The magnitude of the OPM hacking just keeps growing — the original estimate of 4+ million records has now been upped to over 20 million records. Could this breach get even worse?  Let’s hope not but there is one potential future issue that could do so.  It’s a thorny issue that the OPM officials who contracted with CSID for its’ security services might not have even contemplated.

Here’s the issue.  It’s become fairly standard for a company’s Privacy Policy to include a statement about the sale of some or all of its assets in the case of a merger, acquisition or any type of sale to a third party.

Unfortunately for consumers, their personal information is considered an asset which the company might disclose or sell or transfer to the third party buyer in such an event. The CSID Privacy Policy contains just this type of provision in the section titled “Do We Disclose or Share Your Information?”  CSID says it won’t sell or share personal information with third parties for promotional or marketing purposes.

However, it clearly says that personal information held by CSID “…will be among the assets transferred to the buyer [.]” “… in the event of a merger, acquisition or any form of sale of some or all our assets ….” I doubt anyone at OPM thought to get this clause modified in their contract with CSID.

It would be terrible if, under some future scenario, CSID would be able to transfer the personal information of millions and millions of individuals whose information CSID is supposed to be protecting due to the OPM hacking.