OPM’s breakup with USIS could be a seminal moment
A state-sponsored breach, not other failings, reportedly prompted OPM to terminate its big contract with USIS.
The Office of Personnel Management’s decision to terminate contracts with background-check-provider U.S. Investigative Services last month could be a watershed moment in government-contractor relations, according to Robert Nichols, a lawyer specializing in government contracts.
Despite having other reputational issues prior to recently suffering a high-profile data breach, which reportedly affected at least 25,000 government employees, "ironically, [it] was a state-sponsored cyberattack on USIS's network that led OPM to say . . . 'We don’t consider you to be a responsible government contractor,'" Nichols, a partner at Covington & Burling LLP, said Oct. 7 at a conference hosted by the National Defense Industrial Association.
The aftermath of those lost contracts could see USIS become a sacrificial lamb to the cause of data security as federal agencies place higher demands on contractors securing their work with government data, he said.
Falls Church-based USIS was no stranger to controversy before it revealed on Aug. 6 it had been the victim of a likely state-sponsored data breach. The Justice Department had joined a civil lawsuit in January alleging the firm left at least 665,000 background checks incomplete over a 4 1/2-year period. The firm also did the background checks for former National Security Agency contractor Edward Snowden and Navy Yard shooter Aaron Alexis, though a company lawyer is quick to point out the government found no wrongdoing in those background checks.
Given that government contractors often handle sensitive, classified data, their margin for error may be smaller than big retail firms that handle civilian customer data, according to Nichols.
"When Target was breached, the interesting thing is everybody still got up and went to Target the next day to shop," he said, referring to when the personal information of between 70 million and 110 million customers was stolen from the retail giant last year. "When a government contractor gets breached, or if they simply don’t have enough systems in place to meet these standards for 'adequate security,' the government cuts them off and that contractor’s out of business, and it may lose its business for years."
The recent cyberattack dealt a significant blow to USIS's business; the firm announced Oct. 7 that it had laid off 2,500 workers as a result of lost contracts with OPM.
On the sidelines of Nichols' presentation at NDIA, John Toomer, director of intelligence, information and cyber systems at Boeing, agreed that the USIS breach and the firm’s loss of government business could shake up security among contractors. Some of the smaller suppliers that Boeing works with were looking at ways of tightening up their cybersecurity since the USIS breach, he said.