September 25, 2020

Volume X, Number 269

September 25, 2020

Subscribe to Latest Legal News and Analysis

September 24, 2020

Subscribe to Latest Legal News and Analysis

September 23, 2020

Subscribe to Latest Legal News and Analysis

OPM Data Breach (cont’d): What We Know Now and What Questions Remain

On July 10, 2015, U.S. Office of Personnel Management Director Katherine Archuleta resigned her post. Her departure was rather abrupt, coming just hours after her statements indicating that she would not resign. Her departure also came just hours after the true scope of the OPM data breach emerged. This is a good time for government contractors to review what we know about the OPM data breach and what questions remain.

What Was the Scope of the Data Breach?

Original estimates from OPM pegged the scope at 3 or 4 million. Upon further review, it appears that records of more than 21.5 million federal employees and contractors were stolen. It has been said that every background investigation form completed by OPM since 2000 was taken. By any measure, this OPM cyber intrusion was massive.

What Happened?

Archuleta testified that the data breach resulted from theft of a background check contractor’s credentials. Sounds familiar, right? So far, no one is saying that contractor did anything wrong.

It also appears that the OPM breach was actually multiple data breaches. According to Congressional testimony from Dr. Andy Ozment, DHS Assistant Secretary for Cybersecurity and Communications, a Department of Interior data center that housed OPM records was the subject of one cyberattack that ran from October 2014 until March 2015. That hack involved approximately 4.2 million federal personnel records. A separate data breach on OPM’s network involved several OPM applications related to background investigations and ran from June 2014 until January 2015. That data breach involved more than 21.5 million individuals’ records.

Who’s to Blame?

Certainly, OPM chief Archuleta bears some responsibility for the attacks. OPM had been warned repeatedly that its systems were outdated and vulnerable. But that’s an old story that is all too common throughout the federal government. In fact, according to a Government Accountability Office (GAO) report, 19 of 24 federal agencies have declared cybersecurity as a “significant deficiency or material weakness.” Ironically, without Director Archuleta’s efforts, OPM may not have discovered the breach (at least according to her July 4, 2015 message).

Although there has been no official announcement, unofficial sources have pointed to Chinese hackers as the likely culprits.

What’s Next?

Victims of the cyber-attack will receive credit monitoring and identity theft protection. There is even talk that those benefits will be extended to all federal workers.

OPM announced that its on-line background investigation system, E-QIP will be shut down while security upgrades are installed. The system is expected to be down for 4 to 6 weeks. OPM uses that system to process background checks on contractors. If that system is shut down, there will be delays in contractors’ security clearances. Those delays could impact contract performance.

OPM’s interim director, Beth Cobert is left to clean up this mess for now while the Obama administration searches for a permanent director. Given the current status—and with proper funding—we are confident that OPM’s systems will be improved.

Is the OPM data breach just the tip of the iceberg? Congress has already asked that question. Only time will tell.

GAO and others have called for improved security for government IT systems for some time. That clarion call has included a recommendation for implementing two-factor authentication. In fact, OPM’s Inspector General recommended two-factor authentication in his FY 2014 audit report. But would those measures have made a difference here? At a minimum, two-factor authentication would have made it harder for the hackers to obtain the credentials in the first instance. And maybe that would have been the end of the matter. The federal government and its contractors have numerous other security protocols at their disposal. Those should be implemented rapidly to protect the country’s sensitive data. Otherwise, more data breaches like the OPM data breach are inevitable.

Copyright Holland & Hart LLP 1995-2020.National Law Review, Volume V, Number 201


About this Author

michael maloney, holland hart, bid protest lawyer, government contracts attorney
Of Counsel

Michael D. Maloney is Of Counsel in the Washington, D.C. office representing clients in all phases of government contracts and disputes in a wide array of industries. A seasoned litigator with over 25 years in private practice, Mr. Maloney strategically advises clients how and where to pursue complex bid protest matters before the Government Accountability Office, the Court of Federal Claims and other federal courts, or directly to the administering federal agency. He also counsels clients on federal, state, and local procurement compliance, guiding clients through the...

Charles R. Lucy, Federal Regulatory Litigator, Holland Hart, law firm
Of Counsel

Mr. Lucy brings more than 30 years of experience in federal regulatory, business, and litigation experience, as well as technical experience in federal/state procurement and acquisition matters, bid protests, contract disputes act appeals, government contract audits and fiscal law issues, commercial space law, university/government technology transfer programs, homeland defense, and small business government contracting.

Mr. Lucy has lectured at numerous conferences and seminars in Europe, the Pacific, and the United States. Topics have included “Shutter Control,” at the U.S. Space Foundation International Space Symposium; “Commercial Space Law,” at the U.S. Air Force Academy; “Technology Transfer and Higher Education,” at Boulder, Denver and Salt Lake City; and “Government and Public-Private Partnering,” at the DefenseExec Technology and Homeland Security Summit; “Public Contracts and Procurement Regulations in Colorado” at Denver and Colorado Springs, and numerous presentations at the Southern Colorado Government Contract Forum, as well as private client presentations.