As data breaches become more and more prominent, hackers are setting their sights on even bigger targets. Earlier this summer, the U.S. Office of Personnel Management (OPM) — the federal agency that manages personal information records for past and present government employees — disclosed that it had been breached, with the personnel records of some 22 million Americans being compromised. As a result, millions of government workers, their friends and families, any references they had listed and even employees who haven’t worked for the government in years may now all be susceptible to identity theft.
The OPM incident puts a face on a growing trend in both the public and private sectors: more hackers compromising government or corporate databases, stealing and selling employees’ or consumers’ personal data for their own financial gain, while their millions of victims see their credit histories hijacked for fraudulent purposes. Naturally, the White House is hardly taking this latest episode in stride and, partly in response to the OPM debacle, plans to soon unveil new rules regarding data breaches for both federal agencies and contractors.
As Nextgov notes, the current “federal standards, White House policies and government-wide information security laws have offered departments and contractors a jumble of information security regulations from which to choose.” The new proposal, “Improving Cybersecurity Protections in Federal Acquisitions,” would still allow government departments a lot of leeway in maintaining their employees’ information security, but at the same time set a baseline, universally accepted standard for ensuring that government data is protected whether it’s stored in a database utilized by a federal department or by one of its contractors.
Under these new rules, contractors are required to notify the federal government every time there’s a data breach in one of their systems that involves government data. Failure to do so will be met with penalties, though the nature of those penalties is still undisclosed. Additionally, the timetable to report these data breaches to the government will be up to the discretion of the appropriate department.
“The proposed guidance will strengthen government agencies’ clauses regarding the type of security controls that apply, notification requirements for when an incident occurs and the requirements around assessments and monitoring of systems,” the drafted proposal states.
Contractors and the public may submit comments or suggested changes to the proposal through the community forum GitHub until September 10. The White House will release a finalized version of these new guidelines later this fall.
While it’s encouraging to see the government respond to the growing threat of data breaches and take action against future potential risks, for millions of Americans it’s already a case of too little, too late. No amount of new guidelines will help the 22 million whose records were compromised in the OPM hack, after all.
For those victims and millions of others, consider signing up for a credit monitoring service. While it can’t guarantee complete identity theft protection — unfortunately nothing can promise that — it can keep you aware of what financial activity is happening under your name. A credit monitoring service will alert you in the event that signs of potentially fraudulent activity appear on your credit files, granting you the time to take further proactive measures against identity thieves.