Lawsuit by federal employee claims security and privacy risks in new OPM communications system
Two federal employees have taken the Trump administration’s Office of Personnel Management (OPM) to court over the creation and testing of a new email system aimed at sending mass communications directly to federal employees’ inboxes. The plaintiffs, who filed the lawsuit anonymously, claim that OPM violated the 2002 E-Government Act by not disclosing how the communication system would handle the personal information of federal employees stored within it.
Represented by Kel McClanahan, the executive director of the National Security Counselors law firm, the plaintiffs argue that the new email system poses security risks to federal employees’ personal data. McClanahan expressed concerns over the information of every government employee in the federal executive branch being concentrated in one place, potentially making it a target for hackers or those seeking unauthorized access.
According to the 2002 E-Government Act, agencies must conduct a “privacy impact assessment” for any new online federal system to evaluate how personally identifiable information is collected, stored, protected, shared, and managed within that system. The assessment is typically made public unless national security issues or classified information are involved. McClanahan emphasized the importance of transparency in informing individuals about where their government-held data is stored and how it is safeguarded.
OPM’s announcement of the new mass communications system sparked concerns among federal employees who received test emails from the agency asking them to confirm receipt. Details of the system’s purpose remain murky, with speculation that it could be used to relay updates on potential reductions in force (RIFs). However, OPM has refrained from commenting on both the lawsuit and the system’s intended functionalities.
Regardless of the system’s objectives, the focal point of the plaintiffs’ complaint lies in ensuring the secure handling of federal employees’ personal information. McClanahan pointed out the lack of clarity surrounding the system’s nature and security measures, calling for robust data protection protocols and transparency from OPM, which have yet to be established.
Among other claims, the lawsuit raises concerns about the urgency with which OPM initiated the email tests, highlighting the vulnerabilities of standard unencrypted email, which is susceptible to hacking attempts. By drawing parallels to the 2015 OPM data breach affecting millions of federal employees, the plaintiffs underscore the need for cautious and secure deployment of communication systems to prevent unauthorized access or data compromise.
Additionally, the lawsuit references a Reddit post attributed to a purported long-time career federal employee at OPM. The post mentions the removal of a former OPM CIO for resisting the establishment of email lists for mass communications, suggesting organizational tensions and potential risks associated with insecure information dissemination practices.
In conclusion, the lawsuit underscores the critical importance of data security and privacy protection in government communication systems, urging agencies to prioritize transparency, safeguards, and risk mitigation strategies to protect federal employees’ personal information from security and privacy risks.