here it is:

I am writing to inform you that the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed your personal information.

Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) to determine the impact to Federal personnel. OPM immediately implemented additional security measures and will continue to improve the security of the sensitive information we manage.

You are receiving this notification because we have determined that the data compromised in this incident may have included your personal information, such as your name, Social Security number, date and place of birth, and current or former address. To help ensure your privacy, upon your next login to OPM systems, you may be required to change your password.

OPM takes very seriously its responsibility to protect your information. While we are not aware of any misuse of your information, in order to mitigate the risk of potential fraud and identity theft, we are offering you credit monitoring service and identity theft insurance through CSID, a company that specializes in identity theft protection and fraud resolution. All potentially affected individuals will receive a complimentary subscription to CSID Protector Plus for 18 months. Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID until 12/7/16.

To access the trusted pages that will facilitate enrollment into this identity protection service, type or paste the following website into your browser:

You will need to use the PIN code at the top of this correspondence to enroll in these services. Individuals can also contact CSID with any questions about these free services by calling this toll free number, 844-777-2743 (International callers: call collect at 512-327-0705). 

Protector Plus coverage includes:

  • Credit Report and Monitoring: Includes a TransUnion® credit report and tri-bureau monitoring for credit inquiries, delinquencies, judgments and liens, bankruptcies, new loans and more
  • CyberAgent® Internet Surveillance: Monitors websites, chat rooms and bulletin boards 24/7 to identify trading or selling of your personal information
  • Identity Theft Insurance: Reimburses you for certain expenses in the event that your identity is compromised with a $1,000,000 insurance policy
  • Court and Public Records Monitoring: Know if your name, date of birth and Social Security number appear in court records for an offense that you did not commit
  • Non-Credit Loan Monitoring: Know if your personal information becomes linked to short-term, high-interest payday loans that do not require credit inquiries
  • Change of Address Monitoring: Monitor to see if someone has redirected your mail
  • Social Security Number Trace: Know if your Social Security number becomes associated with another individual’s name or address
  • Sex Offender Monitoring: Know if sex offenders reside in your zip code, and ensure that your identity isn’t being used fraudulently in the sex offender registry
  • Full-Service Identity Restoration: Work with a certified identity theft restoration specialist to restore your ID if you experience any fraud associated with your personal information
These services are offered as a convenience to you. However, nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose. Any alleged issues of liability concerning OPM or the United States for the matters covered by this letter or for any other purpose are determined solely in conformance with appropriate Federal law. Please note that these services are offered to the specific addressee of this letter and are not available to anyone other than the individual who received this notification.

We regret this incident. Please be assured that OPM remains deeply committed to protecting the privacy and security of information and has taken appropriate steps to respond to this intrusion. The incident was uncovered as a result of OPM’s aggressive effort to update its cybersecurity posture over the past year, including the addition of numerous tools and capabilities to its networks that both help detect and deter a cyber-attack.

Please note that neither OPM nor any company acting on OPM’s behalf will contact you to confirm any personal information. If you are contacted by anyone purporting to represent OPM and asking for your personal information, do not provide it.

To learn more and enroll, visit CSID’s website at

Sincerely,
Donna K. Seymour
Chief Information Officer
U.S. Office of Personnel Management

We still do not know everything we need to know about the breach. I am particularly concerned by news reports (not confirmed by OPM) that it may include both data and images from the Electronic OPF (EOPF). The many forms in the EOPF include some that are created as hard copy forms for a pen and ink signature, then scanned into EOPF. Among the most worrisome of those forms is the Federal Employees Group Life Insurance Designation of Beneficiary (SF-2823). That form not only has an employee or retiree’s personal information, it also includes the name, address and Social Security number of all of their beneficiaries. If EOPF is among the systems that were hacked, the problem becomes much messier. It is easy to identify the Personally Identifiable Information (PII) in most systems: it is simply a matter of looking at the data elements to see which contain PII. For data stored as images, it is a bit more difficult to identify all of the PII they contain, but it is possible. The good news is that it is also a bit harder for the people who stole the information to extract it.

Another bit of good news is that critical employee information is now being viewed differently. We must guard, though, against the bureaucratic tendency to pay attention to an issue only while the press, the White House and the Congress are asking questions. It is easy to slip back into complacency after the noise dies down. We cannot let that happen.

As bad as this breach is, it is far from the end of the story. Agencies continue to hire new employees whose data has not been stolen. The people who committed this breach will want to continue gathering information. There are still criminals who want employee PII for fraud and identity theft. The people who want to get this type of information will continue attempting to hack government systems every day, just as they have for many years. Because they are not going to stop, agencies have to start treating HR systems as mission critical and safeguarding them as though their mission success depends on it – because it does.