In late 2015, the U.S. Office of Personnel Management (OPM) disclosed that 21.5 million people were swept up in a colossal breach of government computer systems. Basically, every person given a government background check for the last 15 years was most likely affected.
According to the agency, hackers stole “sensitive information,” including addresses, health and financial history, and other private details, from 19.7 million people who had been subjected to a government background check, as well as 1.8 million others, including their spouses and friends. The theft was separate from, but related to, an earlier breach that compromised the personnel data of 4.2 million federal employees, according to officials.
In February 2016, just two days before she was scheduled to appear once more before the House Committee on Oversight and Government Reform, Donna Seymour, CIO for the Office of Personnel Management, announced she would retire.
The resignation came almost eight months after OPM officials announced a massive breach of the agency’s networks had resulted in the compromise of millions of personnel records — a number that eventually grew to include 21.5 million current, former and prospective federal employees and their relations. Then-OPM Director Katherine Archuleta resigned shortly thereafter, but Seymour hung on despite calls for her firing. She now faces a lawsuit for her role in failing to protect millions of personal data files of employees. The suit accuses her and others of negligence, privacy violations and other transgressions.
What does this mean for CIOs of private companies?
In a recent article in the Wall Street Journal, one attorney expects to see more of these types of suits. “We are absolutely going to see more CIOs and other C-level executives taking the fall and ultimately being named in lawsuits,” said Matthew Karlyn, a partner at Foley & Lardner LLP.
What’s important, said Karlyn, is that a CIO is able to demonstrate that a methodical, attentive approach was taken to conceiving, installing, monitoring and adapting cyber security measures. “Although CIOs may be sued, they may not be judged liable if they can show proof of carrying out these fiduciary responsibilities. They have to play an active role,” Karlyn said.
Some of the questions CIOs and their board members should be asking about their cyber security policies, to ensure that robust mitigation measures are actually being implemented, include:
- Is cyber security a business or IT responsibility?
- Do security goals align with business priorities?
- Have we identified and protected our most valuable processes and information?
- Does our business culture support a secure cyber environment?
- Do we have the basics right? (For example, access rights, software patching, vulnerability management and data leakage prevention.)
- Do we focus on security compliance or security capability?
- Are we certain our third-party partners are securing our most valuable information?
- Do we regularly evaluate the effectiveness of our security?
- Are we vigilant: do we continuously monitor our systems, and can we detect and prevent breaches?
- Do we have an organized plan for responding to a security breach?
- Are we adequately resourced and insured?
Download the EZProtect brochure with full FAQs to understand how EZProtect can provide virus scanning within Salesforce orgs to protect against cyber security threats.