The nature and scope of the data stolen in the U.S. Office of Personnel Management breaches present a lifelong risk to victims, who might get as little as $700 if the court accepts the settlement.

If one were to look into the federal courts’ Public Access to Court Electronic Records (PACER), one would see that more than 130 separate lawsuits have been filed against the U.S. Government’s Office of Personnel Management (OPM), all of which are associated with the 2014 and 2015 data breaches that affected millions.

On June 3, 2022, in the U.S. District Court of the District of Columbia, Judge Amy Berman Jackson will hold a video hearing on the proposed settlement of $63 million between the U.S. Government’s OPM, its security contractor Peraton (then KeyPoint), and the victims of the OPM data breaches.

Interestingly, the proposed settlement sets payments for valid claims at a minimum of $700 and a maximum of $10,000. While more than 22 million individuals had their information stolen in the 2015 breach, which has been attributed to China’s intelligence apparatus, only those individuals “who experienced economic loss” are eligible to receive any of the settlement dollars.
The rationale is that these individuals fall within the umbrella of the “Privacy Act.”

OPM data breach settlement likely low for many

While the period covered (May 7, 2014, through January 31, 2022) is broad, to be part of the class a claimant must have incurred an out-of-pocket expense under at least one of three conditions:

- To purchase a credit monitoring product, credit or identity theft protection product, or other product or service designed to identify or remediate the data breaches
- To access, freeze or unfreeze a credit report with a credit reporting agency
- As a result of an identity theft incident or to mitigate an identity theft incident

If the number of claimants is large, the distribution will be “reduced in equal proportion before claimants are paid if the total value of all valid claims plus any incentive award payments awarded by the Court to named plaintiffs exceeds the $63,000,000 settlement fund.” One can easily do the math and understand that the settlement payment made to affected individuals may be remarkably low.

It should also be noted that OPM, in its notification process to affected individuals, provided them a pathway to obtaining “identity theft restoration and credit monitoring services” and “identity theft insurance” to reimburse expenses should the identity of the individual or their family member be stolen. All this is at no cost to the individuals. Early use of these OPM-provided services may reduce the number of eligible class claimants.

Effects of OPM data breach long lasting

That is, unless we factor in the magnitude of the OPM breaches associated with background checks for national security clearances. In 2016, then-FBI Director Comey put it succinctly. “My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses,” he said. “So, it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids.
All of that is in there.”

The OPM SF-86 (Standard Form-86) is the Questionnaire for National Security Positions. Candidates fill out 136 pages of personal, sometimes deeply personal, information as the first step in their application for a U.S. national security clearance. If granted the trust of the nation, the individual is subjected to a reinvestigation every five years and asked to re-submit the form. Those who have never had a national security clearance often flinch when they see the depth of intrusion the SF-86 entails, and then truly raise their eyebrows when they learn that falsifying information on the SF-86 is a felony. Many have found themselves caught up in the gears of justice for doing just that.

These background checks included all the key pieces of an individual’s identity, including:

- Social Security numbers
- Residency and educational history
- Employment history
- Information about immediate family and personal and business acquaintances
- Health, criminal and financial history
- Findings from interviews conducted by background investigators
- Fingerprints
- Usernames and passwords used to fill out your forms

This means that while the time covered in the proposed settlement, up through January 31, 2022, covers almost eight years of exposure, those who had the entire ball of wax compromised will be addressing the threat of their identity being misused or exploited for the remainder of their days. This isn’t just a question of an adversary nation merely knowing the deep, dark secrets of individuals. Every individual whose background investigation file was compromised, including former FBI Director Comey, must maintain an ever-vigilant counterintelligence watch on how an adversary of the United States may use the compromised information in a manner deleterious to the individual or country.
In a worst-case scenario, some individuals’ files contain information or vulnerabilities that are fully exploitable, thus assuring them a perennial presence on China’s targeting matrix.

The 2016 Congressional staff report “The OPM Data Breach: How the Government Jeopardized our National Security for More than a Generation” eviscerated the OPM for its lax information security posture. Since that time, great strides have been made in securing government information, yet as the Cybersecurity and Infrastructure Security Agency (CISA) director regularly reminds us all, there is much to be done and all entities must have their “Shields Up”.