Trade Law Daily is a Warren News publication.
IANA Implications

OPM Breach Shows Need for Congress To Act on Cybersecurity, Privacy Protections, House Members Say

The recent Office of Personnel Management (OPM) data breach signals that the federal government needs to address serious policy issues involving cybersecurity and privacy protections, said Congressional Privacy Caucus Co-Chairwoman Diana DeGette, D-Colo., and Congressional Cybersecurity Caucus Co-Chairman Jim Langevin, D-R.I., on an episode of C-SPAN’s The Communicators Saturday. The OPM breach has been cited as a reason for Congress to pass legislation dealing with cybersecurity information sharing and data breach notification requirements (see 1506080061), along with having implications for the ongoing Internet Assigned Numbers Authority (IANA) transition.

The OPM breach “could very well have been prevented” if Congress had managed to pass cybersecurity information sharing legislation during the last Congress, Langevin said. The House has repeatedly passed information sharing legislation in recent Congresses, including two bills in April (see 1504230062) -- the Protecting Cyber Networks Act (HR-1560) and the National Cybersecurity Protection Advancement Act (HR-1731). The Senate needs to “get their act together” on passing HR-1560 and HR-1731 after having failed to pass companions to House legislation on previous occasions, Langevin said. Senate Majority Leader Mitch McConnell, R-Ky., is pushing for Senate consideration this week on the unrelated Cybersecurity Information Sharing Act (S-754), though that effort continued to get criticism Monday (see 1508030033). Langevin didn’t comment on S-754 but said HR-1560 and HR-1731 “had very strong” privacy and civil liberties protections.

Langevin said he's concerned by reports that the White House might not retaliate against China, which has been widely cited as the source of the OPM breach, but said it will be “difficult to prove in an ironclad way” that the Chinese government itself was responsible for the attack. “When you talk about retaliation, you have to have a very strong case,” he said. The White House didn’t comment Monday about new media reports over the weekend that there would be an as-of-yet-undefined retaliatory response.

The OPM breach itself raises questions about government and private sector privacy protections, DeGette said. It’s difficult to keep ahead of advances in hacking technology, making it more important to “think about how to minimize the need” for anyone to enter private information online, she said. “We need to really think about minimizing the amount of personal information people are putting onto these websites to begin with,” she said, questioning whether OPM needed to require job applicants to enter their Social Security numbers on online applications. Customers also need to learn to ask “the hard questions” about why they need to provide personal information online, DeGette said.

Previous data breaches also have led to calls for a national standard for data breach notifications and related consumer privacy bills, though neither has been a priority for Congress thus far, DeGette said. There’s public support for consumer privacy legislation, but it’s challenging for Congress to “try to put a regulatory framework in place that will both protect customers but also allow the free flow of data” for corporations, DeGette said. A national data breach notification bill may be easier for Congress to address, she said, saying the OPM breach may give Congress “more of an inclination” to address the issue after the August recess.