Feckless OPM Part II

Paul Rosenzweig
Wednesday, January 13, 2016, 4:00 PM

Published by The Lawfare Institute
in Cooperation With
Brookings

Jack's depressing experience with OPM has prompted me to share my own sad tale. Like Jack, I too got a condolence letter from the Acting Director of OPM. I noted, too, that she shared my frustration and concern. Frankly my concern was not ameliorated by the fact that one year on from the incident she was still an "Acting" Director and that no permanent replacement had been found. Of course, I doubt anyone would want that job (I sure wouldn't) but still ....

Unlike Jack, however, I decided to go through with the registration for the data security protection. My reasoning was that it seemed pretty silly to treat as confidential data (like my SSN) that was already out in the wild -- especially if doing so got me more protection. So I went ahead with the process.

I have to tell you that it did not inspire any great confidence. For one thing, after I gave over identifying data, the web site where I was registering flipped me over to an identity verification module. In theory this is a good thing -- the module will use confidential records to make sure that the registrant really is who he says he is. It may, for example, use a historical phone record database to ask you which of these four phone numbers is one that you've been associated with in the past. If one of them is an old number from when I lived in San Diego that strikes a chord and the other three are gibberish, then the functionality works. I pick the San Diego number and that helps to verify that I am who I am.

What absolutely blew my mind, however, was the quality of the identification module that OPM selected. Here is the actual content of a question I was asked:

Which of these types of cars is a car that you have previously owned or registered:

A. Ferrari Testarossa

B. Tesla Model S

C. Honda Civic

D. Jaguar XJ

I am not making this up. Three cars well beyond my price range and a fourth that anyone would pick even if they didn't know me from a hole in the wall. [I confess I've changed that one to "Honda Civic" from its actual entry since I don't want to salt the world with even more data about me than already exists -- but it was, I assure you, a completely comparable choice.] The remainder of the questions were equally problematic -- all had only a single real answer. Sigh ...

And then, of course, there was the data security program itself. I now have three of them (this one and ones from Home Depot and Target) and not a single one of them has ever alerted. I suppose that is a good thing, but I don't know what I don't know ... and sometimes I wonder if I am fortunate or just getting crummy service.

Overall, "feckless" is a good way to describe it ....


Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.
