Fedweek

OPM has started notifying—most commonly at work email accounts, in some cases by mail—employees and former employees whose personal information was compromised by a cyberattack on one of its databases that occurred in December and was discovered in April. The breach involves some four million individuals, and the compromised data includes names, Social Security numbers, date and place of birth, current and former addresses, and potentially more. The notices, to be sent by June 19, will state which of an individual's information may have been compromised. The investigation is ongoing, however, and the number of affected persons may rise and the type of information disclosed may prove to be broader.

Security clearance information and payroll information do not appear to be at stake, since they are kept on systems other than the database that was hacked. Nor does the database include records on retirees, but since the covered employment records go back some 30 years, many people who have since retired would be affected.

The attack—widely reported to have originated in China—followed a smaller one against OPM a year ago. A similar attack last year against the USPS compromised the personal information of virtually all employees there, and an earlier one against the TSP involved more than 100,000 account holders. As in those cases, questions are being raised on Capitol Hill and by employee organizations regarding how long it took to discover the attack and the delay between the discovery and its disclosure. Congressional hearings may be in the offing, and unions could seek to bargain over the response to the attack—for example, seeking a longer period of credit report monitoring—citing a recent NLRB ruling that USPS should have bargained following the attack there.