The OPM data breach has put the government’s personnel agency in a deep hole. Critics are accusing OPM of an inadequate response and poor communications and questioning how the agency can continue to operate effectively.
That is not a surprise. Something as big and as shocking as this can be a credibility killer for any organization. Even so, I have been surprised by the number of people who have told me OPM should be shut down and its mission transferred to other agencies. Others have told me the agency just has to “hunker down” and take its lumps before returning to business as usual. Neither approach is productive.
When an organization finds itself in a security, morale and public relations nightmare, it has to act or be damaged beyond recovery. Like Sony, Target, Anthem and others, OPM can recover from this mess, but it will have to take a number of deliberate steps to begin moving forward and eventually emerge as a better and more effective agency. In this post I am going to address some steps OPM should take to get started. I believe OPM has a vital mission and it certainly should not be shut down, but there are structural changes that OPM should make to refocus and ensure it does not find itself here again. I will address those in my next post.
The Rest of the Story
Every story has a beginning, middle and end. We already know the beginning of this story. Two cyber security breaches exposed vital records of more than 20 million people. We are in the middle of the story now, and it is very personal. Rather than being an abstract tale about someone else’s misfortune, this one directly affected virtually every Federal employee (including members of Congress), cleared employees of government contractors, and 1.8 million family members and associates. We/they are angry. We still do not know everything we want to know. We saw an agency that was slow to respond, did not want to say ‘we are profoundly sorry for this failure,” did not maintain clear and open communications, and did not appear to know what to do next. Given the scope and long-term impact of the breach, that reaction was infuriating, but not surprising. Few organizations take the necessary steps to prepare for a crisis of this scale.
OPM has the opportunity to help define the arc of this story and influence how it ends. If OPM is going to emerge from the breach successfully, it needs to address the anger and fear and demonstrate that it knows what to do. Here are some suggestions on how to begin:
Get the Credit Monitoring/Identity Protection Issue Off the Table
Because this is such a personal issue and the fear of identity theft is so strong, the government needs to offer long-term credit monitoring and identity theft protection to everyone who was affected by both breaches. This one will require help.
I know a lot of people say OPM should pay for what happened, but that is not the way Federal budgets work. It is unlikely OPM’s appropriated dollars can be used without violating the Anti-Deficiency Act and their revolving fund does not have the money to pay for it. That means, as distasteful as it seems, it will require either a new appropriation or money from other agencies. OPM has already advised agencies that it is raising fees for background investigation services to cover the coverage they have already offered. Any long-term protection contract should be awarded competitively after rigorous competition and price negotiations.
It is no secret that everyone wants more information. They want to know what happened, they want to know what will be done to make certain it will not happen again, and they want to know what will be done to protect them and their families from the consequences of this breach.
Perhaps early communications were poor because of security concerns, but we are at a point where OPM must share more information, answer questions, and start reassuring people. They need crisp messaging that does just that. They need to be out in public talking about it.
Acting Director Beth Cobert addressed the breach at the July 15, 2015 meeting of the National Council on Federal Labor Management Relations. OPM also participated in a July 16, 2015 event hosted by Maryland representative John Delaney. Those were a good start, but they reached only a few hundred people.
Because people get their information from many different sources, OPM should use multiple forms of communications, including social media (the OPM Facebook page has been virtually silent on the breach), press releases, interviews with the media, and more information on OPM’s website. As my new colleague, Jeff Hunt, an international expert in crisis communications with ICF’s PulsePoint Group noted: “Everyone looks for the villain, the victim, the hero and the moral to the story during situations like this. There is a natural vacuum created as these roles get cast. It may be unreasonable to expect OPM to ever achieve ‘hero’ status, but they should be making sure everyone knows who the real villain is. That would be the hackers and not OPM.”
Engage the OPM workforce
The OPM workforce should become a part of the communications strategy. OPM should give their workforce information that they can share with colleagues in other agencies, their families and friends. Those folks are talking with OPM employees anyway. If the OPM workers have nothing to say but “I don’t know anything and am not allowed to talk about it” their opinions of their employer will suffer, they will feel isolated, and the best may look elsewhere for jobs. While the breach certainly was not the responsibility of just one person, likewise it was not the fault of every OPM employee. Many of them have been doing their jobs and doing them well. If OPM employees are empowered with some useful information that the ability to share it, they will be more engaged and will help share information that is accurate and beneficial.
Share the Learning
The learning is important to the healing. As OPM progresses through the fallout of the breach, it will no doubt learn many lessons. An important part of recovery is sharing that learning so the people who were harmed by the breach know that the learning is taking place. We can be remarkably forgiving people when we believe people and organizations who have had failures have accepted responsibility, learned from their mistakes, and taken steps to avoid another failure. OPM should begin communicating what is has learned and how it will incorporate that learning into how it conducts business.
Identify Metrics that Show Progress
OPM will have to make changes as a result of the breach. That may include how it manages technology programs, the types of oversight managers will receive, how it responds to reports from its Inspector General, how it addresses updates to software and operating systems, and many others. Most agencies do not have public metrics about such “weedy” internal operations, but most agencies have not lost the personal data of 20+ million people. OPM will have to go above and beyond the norm to regain its credibility. Publicly reported metrics, based on what the agency has learned from the aftermath of the breach, will provide the transparency that is needed to “trust, but verify” that the agency is taking the learning and applying it in a meaningful way.
Recovery from the breach is going to take a long time, but beginning to regain the trust of Federal employees, the Congress and the public can begin immediately. We need to see visible signs of change and we need them now.