The 2014 breach of the Office of Personnel Management’s (OPM) databases affected over 20 million people who had background investigations conducted for government positions. Though the breach was initially discovered in 2015, details and impacts of the incident are still being uncovered today. As with other breaches, it has proven to be extremely difficult for those impacted to hold the government accountable for the compromise. In fact, about a year ago, the civil claims of some of the breach’s victims were dismissed.
It is unclear whether the United States Government even owes its employees a duty to protect their personally identifiable information. Recently, in a class action lawsuit by employees against their employer for failing to protect computers containing personally identifiable information, the Pennsylvania Superior Court in Dittman v. Univ. of Pittsburgh Med. Ctr., 154 A.3d 318 (Pa. Super. Ct. 2017) held that a medical center owed no duty to its employees to safeguard their personal information from theft by third parties, though those affected have filed an appeal. However, other courts have found that employers owe their employees a common law duty of reasonable care in protecting their personally identifiable information. Sackin v. TransPerfect Global, Inc. (S.D.N.Y. 10/4/17); Hapka v. CareCentrix, Inc. (D. Kan. 12/19/16).
The standard for what is considered reasonable in protecting employee information should be more stringent for covert employees than other government and civilian employees. The compromise of a covert employee’s information is very distinct from that of a person working for a private company. In most cases, the compromise of information opens the employee up to the possibility of financial harm. However, when a foreign actor is able to obtain the information of a covert employee, the stakes become much higher. Data breaches such as the OPM breach allow hackers to target covert employees to exploit their financial situations, romantic lives, and other embarrassing missteps which could in turn open them up to blackmail. This jeopardizes not only the safety of the government’s employees, but the safety of the nation’s intelligence.
Regardless of the duty owed, many courts have turned down class action cases in response to consumer and employment data breaches, citing a lack of Article III standing because of an absence of actual or imminent harm. The U.S. District Court for D.C.’s decision in matters concerning the OPM breach was no different. The court dismissed two lawsuits filed by government employees and unions over the data breaches in September 2017, citing a lack of standing. While it is critical for those who have suffered monetary damages to receive some form of relief, it is even more crucial for those who work in covert positions for the United States Government to have civil and other remedies available to them.
Without a legal financial obligation owed by the government as an employer to its employees, the government has little incentive to take action, and it becomes unacceptably difficult to protect covert employees and therefore national security. The ability to hold the government liable is critical to making changes to prevent these occurrences in the future. Civil lawsuits will not resolve the issues. Policies to cope with these threats are imperative for protecting the intelligence community in the future.
To prevent these harms in the future, the government should take extra precautions to safeguard the information of covert operatives. One option could be to store covert employees’ information in a segregated system that is monitored with greater rigor and frequency. However, even this poses a large risk. Isolating this information could allow for easier identification of the clandestine community, allowing for a compromise of all operatives in one fell swoop.
With the increasing reliance on technology, there is no way to completely eliminate the risks associated with data storage. The cat and mouse game that has always existed in the intelligence community will not end. For this reason, remedies need to be available to covert employees following a data breach of this significance. One possible remedy would be to relocate covert employees immediately after a breach or reassign them to other non-covert positions for which they are qualified. Though this tactic would be very expensive, it may be one of the most critical steps that the government can take to protect its intelligence.