Tuesday, September 8, 2015

OPM’s Measures to Remedy Data Breach of More Than 20 Million Are Not Enough, says Labaton Sucharow

Law firm files second complaint outlining measures’ shortcomings

NEW YORK (September 8, 2015) — Labaton Sucharow LLP recently filed a second complaint on behalf of the class and additional class representatives with claims against the United States Office of Personnel Management (OPM) and Keypoint Government Solutions. As previously alleged, annual audits routinely noted deficiencies that OPM consistently failed to address, leading directly to the unprecedented theft of highly sensitive information.

Last week, OPM announced it would provide credit monitoring and related services from the data protection company ID Experts to victims of the data breach announced July 9, 2015, affecting more than 19 million federal employees and contractors who submitted background checks. These services are separate from those offered to victims of the personnel record breach that OPM announced on June 4, 2015. Those services are being provided by the company CSIdentity (CSID). Despite the longer duration of the ID Experts coverage (three years, compared to 18 months for the CSID services), neither of the packages provided by OPM provides the comprehensive coverage necessary to protect the victims of these unprecedented data breaches.

For example, the package OPM arranged through ID Experts does not include regular, ongoing, free access to credit reports from any of the three credit bureaus, which victims need as part of any identity theft and credit monitoring effort that provides real protection. Additionally, coverage is not provided for family members over the age of 18, leaving tens of millions of individuals still at risk.

Moreover, credit monitoring covers only a small part of the risk that these victims have been subjected to as a result of the breach. Other substantial risks to victims of the breach are not addressed. For example, stolen information can lead to tax identity theft, medical identity theft, theft of professional credentials, and other difficult-to-detect forms of identity crime such as synthetic identity theft. None of these common forms of identity theft are addressed by OPM in the packages purchased from ID Experts or CSID. Breach victims may also be targeted with malware, phishing attacks, and other cyber attacks that can be defended against with security software—none of which is provided for by OPM.

OPM’s remedies also fail to address the significant risk of reputational harm victims are exposed to in online media. Modern remediation of severe breaches includes monitoring for reputational mentions across tens of thousands of social media and other websites to ensure victims are not being impersonated in social media or elsewhere online. This is an important safety precaution for those individuals who have had their information breached, particularly those with high-security clearances or who work in sensitive positions.

According to Labaton Sucharow partner Joel H. Bernstein, “The services currently offered by OPM for the breach victims fall short on several levels. Stolen data is often allowed to age for five or more years before being used by criminals and extended, and in some cases, a lifetime of protection is necessary but is not being provided.”