WASHINGTON –  Today U.S. Sens. Mark R. Warner (D-VA), Barbara Mikulski (D-MD), Tim Kaine (D-VA) and Ben Cardin (D-MD) called on the Office of Personnel Management (OPM) to do more to protect federal employees  whose personal information was compromised as a result of the massive data breach affecting OPM’s personnel records.

“Sensitive information belonging to members of our nation’s federal workforce deserves the highest level of protection. Unfortunately, there has been a lack of clarity around the extent of the December 2014 breach and what information was accessed or acquired by the perpetrators of this cyber attack,” the members wrote in a letter to OPM Director Katherine Archuleta. “We find it unacceptable that over two months lapsed between the discovery of the breach and OPM’s public disclosure of the breach.  What is even more troubling is the fact that this is the second major breach that OPM has suffered in a year. Our federal employees deserve more timely and helpful information about this breach and the potential for significant disruptive impacts on their lives.”

Last Thursday, federal officials revealed that a security database breach in December 2014 had compromised the personal information – including Social Security numbers, birthdates, and addresses – of millions of current and former federal employees. In the wake of that announcement, OPM has announced that it will offer 18 months of credit monitoring service and identity theft protection to victims of the data breach.

In today’s letter, the Senators from Virginia and Maryland asked that OPM provide “a significantly longer period of credit monitoring than the current proposed 18 months” for those affected by the hack, noting that, “Should the data be used for damaging purposes after the credit monitoring term has ended, federal workers must be assured that the appropriate safeguards will be in place to alert and protect them from financial harm.”

The members also asked OPM to explain why the Social Security numbers of federal employees were not encrypted, a common practice that provides an additional layer of protection for workers’ personal information.

The full text of today’s letter to OPM is below.

Dear Director Archuleta:

We write today regarding the Office of Personnel Management’s (OPM) June 4, 2015 announcement that a data breach of its information technology systems and data had compromised the Personally Identifiable Information (PII) of at least four million federal workers, with reports today that the number affected could be much larger.

Sensitive information belonging to members of our nation’s federal workforce deserves the highest level of protection.  Unfortunately, there has been a lack of clarity around the extent of the December 2014 breach and what information was accessed or acquired by the perpetrators of this cyber attack.  We find it unacceptable that over two months lapsed between the discovery of the breach and OPM’s public disclosure of the breach.   What is even more troubling is the fact that this is the second major breach that OPM has suffered in a year.  Our federal employees deserve more timely and helpful information about this breach and the potential for significant disruptive impacts on their lives.

We ask that you take the following steps as soon as possible: 

• Work with the appropriate federal employee organizations to provide for a significantly longer period of credit monitoring than the current proposed 18 months.  Should the data be used for damaging purposes after the credit monitoring term has ended, federal workers must be assured that the appropriate safeguards will be in place to alert and protect them from financial harm.  In addition, the offer of $1 million in liability insurance to victims of the breach must be increased substantially. 

• Provide an explanation as to why the Social Security numbers of these federal workers were not encrypted, which we understand is a relatively easy step to take.  The failure to encrypt Social Security numbers is an embarrassing indication of how far behind the curve OPM has been in protecting this data.

The federal government has an obligation to provide timely and accessible background about the security of sensitive personal information to its employees.  In addition, the federal government has a duty to make every effort possible to continuously improve upon the methods and technology used to keep sensitive personal information from getting into the wrong hands.  We look forward to a timely response to the concerns we raise.  In addition, we request regular updates on your investigative findings and notification of affected federal workers.  For our part, we will continue to work here in Congress to provide more resources so that we can employ the latest and most up-to-date technology to secure these databases.

Sincerely,

Mark R. Warner

U.S. Senator

Barbara Mikulski

U.S. Senator

Tim Kaine

U.S. Senator

Benjamin Cardin

U.S. Senator