Lawsuit alleges OPM email blast systems are illegal and insecure
A lawsuit was recently filed in federal court, alleging that the Office of Personnel Management (OPM) engaged in unlawful activities while conducting a mass email blast to federal employees and storing the responses it received without performing a required privacy impact assessment. The legal action was initiated by two federal employees, accusing OPM of hastily setting up a server without proper security measures or privacy assessments.
The complaint stated that despite OPM sending a mass email to federal government employees for testing purposes, not every employee received it. The employees involved in the lawsuit argued that OPM failed to conduct any privacy impact assessment for the new server or any system containing the Personally Identifiable Information (PII) of U.S. Executive Branch employees. This lack of assessment, along with delayed agency actions on the matter, was seen as a cause for concern.
One of the key issues raised in the lawsuit was the potential security risks associated with the server’s operation, given the lack of encryption protocols for email communications. The plaintiffs expressed unease about a repeat of the 2015 OPM data breach that compromised the sensitive data of millions of federal employees due to inadequate security controls. They warned of the vulnerabilities that could attract malicious actors, putting employees’ PII at risk.
The whistleblowers relied on information from an OPM employee with a long tenure in the agency and another federal employee with almost two decades of experience. This source revealed that Melvin Brown II, who was recently replaced as OPM CIO under the new administration, had resisted setting up email lists for direct communications with career civil servants. The whistleblowers cited internal communications that instructed OPM employees to forward email addresses reacting to message blasts to someone named Amanda Scales, allegedly affiliated with Elon Musk.
The lawsuit also referenced recent executive actions involving the U.S. Digital Service and the renaming of the White House digital team under the Trump administration. President Trump’s executive orders instructed federal agencies to ensure full access for the U.S. Digital Service to all agency records, software systems, and IT systems. OPM introduced an email account to gather reports on diversity, equity, and inclusion policies, aligning with the administration’s initiatives to enhance government efficiency.
Overall, the lawsuit challenges OPM’s handling of sensitive employee data and urges the agency to halt the use of the system until proper assessments are conducted. The ongoing legal action highlights concerns regarding information security practices, privacy compliance, and agency transparency in managing federal employee data.