
Federal Response to the OPM Data Breach

The following is a guest post from a very hard-working, dedicated, and friendly man in uniform whom I am honored to know and work with: Joe Schweickert. As a veteran myself, having served from 1985-1993, I find it a deeply disturbing HR issue that the military personnel records have been exposed.

By now, most of us have heard about the OPM (Office of Personnel Management) data breach, in which hackers (allegedly sponsored by China) gained access to personnel records of current and former federal employees. A recent interview with Jason Miller, Executive Editor at Federal News Radio, discussed the two different breaches, and the federal response to improve security for information systems. 

First, it is important to understand that there have been two separate breaches at OPM. The first, and more widely reported, involves personnel records on up to 14 million current and former federal employees, dating back to the 1980s. The second involved background investigations on employees, military members, and contractors who possess security clearances. These investigations (using the SF86 questionnaire, which can exceed 100 pages) include sensitive information such as criminal records, bankruptcies, and substance abuse history, as well as information on relatives. For a foreign intelligence operation, this presents an enormous opportunity to identify potential targets for blackmail.

The federal response, as outlined by Federal CIO Tony Scott of the Office of Management and Budget (OMB), involves four steps:

  1. Fix all Critical vulnerabilities within 30 days – part of the federal ‘Cybersecurity Sprint’.
  2. Tighten policies on ‘privileged users’ – requiring administrators to use 2-factor authentication for access to systems, making it harder to steal passwords.
  3. Accelerate use of ‘smart cards’ for system access for all users – Government-wide use is only about 42%, but agencies (such as Defense) that have adopted smart cards have seen a significant decrease in hacks. (See example smart card – access to the computer requires both inserting the physical card and entering a PIN.)
  4. Deploy ‘indicators’ to scan systems/logs and detect breaches.

[Image: Federal ID smart card]
Additionally, OPM has initiated a massive notification campaign to explain the breach to all affected employees, and has contracted for credit monitoring services for 18 months. Part of the interview focused on concerns about the bidding process for that contract, but that is of more interest to acquisition experts than HR professionals.

While this breach is unprecedented in scope, it highlights a vulnerability common to all HR functions, whether you manage payroll for a local diner or have millions of employees. From the first day the employee turns in an application or fills out their W-4, they are entrusting us with their personal information. This information is critical to ensuring we provide them the pay and benefits they earn, but it is also a potential target for identity theft, harassment, or exploitation. 

As HR professionals, we must ensure personal data is protected. For the federal government, this is mandated by the Privacy Act of 1974, but private sector employers are also bound by laws such as the Health Insurance Portability and Accountability Act (HIPAA). Protection includes strong technical safeguards, such as smart cards, complex passwords, and robust firewalls. But it also includes physical security measures – keeping paperwork locked when not in use, and ensuring portable devices are secured.

We have had incidents in our organization of individuals emailing personal information, covered by the Privacy Act, to a home email to ‘work from home’, which exposes it to hacking. We have also had information exposed when an employee left their laptop in their car and it was stolen. In both cases, we had to take steps to mitigate the damage, by identifying whose information was vulnerable and notifying the employees. This affects employee morale and trust in the organization. 

Remember, taking care of people includes taking care of their information – information security is our responsibility.
