Cybersecurity reform in the wake of the OPM breach.

AuthorVail, Hannah
PositionOffice of Personnel Management

"We already know many of the steps necessary to reduce the likelihood of a cyber 9/11, yet many of these actions have not yet been taken in either the government or in the private sector." (1)


    In 2015, the Office of Personnel Management's (OPM) computer systems suffered a series of devastating cyber attacks that uncovered roughly 21.5 million federal employees' personal information. (2) The breaches--attributed to Chinese hackers--resulted in the exposure of federal employees' extremely sensitive information, including Social Security numbers. (3) Over the past decade, similar cyber attacks on consumers' personal information have occurred within the private sector with alarming frequency. (4) The OPM breaches highlight a disturbing trend concerning the federal government's ill-preparedness in dealing with cybersecurity incidents in the public sector. (5)

    An OPM computer systems audit occurring prior to the OPM breach unveiled alarming security failings. (6) The audit exposed OPM's decentralized information security, and that many employees tasked with managing the information security system were not information technology professionals. (7) Many systems were operating without valid authorization, including two support systems that placed over sixty-five percent of OPM's systems at risk. (8) OPM's knowledge of these cybersecurity deficiencies over a period of several years demonstrates that the federal government should make changes to its information security initiatives. (9)

    Cybersecurity is a dynamic and highly technical field, and the government has historically been reluctant to wade into the fray. (10) Presently, a hodgepodge of laws, regulations, and an executive order govern how the federal government protects its information. (11) These varied and confusing standards also provide little recourse for the victims of cyber breaches seeking damages through civil suits. (12) While Congress has proposed legislation to address the issue of cybersecurity, inexplicably, this legislation often focuses heavily on responding to cyber attacks rather than preventing them. (13)

    This Note will confront the question of whether the Cybersecurity Act of 2015 (14) Cybersecurity Act)--stemming from the proposed Cybersecurity Information Sharing Act (15) (CISA) and Federal Cybersecurity Enhancement Act of 2015 (16) FCEA collectively referred to as S.754)--can adequately address the security and civil liability inadequacies that exist under the current legislative framework. (17) Part II.A will explore the existing patchwork of statutes, executive orders, and administrative entities that currently control state protection of personal information and state responses to cyber attacks. (18) Part II.B will examine civil liability issues in both the private and public sectors under the current legislative framework. (19) Part II.C will detail the provisions of S.754 and the Cybersecurity Act. (20) Following an analysis of the Cybersecurity Act's strengths and weaknesses, Part III of this Note will provide proposed changes particularly in the areas of cyber attack protection and liability concerns. (21) Ultimately this Note argues that the Cybersecurity Act is inadequate to address the issues of protection and redress that currently exist. (22)


    1. Existing Cybersecurity Legislation and Regulation

      The Federal Information Security Management Act of 2002 (23) (FISMA) gives the Director of the Office of Management and Budget (OMB) the power to issue security standards for federal systems. (24) These standards are based on mandatory minimum requirements designed by the National Institute of Standards and Technology (NIST). (25) The standards issued are mandatory for all federal systems, although the head of a federal agency may elect to implement more rigorous standards than those the NIST recommends. (26) Commentators critique FISMA as an ineffective tool to ensure information security within the federal government. (27)

      In 2014, Congress amended FISMA to provide a more comprehensive legislative framework for federal information security. (28) The amended FISMA leaves the power to oversee the federal information security scheme with the Director of OMB, but indicates that the Director must work in conjunction with the Secretary of Homeland Security. (29) The amended FISMA also details the responsibilities assigned to the heads of federal agencies to prevent information security breaches. (30) Additionally, it establishes extensive reporting requirements for federal agencies in the information security realm. (31) To further enhance cybersecurity measures, the amended FISMA established a federal information security incident center to coordinate and assist information security efforts. (32)

