The American Postal Workers Union (APWU) recently filed an NLRB charge against the United States Postal Service (USPS) in connection with a data breach that led to the release of 800,000 employee and retiree medical records, social security numbers and bank account and routing information. This has been widely reported and discussed elsewhere.
One overlooked element of this case is the detailed testimony about how the data breach itself was handled. While many breaches make news, the USPS’ testimony before Congress is unusual and gives us very interesting insight into the breach. So, what can we learn?
Background
First, another word on the case. The mere failure of the USPS to notify the union is not at issue; rather, the complaint focuses on the fact that the USPS made “unilateral changes in wages, hours and working conditions by, among other things, providing free credit monitoring services to employees.” In short, APWU would have liked to have been notified earlier in order to be in a position to bargain over the USPS’ employee-related response measures.
Whether the USPS should have held back notifications for negotiations or should have notified-then-negotiated is, of course, up to the NLRB, Congress and the courts. I won’t comment on this aspect of the APWU’s charge except to say that it appears to me from the testimony of Randy Miskanic, vice president of secure digital solutions at the USPS, that the earliest anyone outside of the crisis response team could have been notified was after a “brownout” period of November 8 and 9 (during which the USPS severely limited its access to the web and instituted major, system-wide changes to its security systems). At the very least, the scope of the breach was not known until October 16, 2014 and the theft was only confirmed on November 4, 2014. For the same reasons of investigation and confirmation, the suggestion by some members of Congress that employees be notified as soon as a social security number is known to be compromised may produce legislative proposals but likely very little lawmaking.
Best Practices
Some thoughts while reading Miskanic’s testimony:
1. How would your own systems and procedures hold up under such pressure? Would you (the employment lawyer) have been called in? In fact, you might wish to run a “table top” exercise based on this scenario. When would your counsel have been sought?
2. Had this been a private entity dealing with a breach, would the Postal Service have been in full compliance with most state laws concerning breach notification (here, to employees)? Arguably, yes, as such statutes typically require notification after law enforcement and data security needs are handled. Here is New York’s statute:
The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
Based on the testimony, several federal agencies were very reluctant to permit notification until the full scope of the breach was known and the perpetrators identified (to the extent possible). As for “restor[ing] the reasonable integrity of the system,” the two-day brownout period likely satisfies that prong. Finally, the national security implications of this matter would likely weigh heavily on a court’s decision-making. After all, the suspects in this matter are Chinese government hackers. (This is very relevant to private enterprises because the United States indicted Chinese government officials who were said to be aggressively launching cyberattacks against US business.)
3. The testimony provides a good look at a serious remediation effort (and what employment lawyers must understand during remediation discussions):
The new network security safeguards put into place over this two-day period included removing workstation administrator rights and enhancing network monitoring. We also upgraded and segmented Administrative Domain Controllers, removed compromised systems and accounts, and implemented two-factor authentication for administrative accounts.
To further reduce the likelihood of phishing or spear-phishing emails—common and increasingly sophisticated ways of compromising computer users and systems—impacting the Postal Service network, access to personal email sites such as Gmail or Yahoo was, and continues to be, blocked. In addition, direct database access is now only enabled to technology support staff and a number of business applications have been retired.
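One of the controls in that testimony, blocking personal webmail sites, is only as good as the verification that the block is actually enforced. The following is an added example, not code from the USPS or from the testimony, of how a security team might check that: it parses constructed proxy log lines (a hypothetical squid-style format), matches hostnames against a small webmail domain list by suffix so that a subdomain such as mail.google.com is caught but a look-alike such as notgmail.com is not, and reports which users still reached webmail with an allowed (non-4xx) response. The log format, domain list, usernames and addresses are all assumptions made for the example.

```python
"""Check proxy logs for personal webmail access that was not blocked.

Added illustration of the "block personal email sites" control described in
the testimony. The log format, domain list and sample lines are constructed
for this example and are not USPS data or configuration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Domains treated as personal webmail (assumed list for the example).
# Matching is by exact host or dotted suffix, so "mail.google.com" and
# "accounts.mail.google.com" match "mail.google.com", but "notgmail.com"
# does not match "gmail.com".
WEBMAIL_DOMAINS = {
    "gmail.com",
    "mail.google.com",
    "mail.yahoo.com",
    "outlook.live.com",
}

# Constructed log lines: "<epoch> <client-ip> <user> <method> <url> <status>"
SAMPLE_LOG = """\
1415404800.123 10.20.30.41 jdoe GET https://mail.google.com/mail/u/0/ 200
1415404801.456 10.20.30.42 asmith GET https://www.usps.com/ 200
1415404802.789 10.20.30.41 jdoe GET https://gmail.com/ 302
1415404803.012 10.20.30.43 bjones GET http://notgmail.com/ 200
1415404804.345 10.20.30.44 clee POST https://login.yahoo.com/ 200
1415404805.678 10.20.30.44 clee GET https://mail.yahoo.com/d/folders/1 200
1415404806.901 10.20.30.45 dkim GET https://OUTLOOK.LIVE.COM:443/mail/ 200
1415404807.234 10.20.30.46 efox GET https://mail.google.com/ 403
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<status>\d+)$"
)


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL with any port removed."""
    return (urlsplit(url).hostname or "").lower()


def is_webmail(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed webmail domain."""
    return any(host == d or host.endswith("." + d) for d in WEBMAIL_DOMAINS)


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_webmail_access(log_text: str):
    """Return one record per request to a webmail host.

    Each record carries the user, host, HTTP status, and whether the proxy
    allowed the request (status below 400) rather than blocking it.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_of(rec["url"])
        if is_webmail(host):
            status = int(rec["status"])
            hits.append({
                "user": rec["user"],
                "host": host,
                "status": status,
                "allowed": status < 400,
            })
    return hits


def allowed_per_user(hits):
    """Count webmail requests per user that the proxy let through."""
    return dict(Counter(h["user"] for h in hits if h["allowed"]))


if __name__ == "__main__":
    hits = find_webmail_access(SAMPLE_LOG)
    for h in hits:
        verdict = "ALLOWED" if h["allowed"] else "blocked"
        print(f"{h['user']:8} {h['host']:20} {h['status']} {verdict}")
    print("allowed webmail requests per user:", allowed_per_user(hits))
```

Run against the sample, the script reports jdoe, clee and dkim as users who still reached webmail with an allowed response, while efox's 403 shows the block working for that request. Only webmail hosts that appear in the allowed set are evidence of a gap in the control; an entry with a 4xx status is the block doing its job, which is why the report distinguishes the two rather than counting every webmail hostname.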
Interesting insight and hopefully, some lessons learned.