TSP breach offers federal agencies a lesson on what not to do

This is a busy week for federal employee issues on Capitol Hill. Digging my toes into a sandy beach will have to wait.

Here is some of what’s happening:

Senate testimony Tuesday indicates that federal employees’ money might be safe with the Thrift Saving Plan (TSP), but their personal information isn’t — and that includes members of Congress.

Greg Long, executive director of the Federal Retirement Thrift Investment Board (FRTIB), had the unenviable task of appearing before a Senate panel whose chairman, Daniel K. Akaka (D-Hawaii), was among 123,000 federal employees whose Social Security numbers and other personally identifiable information were breached in July 2011. The information was in a desktop computer used by an employee of Serco Inc., an outside contractor. TSP didn’t realize it had been breached until April this year, and it notified participants in May.

One thing that stood out in Long’s prepared statement was how woefully unprepared his agency was for the cyberattack.

“I regret to say that the FRTIB did not have a breach notification plan in place prior to 2012,” he told the Homeland Security and Governmental Affairs subcommittee on government management and the federal workforce. The board administers TSP.

Perhaps Long also regrets that TSP did not follow a 2007 Office of Management and Budget directive that told agencies to adopt such a plan. A June e-mail to Congress indicates that TSP officials have the right to follow or disregarded OMB’s instructions, because TSP’s budget is funded by its participants and is not subject to congressional or White House review.

According to the e-mail: “All guidance issued by OMB must be reviewed by the Executive Director to ensure that, in his opinion, following it would further the interests of the TSP’s participants and beneficiaries.

“This particular memo was found not to be legally binding on the Agency though it was noted as likely furthering the interests of the Plan’s participants and beneficiaries.”

TSP might be right on the law, but the agency was neglectful and derelict because for five years it had not developed the kind of policy that it recognized would benefit TSP participants.

Long is lucky that Akaka is a kindly gentleman. Some of his more publicity-seeking colleagues on the Hill would still be reaming out Long.

“I was very upset to learn that federal employees’ personal information was compromised in the TSP cyberattack,” Akaka told the Federal Diary. “I am just one of over 100,000 affected federal employees who now have to worry about who has their data and what it might be used for.”

Before Akaka was notified of his data breach, he had started work on legislation designed to better protect personal information held by government agencies. It would require all agencies, even the TSP board, to have a breach notification policy.

“We need to do a better job of protecting personal information held by the government,” Akaka said when the bill was introduced last week. “This amendment will close loopholes and push agencies to improve the safeguards on the private information they hold about nearly every American.”

There’s a lesson in the TSP breach.

Sen. Tom Carper (D-Del.), co-sponsor of the Cybersecurity Act of 2012 that is now being debated, said the TSP case demonstrates that the government “must do more to ensure that sensitive consumer information is properly protected, and timely notification to consumers is provided in the event of a breach. Fraud and identity theft have serious consequences, and it is time we make sure government agencies, companies and others handling this sensitive information have rules in place to safeguard this information.”

The real lesson for agencies is don’t do like TSP.

DHS in the hot seat

Wednesday will be the Department of Homeland Security’s turn in the spotlight, or hot seat, with two hearings in the House.

Expect members of the Oversight and Government Reform subcommittee on government organization to ask Charles K. Edwards, the department’s acting inspector general (OIG), about his large number of open cases.

In his prepared testimony, Edwards said that “the growth of the OIG workforce necessary to investigate allegations of criminal misconduct by DHS employees has not kept pace with the growth of the DHS employee population, now more than 225,000 strong.”

During fiscal 2006 through 2009, when the DHS workforce grew by 34 percent, Edwards said that his staff increased by only 6 percent.

He might also be asked about disarray in the McAllen, Tex., inspector general’s office. But he’s not likely to say much about it because the local office reportedly is the focus of a grand jury investigation.

According to the Center for Investigative Reporting, eight OIG employees have been placed on leave in connection with a probe into allegations that workers were told to falsify investigative reports.

