If OPM were a private company, many of the victims would’ve been notified by now under some state laws.
Seven states have specific deadlines dictating how long companies have to notify those affected, whereas a 2014 federal statute says the notification process should take place “as expeditiously as practicable.”
In Ohio, Vermont, Washington and Wisconsin, companies are required to notify victims no later than 45 business days after discovery of a significant data breach. In Florida, the deadline is set at 30 business days, and in California companies have 15 business days once unauthorized access of data has been detected.
Maine’s law says that once law enforcement has determined the notification of a breach will not impede or compromise a criminal investigation, a company has no more than seven business days to inform people who had personal information compromised.
While OPM has notified almost all of the 4.2 million people who had personal information compromised in a data breach detected in April, the agency has yet to notify the approximately 20 million victims of a related breach detected as early as May.
More state laws are in the pipeline. Connecticut and Rhode Island are set to have new laws with notification deadlines: Connecticut’s law, which takes effect Oct. 1, includes a 90-day limit, and Rhode Island’s law, which takes effect on June 26 of next year, imposes a deadline of 45 calendar days following a breach’s discovery.
The federal government, however, operates under different standards than private companies. In December, President Obama signed into law S. 2521, a bill sponsored by Sen. Thomas Carper (D-Del.) that requires agencies, if breached, to notify affected individuals “as expeditiously as practicable and without unreasonable delay after the agency discovers the unauthorized acquisition or access.”
That law covers familiar ground for the federal government. A 2007 memorandum issued by Clay Johnson, then deputy director for management at the Office of Management and Budget, mandated that federal agencies establish a protocol for when data breaches occur.
OPM did not respond to inquiries regarding the specifics of its notification policy.
Uncertainty about breach-notification protocol is not unique to OPM. A 2014 report from the Government Accountability Office looked at eight federal agencies and found inconsistent implementation of data breach response policies.