Cybersecurity: The Department of the Interior

7/15/2015

House Committee on Oversight and Government Reform Subcommittee on Information Technology and Subcommittee on Interior


Chairman Hurd, Chairman Lummis, Ranking Member Kelly, and Ranking Member Lawrence, distinguished members of the Subcommittee on Information Technology and Subcommittee on Interior, I would like to thank you for the opportunity to share our members’ perspectives on the recent Office of Personnel Management (OPM) data breaches impacting federal employees. I also commend you for holding this hearing regarding the Department of Interior’s (DOI) role with federal employee personnel records and human resources functions and for devoting attention to this extremely urgent issue. As President of the National Treasury Employees Union (NTEU), I have the honor of representing over 150,000 federal workers in 31 agencies.

There is still great fear and outrage on the part of federal employees and retirees in the aftermath of OPM’s recent announcements that millions of current and former federal employees have had personally identifiable information (PII) compromised owing to breaches in databases containing various personnel and investigative records. Federal employees have had a difficult few years, facing multi-year pay freezes, furloughs, and sequestration, and this type of exposure is simply unacceptable.

Following its first statements beginning on June 4th, OPM confirmed that a personnel records breach had potentially compromised names, dates and places of birth, Social Security numbers, and addresses. A month later, much remains unknown about what type of personnel records were compromised, making it impossible for these 4.2 million federal employees and retirees to truly understand the risk that they, and possibly their family members, are facing. Employees deserve to know what exact databases and information were hacked, particularly given the high number of OPM databases that exist containing various types of agency and employee records.

Media reports have indicated that the Interior Business Center (IBC), a unit of DOI that serves as a shared services provider for a number of federal agencies and is responsible for a myriad of human resources, financial, payroll, data warehouse, and benefits administration functions, may have been involved in the OPM personnel records breach. Additionally, IBC provides support for the Office of Management and Budget’s and OPM’s Human Resources Line of Business (HRLoB), which seeks to modernize, align, and allow for strategic human capital planning in the day-to-day management of employing agency human resources functions and processes. Further, recent congressional hearings on the OPM breaches have confirmed that the electronic Official Personnel Folder system (eOPF), one of OPM’s key e-government initiatives under the Enterprise Human Resources Integration (EHRI) initiative, which aims to consolidate, gather, and transform the use of government-wide data and human resources processes through the use of information technology, was compromised. While much attention has focused on OPM in recent weeks, it is important to remember that all federal agencies, including DOI, house huge amounts of personal information on the federal workforce, as well as for many other Americans. Congress needs to ensure that agencies receive the proper funding to be able to adequately safeguard this information physically and virtually, and to hire and retain a skilled IT workforce.

Given IBC’s various roles for federal agencies, NTEU believes additional information is needed as to what exact data and personal information was compromised, including whether or not any of the personnel records contained family member information, such as would occur for family member benefit designations for the Federal Employees Health Benefits Program (FEHBP) or the Federal Employees Group Life Insurance (FEGLI) program. IBC’s payroll functions also lead to serious remaining questions as to the security of employees’ financial and bank account information. I ask Members of the Committee on Oversight and Government Reform to ensure that affected federal employees and retirees know for sure what was and was not compromised in the personnel records breach. While the U.S. government cannot now undo the damage caused by the breach, it can at least be transparent about the data compromised, and duly inform affected employees and retirees.

NTEU continues to seek notifications for individuals affected by the background investigations breach, who, a month following its announcement, have yet to be notified. These individuals have given the U.S. government the most sensitive personal information that exists, and deserve to have credit and identity theft protections already in place. We are also working to ensure free lifetime credit monitoring, including the option to set up credit freezes, as well as free lifetime identity theft protection for affected individuals, and support Congresswoman Eleanor Holmes Norton’s bill, H.R. 3029. I ask that your Subcommittees support this legislation, and seek swift passage of this measure by the U.S. House of Representatives. I also urge your Subcommittees to ensure the creation of a high level task force to quickly secure personnel databases across government, and to seek a review of what information the federal government requires employees, and their family members, to provide, and how agencies collect, process, disseminate, and store this information. I further urge your Subcommittees to review the Executive branch’s “Continuous Evaluation” (CE) proposals, which would expand the amount of personal information gathered for those serving in sensitive positions, in light of these recent data breaches.

Thank you for the opportunity to share NTEU’s views.