Judges' PII Compromised in 2015 Cyber Attack
When discussing the importance of guarding against data breaches with attorneys, keep in mind that federal judges were the victim of a cyber attack in 2015. As this June 4, 2015 notice on the site of the Office of Personnel Management makes clear, in April 2015 its systems were penetrated during an attack that compromised the personally identifiable information (PII) of 4.2 million federal employees including that of federal judges. This attack was followed by a second data breach in July 2015 that disclosed information related to background checks for almost 20 million people. See this post on the OPM's site.
The National Law Journal reported that the spokesman for the Administrative Office of the United States Courts described the federal judiciary as having been in 'crisis mode'. The report noted that the Chief Judges of the District of Nebraska, the Western District of Texas, and the District for the District of Columbia had all received notices from the OPM indicating their data was compromised.
The initial data breach began in May 2014 and was not discovered until a year later. The breach gave rise to an information privacy suit, National Treasury Employees Union v. Archuleta, No. 4:15-cv-03144 (N.D. Cal.), alleging that the OPM violated federal employees' due process rights under the Fifth Amendment. The complaint in this suit, provides details about the data breaches. The compromised data included Form SF-86 Questionnaires for National Security Positions. The inspector general of the OPM identified deficiencies in the OPM data security programs in a 2014 audit report. This report noted that, "OPM 'continues to be negatively impacted by years of decentralized security governance' causing its technical infrastructure to remain 'fragmented and therefore inherently difficult to protect.'" Compl. at ¶ 40, quoting OPM: Data Breach: Hearing Before the House Comm. on Oversight and Gov’t Reform, 114th Cong. (2015) (statement of Michael Esser, Asst. Inspector General for Audits, Office of Personnel Management), available at www.democrats.oversight.house.gov/legislation/hearings/full-Committee-hearing-OPM-data- breach. Mr. Esser also noted that the OPM, "does not maintain an accurate centralized inventory of all servers and data bases that reside within the network." Id. at 4-5. So no data map at the OPM. Social security numbers in OPM databases were not encrypted.