The Washington Post

Data exposed in breaches can follow people forever. The protections offered in their wake don’t.

Workers arrive at the Office of Personnel Management (OPM) in Washington in this file photo taken Oct. 17, 2013. (James Lawler Duggan/Reuters/Files)

Whether they're at retailers, health insurers, or government agencies, cyberattacks that have exposed the personal and financial information of millions of Americans in recent years spare no one.

Most recently, a massive hack of the Office of Personnel Management swept up information about millions of former and current government employees. In its wake, the agency is offering 18 months of free credit monitoring and identity theft insurance -- in line with the offers that typically follow a breach at a company in the private sector.

But increasingly, privacy experts say, that monitoring is not enough.

The OPM breach, which was disclosed earlier this month, may have exposed the Social Security numbers, dates of birth, and addresses of workers along with information typically found in personnel files, according to the government. On Friday, OPM said it had determined, with "a high degree of confidence," that systems containing information related to the background investigations of "current, former and prospective" federal employees were breached.

That's the kind of information that could be used for identity theft and to set up fraudulent lines of credit. But monitoring services typically focus on detecting those types of problems once they've already occurred rather than preventing them, according to Ed Mierzwinski, federal consumer program director and senior fellow for U.S. PIRG.

Such services can provide "a false sense of security," he said. Workers would be better off putting a freeze on their credit, he argued -- telling credit monitoring agencies to stop any new lines of credit from being opened in their name. To do that, a consumer has to reach out to all three of the major credit monitoring agencies and pay a fee -- between $10 and $15 per agency to freeze and unfreeze each time depending on the state, Mierzwinski said.

If the data is in the hands of traditional cyber criminals, the 18-month window of protection may not be enough to protect workers from harm down the line. "The data is sold off, and it could be a while before it's used," said Michael Sussmann, a partner in the privacy and data security practice at law firm Perkins Coie. "There's often a very big delay before having a loss."

This is particularly true for breaches such as the OPM hack, which seems to have exposed more sensitive types of information than the retail breaches that have made headlines in recent years.

The agency did not immediately respond to a Washington Post request for comment for this story.

"Credit card numbers and debit card numbers have a short shelf life, because banks figure out which cards are at risk, and people get new numbers without asking for them," explained Mierzwinski. "Social Security Numbers have a very long shelf life -- a bad guy that's smart won't use it immediately, he'll keep a hoard of numbers and use them in a couple of years."

But thanks to the wave of mega-breaches in recent years, the long-term consequences for federal workers from the OPM hack will be hard to pin down. "If someone stole my identity a year from now, how do I know if it's because of the Target breach or the OPM breach?" asked Sussmann, a former federal employee. "It's hard to trace -- they all bleed into each other."

And protections like those being offered in the wake of the OPM hack only protect against a specific kind of financial risk, said Sussmann. "There's no harm in getting it, but there are problems that aren't addressed," he said.

If the Chinese government was behind the attack, as many believe, and is using it to build up huge databases of Americans for intelligence purposes, consumers may never know how exactly the data will be used, Sussmann said.

"It's not just financial risk," said Nuala O'Connor, a former chief privacy officer for the Department of Homeland Security who currently leads the Center for Democracy & Technology. "The information that seems to be compromised is much more invasive," she said, referring specifically to the background check information.

The data collected for a security clearance can be particularly revealing, she said; applicants often share information about other people in their lives as part of the process. "There are potential reputational harms and physical harms that go beyond what you see in private sector breaches," she said -- including the safety of people who work in sensitive jobs and that of their families.