In 2015, the Office of Personnel Management (OPM) was the victim of one of the largest cyber intrusions in U.S. federal government history. Hackers accessed the personal information of more than 22 million people, including federal employees and their families. The clear and present danger of a foreign adversary being able to access information that could be used to compromise or target individual government workers shined a harsh light on the need for greater protection of personal data.
Not long after the OPM breach, the Council of the European Union introduced the General Data Protection Regulation (GDPR), which regulates the way companies control and manage their customers’ personal data. Not limited to companies based in Europe, the GDPR applies to any company worldwide that does business with organizations or individuals in Europe, including U.S. organizations. Companies that do not comply could be subject to hefty fines.
While the GDPR is not directly influenced by the OPM breach, one can easily correlate the E.U. legislation with the importance of protecting U.S. government workers’ personal data. The GDPR’s definition of personal data includes names, addresses, and social security numbers, as well as individuals’ ethnicities, political opinions, health status, and other characteristics. A hacker could possibly use this information to coerce or influence individuals, or for other nefarious purposes.
With the introduction of the GDPR, it is worth exploring whether or not the U.S. federal government should consider taking similar action, primarily for the purposes of protecting their workers’ information. Right now, individual agencies have their own guidelines for protecting personal data. For example, the General Services Administration, which handles procurement for the entire federal government, has “rules of behavior” related to the handling of personal data. There is also the Health Insurance Portability and Accountability Act (HIPAA), which safeguards medical information, and the Federal Information Security Management Act (FISMA), which was designed to protect government information and assets. These are steps in the right direction, but they do not specifically address the challenge of protecting federal workers’ personal data.
Even if legislation is not related directly to the handling of government workers’ personal data, federal network administrators can—and should—take matters into their own hands. Fortunately, they can turn to the GDPR for guidance. Article 32 calls for organisations to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
“Organisational measures” refers to potential hierarchical or cultural changes within agencies. Measures may include carving out roles for individuals who focus exclusively on the protection of personal data. The equivalent of this would be a data protection officer (DPO), a role that has been mandated by the GDPR. DPOs will specifically handle all activities around data protection, including staff training, audits and compliance, and more. They will take these responsibilities from the shoulders of general IT and security managers, who have broad responsibilities that go beyond securing personal data.
“Technical measures” account for the tools and solutions that organisations deploy to help ensure that their employees’ data remains secure. Fortunately, many agency network administrators are already enacting the fundamentals in this area. For instance, they may be using patch management systems to routinely and automatically check to make sure that their software is up to date.
But, there is always more that can be done to protect personal data of federal employees. Administrators should perform proactive scans of their networks to detect and assess all personal data to make sure it is being stored securely. They should monitor for potential vulnerabilities and signs of breaches, including suspicious file activity or unauthorized devices hitting their networks.
Whatever the U.S. government as a whole ends up doing, it is clear that something must be done to better protect government employees’ personal data sooner rather than later. Hackers are becoming ever more determined and creative, and threats continue to become more sophisticated.
Until formal federal legislation, such as the kind being mandated in Europe, is crafted and passed, agency network administrators may need to take it upon themselves to be the gatekeepers of their fellow employees’ information. At the very least, they must be prepared to follow some baseline security practices. Their efforts can go a long way toward preventing another OPM-style hack and create a solid line of defense to protect federal workers’ personal data.