
OPM skirted agency norms in assessing the privacy of its new email system

Anonymous federal employees filed a lawsuit alleging that the new email system could be placing their sensitive personal information at risk.

Just over a week into the new Trump administration, the government’s HR agency used a new government-wide email system to contact the federal workforce en masse to offer them a legally dubious delayed-resignation package.

Anonymous feds have already sued, alleging that the Office of Personnel Management violated the law by not publishing a privacy impact assessment before deploying the new system, leaving sensitive data about federal employees potentially vulnerable. 

Although OPM argued in its own legal filing that this assessment wasn't necessary, the agency simultaneously released one for the government-wide email system last week. But the document looks different from the PIAs the agency typically issues, potentially raising further questions.

PIAs are required by the E-Government Act of 2002 to analyze how agencies collect and protect personally identifiable information in federal systems.

All of OPM's other public PIAs — over 30 of them — are signed by the agency's chief privacy officer or OPM's senior agency official for privacy.

The PIA released last week is signed by OPM’s new chief information officer, Greg Hogan, who was quickly installed after the new Trump administration pushed Melvin Brown II, a career federal employee, out of the personnel agency’s CIO role. 

Hogan is a political appointee who told OPM staff that, although he’s done cloud and data work, he’s never worked in government and has no executive or people management experience, according to two OPM employees, who spoke to Nextgov/FCW on background as they weren’t authorized to speak on the record. Hogan formerly worked at Comma.ai, which makes driver assistance tech to make cars semi-autonomous. 

OPM didn't respond to a request for comment on Hogan's background. Nextgov/FCW spoke to several current OPM employees who were granted anonymity to be candid about the happenings at the agency.

The PIA lists Riccardo Biasini — a Comma.ai alum who more recently worked at Musk’s Boring Company — as a senior advisor at OPM and the point of contact. 

The agency has asked at least one career federal employee to sign the PIA, but that person has so far refused, according to two current OPM employees not authorized to speak on the record. 

An OPM spokesperson, however, said that no career employee was asked to sign the PIA.

Questions remain about where the data from the new email system is being stored and how well it is protected, two of the OPM employees told Nextgov/FCW.

Under guidance from the Office of Management and Budget, agencies are supposed to have a senior agency privacy official sign PIAs, although the guidance leaves agencies discretion as to who is designated as that official, according to Marisol Cruz Cain, a director for IT and cyber at the Government Accountability Office.

Things like the official designated to sign PIAs can change when administrations change, but it’s not clear why OPM changed the signing official or why it did a PIA in the first place, if it’s arguing that one isn’t needed, she said.

“It’s standard for the CPO to review these, but a PIA can be signed by a CPO or CIO,” OPM’s spokesperson told Nextgov/FCW in a statement.

OPM’s current chief privacy officer is Kirsten Moncada, a longtime federal privacy expert. 

“What we as federal privacy professionals really see our work being is about ensuring trust in government, preserving the trust of the people we serve,” she previously told Federal News Network of her job early last year.

“When a non-normal reviewer is listed on a document like this, there's probably a reason,” John Davisson, senior counsel and director of litigation at the Electronic Privacy Information Center, told Nextgov/FCW, noting that it may likely be because “they're circumventing the normal processes.”

There’s a perception among some that the document was rubber-stamped by a yes-man, said one of the current employees.

“Why don’t we do it legitimately and have the privacy officer just sign it?” asked another. “If you’ve done it the right way, there’s no reason not to follow the protocols.”

The odd PIA is emblematic of a breakdown of normal process and procedure in the agency, that employee said.

OPM was among the first agencies to be visited by billionaire Elon Musk and the Department of Government Efficiency. Amanda Scales, a former employee of Musk’s AI company, now serves as the agency’s chief of staff.

“These are just bureaucratic things that are in the way,” one of the OPM employees said of the DOGE mindset toward standard agency procedures.

One of the current employees told Nextgov/FCW that the public PIA looks incomplete and out of the norm when compared to a typical PIA. Even the fact that OPM is collecting responses from feds directly departs from the standard practice of having individual agencies collect that information, they said.

The agency has also recently seen a slew of departures. In addition to the exit of the agency’s former, sidelined CIO, the agency’s CFO, Erica Roach, resigned last week after being offered a new position that would’ve been a demotion, CNN reported.

“People are just done,” said one of the current OPM employees. “If you don’t need us, we’re leaving. That is the mood.”

The agency's chief technology officer, Al Himler, has also posted on his LinkedIn that "After an incredible journey as [OPM's CTO]... I am excited to announce that I am seeking new opportunities."

People are leaving “in droves,” another current OPM employee told Nextgov/FCW. “Beyond the personal disappointment, we all are feeling how deeply challenging it will ever be to rebuild from this moment.”

The email system — which was introduced at the start of the Trump administration, as OPM hasn’t historically had the capacity to send out government-wide emails — is accessible only to a “handful” of employees overseen by Hogan, the PIA says.

The assessment also says that “the system operates entirely on government computers and in Microsoft mailboxes.” 

OPM built the system using information from key personnel record systems called the Enterprise Human Resources Integration and Official Personnel Folder, the PIA states. Access to these sensitive systems has since reportedly been cut off for some DOGE agents.

The PIA asserts that the new email system is only collecting the names and email addresses of feds, as well as their responses to the mass emails, which are stored "in secure mailboxes or on government computers requiring PIV access."

The agency also says that the Office 365 mailbox has an authority to operate, with a system security plan.

But Davisson noted that any vulnerabilities in the system could potentially lead to personal information being breached or hacked. Information can also be sold to further identity theft, and, for government employees, it could be used for blackmail or to facilitate stalking or harassment if it was ever exfiltrated outside OPM. 

The agency is no stranger to these risks. It suffered a massive data breach that was uncovered in 2015, in which bad actors obtained personnel information on millions of current and former feds, as well as on their friends and family members.