Friday, January 16, 2015

No One Accessed Any Sensitive Data

The statement comes anytime there is a problem with a hack or an accident of development.  Yes, we know there was a problem that allowed some people to get access to things they shouldn't, but nobody got access to records they were not supposed to see.  The latest of these is on the Federal Retirees who have access to OPM on a portal.  We heard the same thing during the Obamacare website fiasco.  Federal News Radio carried the story of the OPM website in their online edition yesterday, saying "the agency is still investigating how some retirees could see others' information".  If some retirees could see other people's records, that was a problem that would leave the statement by OPM a little suspect.  How could they possibly know?

I have heard witnesses or suspects say "Not that I know of" or the less subjective "Not that I remember".  These are not hard and fast statements that nothing bad happened, but they are not denials either.  They are fudges on the edge of truth sometimes, but hard to prove one way or another.  Maybe that subject really did not remember those 614 incidents that led to his indictment on drug charges.  So, why does somebody like OPM deny categorically that anyone got access to somebody else's records, when the flaw they were announcing gave access to those records?  Because they don't know, and probably can't find out, whose records were exposed to whom.  Denial is easier than reviewing all those audit records to see who might have been on and what they had access to.  
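The review the paragraph above says nobody wants to do is not exotic: if the portal kept per-request audit records naming the authenticated account and the record it served, a short script answers "who saw whose records" directly.  The following is an added example, not code from OPM or from the original post; the log format, the account names and the privileged-account list are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records in a hypothetical format:
# <timestamp> user=<authenticated account> <method> /retiree/<record owner>/<resource> <status>
SAMPLE_AUDIT_LOG = """\
2015-01-15T09:12:01Z user=ret10234 GET /retiree/ret10234/annuity 200
2015-01-15T09:12:44Z user=ret10234 GET /retiree/ret55871/annuity 200
2015-01-15T09:13:02Z user=ret55871 GET /retiree/ret55871/annuity 200
2015-01-15T09:14:17Z user=ret77120 GET /retiree/ret10234/annuity 200
2015-01-15T09:15:00Z user=ret77120 GET /retiree/ret10234/annuity 403
2015-01-15T09:16:30Z user=admin7 GET /retiree/ret55871/annuity 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"/retiree/(?P<owner>[^/\s]+)/\S+ (?P<status>\d{3})$"
)

# Constructed: accounts whose job legitimately involves viewing any record.
PRIVILEGED_ACCOUNTS = {"admin7"}


def parse_line(line):
    """Return a dict for one audit line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_cross_account_access(log_text, privileged=PRIVILEGED_ACCOUNTS):
    """Return successful (2xx) requests in which a non-privileged account read another account's record."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines would be listed separately in a real review
        if rec["user"] in privileged:
            continue
        # The exposure question is exactly: served a record whose owner is not the requester.
        if rec["user"] != rec["owner"] and 200 <= rec["status"] < 300:
            hits.append(rec)
    return hits


def exposure_report(log_text, privileged=PRIVILEGED_ACCOUNTS):
    """Map each record owner to the sorted list of other accounts that successfully viewed their record."""
    exposed = defaultdict(set)
    for rec in find_cross_account_access(log_text, privileged):
        exposed[rec["owner"]].add(rec["user"])
    return {owner: sorted(viewers) for owner, viewers in exposed.items()}


if __name__ == "__main__":
    for owner, viewers in sorted(exposure_report(SAMPLE_AUDIT_LOG).items()):
        print(f"record {owner} was viewed by: {', '.join(viewers)}")
```

On the constructed log this reports two exposed records (the denied 403 request and the privileged account are excluded), which is the list the agency would need before it could honestly say whether anyone saw someone else's information.  If the portal's logs do not record the owner of the record served, only the requester, then the question cannot be answered from them at all, and that is the situation the denial is covering for.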

There has to be a penalty for this kind of behavior.  Obamacare's notorious beginnings were an open invitation to every hacker in the world to get health and privacy information on millions of people all at once, and have the government officials deny that anything was taken from them.  Considering the state of security of that system, there was no way to tell who got access to what.  Experian still denies that anyone took information from their customers, while the evidence is they may have lost as many as 200,000,000 records.  Brian Krebs wrote extensively about it, but it doesn't stop Experian from the denials.  They told me "Don't believe all those stories on the Internet".  Essentially, OPM is saying the same thing, though on a much smaller scale.  

We need a change in law that compensates for the lack of judgement on the part of some managers who don't report or deny reports of substantiated losses, something like the additional penalties some robbers get for using a gun.  If you knew about it and intentionally didn't report, or you had evidence from a third party that there were losses and you still did not react, you get additional time in jail or an additional fine for not reporting.  Come to think of it, when has a government or business official ever been prosecuted for negligence in the way they handled our information?  Ever?  I can't think of one.  

After I published this, Brian addressed issues on data breaches that are worth reading at:  