At the same time, the House Homeland Security transportation subcommittee will hold a hearing on a DHS agency, the Transportation Security Administration (TSA). The title: “Breach of Trust: Addressing Misconduct Among TSA Screeners.”

Rep. Mike D. Rogers (R-Ala), chairman of the subcommittee, said that “high-profile criminal cases, among other failings, have resulted in major image problems and a growing lack of support for the agency.”

The TSA hearing comes as the American Federation of Government Employees (AFGE) expects to finalize its contract talks with the agency, a point not lost on Rep. Bennie Thompson (Miss.), the top Democrat on the full committee.

“We find the timing on this hearing interesting considering TSA and AFGE are scheduled to meet to finalize their contract for the front-line workforce on the very same day,” Thompson said. “Hopefully, this hearing is not an attempt to frustrate those efforts.”

Previous columns by Joe Davidson are available at wapo.st/ JoeDavidson. Follow him on Twitter: @JoeDavidsonWP.

Joe Davidson writes the Federal Diary, a column about the federal workplace that celebrated its 80th birthday in November 2012.
SECTION: {section=local, subsection=dc-politics}!!!
INITIAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=m6yzjj840m, display_more=true, moderationrequired=false, includefeaturenotification=true, canvas_allcomments_id=washpost.com/km4ey0dajm, comments_period=14, defaultsort=reverseChronological, includevoteofftopic=false, allow_videos=false, includesorts=true, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, childrenitemsperpage=3, includeheader=true, includeverifiedcommenters=true, defaulttab=all, includerecommend=true, includereport=true, maxitemstop=3, source=washpost.com, allow_photos=false, maxitems=15, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!!

UGC FROM ARTICLE: {allow_comments=true, allow_photos=false, allow_videos=false, comments_period=14, comments_source=washpost.com, default_sort=, default_tab=, display_comments=true, is_ugc_gallery=false, max_items_to_display=15, max_items_to_display_top=3, moderation_required=false, stream_id=}!!!

FINAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=m6yzjj840m, display_more=true, moderationrequired=false, includefeaturenotification=true, canvas_allcomments_id=washpost.com/km4ey0dajm, comments_period=14, defaultsort=reverseChronological, includevoteofftopic=false, allow_videos=false, includesorts=true, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, childrenitemsperpage=3, includeheader=true, includeverifiedcommenters=true, defaulttab=all, includerecommend=true, includereport=true, maxitemstop=3, source=washpost.com, allow_photos=false, maxitems=15, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!
Comments
SECTION: {section=local, subsection=dc-politics}!!!
INITIAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=m6yzjj840m, display_more=true, moderationrequired=false, includefeaturenotification=true, canvas_allcomments_id=washpost.com/km4ey0dajm, comments_period=14, defaultsort=reverseChronological, includevoteofftopic=false, allow_videos=false, includesorts=true, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, childrenitemsperpage=3, includeheader=true, includeverifiedcommenters=true, defaulttab=all, includerecommend=true, includereport=true, maxitemstop=3, source=washpost.com, allow_photos=false, maxitems=15, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!!

UGC FROM ARTICLE: {allow_comments=true, allow_photos=false, allow_videos=false, comments_period=14, comments_source=washpost.com, default_sort=, default_tab=, display_comments=true, is_ugc_gallery=false, max_items_to_display=15, max_items_to_display_top=3, moderation_required=false, stream_id=}!!!

FINAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=m6yzjj840m, display_more=true, moderationrequired=false, includefeaturenotification=true, canvas_allcomments_id=washpost.com/km4ey0dajm, comments_period=14, defaultsort=reverseChronological, includevoteofftopic=false, allow_videos=false, includesorts=true, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, childrenitemsperpage=3, includeheader=true, includeverifiedcommenters=true, defaulttab=all, includerecommend=true, includereport=true, maxitemstop=3, source=washpost.com, allow_photos=false, maxitems=15, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!
Show Comments