      On February 12, 2013, President Obama signed an executive order titled "Improving Critical Infrastructure Cybersecurity" (EO). (33) To achieve its stated purpose, the EO allows the federal government to convey information about cyber threats to targeted private organizations in order to protect critical infrastructure. (34) The EO also creates the Cybersecurity Framework--a set of voluntary security standards to provide cybersecurity guidance. (35)

      The National Cybersecurity Protection Act of 2014 (The Act) (36) created the National Cybersecurity and Communications Integration Center (NCCIC). (37) The NCCIC's objective is to coordinate information shared about cybersecurity risks between federal and private entities, and to act as an informational resource. (38) The Act mandates federal agencies to coordinate and implement critical infrastructure attack response plans. (39)

    2. Civil Liability Under the Current Framework

      1. Standing

        Under the current legislative and regulatory framework for information security, civil suits against the federal government for breaches or violations of privacy often raise standing issues. (40) In Clapper v. Amnesty International USA, (41) the plaintiffs hoped to establish injury in fact, and therefore standing, on the theory that the necessary measures to protect their confidential communications from government surveillance placed a procedural and financial burden upon them. (42) The Court held that this harm was self-inflicted and not the result of impending external harm, and therefore decided that the plaintiffs had no standing. (43)

        Clapper set the stage for standing issues surrounding information security breaches. (44) Like in Clapper, security breaches often result in exposure to possible future harms that have not come to fruition at the time of litigation: In the OPM case, the potential future harm at stake is identity theft stemming from stolen personal information. (45) Cyber-breach victims are first faced with the difficult task of demonstrating a harm that has not yet occurred, and then later proving any harm they do incur resulted from that specific breach. (46)

        Courts have varying interpretations of what constitutes injury in fact in data breach cases. (47) A recent Supreme Court case clarified that even statutory causes of action require demonstrations of actual harm. (48) Some courts find that when actual identity theft or fraudulent charges result from a data breach, injury in fact is satisfied. (49) Courts disagree, however, on whether increased risk of identity theft alone can satisfy the injury in fact requirement. (50)

        In response to the OPM data hack, a class action suit was filed in the D.C. Circuit Court of Appeals alleging violations of the Privacy Act of 1974. (51) The Privacy Act requires that the federal government protect records to ensure confidentiality of information, "which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained." (52) Notably, the Privacy Act goes beyond a simple showing of standing and requires demonstration of actual monetary damages in order to recover. (53) Several commentators anticipate difficulty in demonstrating monetary damages to establish injury in fact in the OPM case. (54) Whether injury in fact exists depends largely on whether a court takes a narrow or broad view of injury in fact, and if the broader view prevails, the scope of liability in the suit is potentially massive considering the millions of people impacted by the breach. (55)

      2. Confusing Standards

        Civil liability for cyber attacks is often complicated by the numerous government agencies that may claim purview over the matter, as well as uncertainty surrounding which standards must be adhered to in order to prevent liability. (56) This ambiguity played out in FTC v. Wyndham Worldwide Corp., (57) in which the FTC brought an enforcement action against Wyndham for failure to prevent cyber breaches of consumer information due to practices that the FTC argued constituted unfair and deceptive business practices. (58) On interlocutory appeal, the Third Circuit ruled for the first time that the FTC possessed the authority to enforce private companies' data security through the Federal Trade Commission Act's (59) unfair practices clause. (60) Furthermore, the Third Circuit held that Wyndham was entitled only to a "relatively low level of statutory notice" and therefore, had sufficient notice that it risked incurring liability through its abysmal cybersecurity measures. (61) Wyndham illustrates that inadequate cybersecurity risks incur private sector liability, and warns that federal regulatory agencies are willing to pursue these claims even through unwieldy avenues such as the unfair practices clause. (62)

    3. S.754 and the Cybersecurity Act

      On October 27, 2015, the Senate passed S.754, a bill that aims to utilize information sharing to enhance cybersecurity throughout the country. (63) Title I of S.754, CISA, directs federal agencies to develop procedures to share information about cyber threats with affected private organizations. (64) The law also allows private sector entities to...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT