Full Report
A pair of whistleblowers believe the office skirted the law by not conducting a privacy impact assessment for an alleged “on-prem” server used to send mass emails to federal employees and store information from responses. The post Lawsuit claims systems behind OPM governmentwide email blast are illegal, insecure appeared first on CyberScoop.
Analysis Summary
# Regulation/Compliance: E-Government Act of 2002 (PIA Requirement)
## Overview
This summary addresses legal challenges against the Office of Personnel Management (OPM) for allegedly deploying a new on-premise email server system, used for mass communication and PII collection from federal employees, without conducting a statutorily required Privacy Impact Assessment (PIA).
## Key Details
- Issuing Authority: U.S. Congress (via the E-Government Act of 2002)
- Effective Date: The E-Government Act of 2002 is already in effect, meaning the requirement for a PIA upon deploying a new system that handles PII (like this email server) is mandatory.
- Jurisdiction: U.S. Executive Branch Agencies (Federal Government).
- Status: In Effect (The requirement is alleged to have been violated).
## Requirements
### Mandatory Requirements
1. **Conduct a Privacy Impact Assessment (PIA):** OPM must conduct a PIA for the new on-premise email server system used for sending mass emails and storing response information, especially since it handles Personally Identifiable Information (PII) of U.S. Executive Branch employees.
2. **CIO/Equivalent Sign-off:** The agency’s Chief Information Officer (CIO) or equivalent official must formally sign off on the PIA.
3. **Public Disclosure:** The completed PIA must be made publicly available for review.
4. **Security Measures:** Proper security measures must be built into the system, particularly given the sensitivity of the data involved (as demonstrated by past high-profile breaches like the 2015 OPM hack).
### Recommended Practices
1. **Encryption:** Ensure email communications involving PII are appropriately encrypted, as standard email is often not secure against interception.
2. **Thorough Testing:** Conduct comprehensive security and operational testing *before* mass deployment to an entire executive branch workforce.
## Affected Organizations
- Industries: U.S. Federal Government Agencies.
- Organization Size: Applies to any agency deploying systems handling PII.
- Geographic Scope: Applies to systems processing data of U.S. Executive Branch employees.
## Compliance Timeline
- **Prior to Deployment/Implementation:** The PIA should have been completed, signed off, and made public *before* the launch of the new email distribution and response system.
- **Immediate/Current Demand:** Plaintiffs are demanding an immediate cessation of system use until the required privacy assessment is lawfully completed.
- **Final deadline:** Compliance with the PIA requirement is overdue as the system is already operational.
## Implementation Guidance
### Assessment Phase
- **System Documentation:** Fully document the scope, architecture, data flows (sending and receiving), and PII collected by the new on-premise email server.
- **Security Review:** Conduct an immediate security posture assessment, focusing on encryption (in transit and at rest) for all stored PII.
### Implementation Phase
- **PIA Execution:** Formally execute the PIA, detailing system purpose, data collected, legal authorities, maintenance procedures, and potential privacy risks.
- **Sign-off and Publication:** Secure the required signature from the CIO and immediately publish the completed PIA on a public-facing platform.
### Validation Phase
- **Legal Review:** Validate that every step the E-Government Act mandates (PIA completed, CIO sign-off, public release) has been carried out, so that no required agency action remains "unlawfully withheld or unreasonably delayed" within the meaning of 5 U.S.C. § 706(1).
- **Remediation:** If security gaps are found during assessment, implement fixes before re-authorizing full use of the system for PII processing.
## Technical Requirements
- **PII Handling:** Explicit controls must be defined for handling Personally Identifiable Information collected via email responses.
- **Encryption:** Strong encryption protocols must be verified for all relevant communications and stored data.
## Penalties & Enforcement
- Fines: Not explicitly detailed in the article; the legal challenge instead relies on 5 U.S.C. § 706(1), which lets a court compel agency action that has been unlawfully withheld or unreasonably delayed.
- Other Consequences:
* **Injunction:** Plaintiffs are seeking an injunction to stop the use of the systems until compliance is verified.
* **Material Harm:** Plaintiffs claim they are being materially harmed by the denial of transparency regarding how their PII is being managed.
* **Reputational Damage:** High-profile lawsuits relating to PII handling, especially following major past breaches (like the 2015 OPM hack), severely damage public trust.
- Enforcement: Enforcement action is being sought through a **class-action lawsuit** filed in the U.S. District Court for the District of Columbia.
## Related Standards
- **E-Government Act of 2002:** The primary legal standard violated, specifically mandating PIAs for new information technology systems handling sensitive PII.
- **NIST/FISMA:** While not explicitly named in the article, the requirement for proper security measures implies adherence to the Federal Information Security Modernization Act (FISMA) and the NIST security controls federal agencies apply under it.
## Resources
- Official Documentation: E-Government Act of 2002 (Specific section pertaining to PIAs).
- Guidance Documents: OMB guidance on implementing the E-Government Act and conducting PIAs.
- Tools: Internal agency privacy review tools and required templates for PIA documentation.
## Practical Recommendations
1. **Audit New Systems Immediately:** For any new system slated to collect or store federal employee PII, conduct a comprehensive PIA concurrently with development, not after deployment.
2. **Engage Legal Counsel:** Ensure that agency actions regarding PII handling are reviewed by legal counsel to preemptively mitigate claims of "unlawfully withheld or unreasonably delayed" action under 5 U.S.C. § 706(1).
3. **Prioritize Transparency:** Make privacy assessments publicly available promptly to build trust and avert whistleblower litigation demanding disclosure.