Q. How can cyber security violations endanger my job?
With the finger pointing over the massive data breach at the Office of Personnel Management reaching frantic levels, it may only be a matter of time before federal agencies start hunting for employees who may have made them vulnerable to this or other cyber attacks. Former OPM Director Katherine Archuleta's testimony before the House Oversight Committee, in which she said the only people to blame for the devastating hack were the "perpetrators," should not be viewed as affording federal employees blanket coverage against allegations of cyber security policy violations.
Indeed, blame is like air in the federal government; the system suffocates without it. And if an employee cannot be blamed for this data breach, then I am sure agencies will have little problem finding others to blame for smaller breaches. Violations of cyber security procedures are nothing new in the federal government. Employees caught sharing passwords or using data and information systems without authorization will face an uphill battle at the Merit Systems Protection Board against any adverse action proposals that may result from Agency action against them as a consequence.
Such violations commonly fetch removal notices. That was what happened in Rene Whittaker v. Internal Revenue Service (2012), where the agency removed the appellant for inserting a personal flash drive in her government-issued laptop and infecting it with malware. The appellant in Lenora Porzillo v. Department of Health and Human Services (2008) received the same penalty for sharing her password with a co-worker and downloading an Excel spreadsheet with the names and Social Security numbers of over 1,000 employees from a restricted drive so she could send it to her personal e-mail account. And in Von Muller v. Department of Energy (2006), the Board found the appellant could be removed for, among other things, attempting to stifle the agency's cyber security measures by "encouraging coworkers to barrage the Cyber Security department with requests to review incoming email attachments."
Probably the best chance for employees facing removal for cyber security policy violations is to show that agency treated similarly situated employees less harshly. Some companies such as IBM have suggested that 95 percent of cyber security incidents are attributable to human error, and while inadvertent actors only account for 5 percent of cyber attacker population, IBM claims they are "among the most dangerous." As stated above, the government often comes down hard on cyber security policy violators, but agencies often fail to do so across the board. I suspect the government's payroll would take a steep hit if that were the case. In Michelle Washington v. U.S. Postal Service (2011), for example, an MSPB judge did not sustain the password sharing specification of an improper conduct charge because "other employees testified that during 'crunch' times this sharing of passwords happened with some frequency to make working more efficient."
In Smith v. Department of Transportation (2012), the MSPB and Equal Employment Opportunity Commission refused to sustain the 30-day suspension of an employee for the unauthorized disclosure of government information after the agency refused to provide requested information on how it disciplined similarly situated employees. That failure enabled the EEOC to draw an adverse inference and prove the suspension was retaliation for prior Equal Employment Opportunity activity.
Mistakes happen, especially when computers are involved. Federal employees facing removal or suspension for misusing government equipment or violating cyber security policies should immediately consult with an experienced federal employment law attorney to see what their rights and possible responsibilities are.