For the first data leak, OPM secured credit monitoring and identity theft recovery services, at a cost of about $21 million, and in doing so followed a script of data-crisis management written and rehearsed with increasing frequency in recent months by companies such as Anthem Inc., Target Corp. and Home Depot Inc.
With news of the second data breach, OPM is under increasing pressure from lawmakers to control the damage as much as possible. That decision could be both costly to taxpayers and a financial windfall for one or more credit-monitoring firms.
Unlike the private sector, the government agency is bound by federal statute to recompense victims of an unauthorized release of data. But OPM will have to decide on questions such as how long to protect victims and what services to offer.
The deal OPM struck with Winvale Group, a government services company, grants $1 million in protection and credit monitoring for 18 months from subcontractor CSID, an Austin, Texas-based identity protection company.
But that applies only to the current, former and potential employees caught up in the breach announced on June 4, the one affecting 4.2 million Americans, not the separate but related breach announced by OPM this month that pertains to 19.7 million people.
That leaves the agency seeking a solution for more than five times as many breach victims as it has so far accounted for, potentially for a much longer time span.
OPM spokesman Mark Jacobson said in a phone interview Thursday that the agency is “working to find an appropriate mechanism” to provide credit monitoring for the 19.7 million victims. He said that effort involves collaboration with the Department of Defense, and that “there’s been no request for proposals” from potential contractors to implement that coverage.
Lawmakers on Capitol Hill, particularly from government-employee heavy Maryland, Virginia and the District of Columbia, already know what kind of coverage they want for their constituents affected by the hacks.
Sen. Ben Cardin (D-Md.) last week introduced S. 1746, a measure that would require lifetime credit monitoring and $5 million in identity theft insurance for all victims of the recent pair of hacks – 21.5 million people at OPM’s final count. The measure’s four cosponsors – all Democrats – come from Maryland, Virginia and New Mexico.
Del. Eleanor Holmes Norton (D-D.C.) introduced a companion measure, H.R. 3029, the next day in the House. Six of the eight cosponsors are Maryland Democrats; the other two are Virginia Democrats.
The Senate measure is awaiting a hearing in the Senate Homeland Security and Governmental Affairs Committee, according to Sue Walitsky, a spokeswoman for Cardin.
Walitsky said in an interview Thursday that they are still trying to get estimates for the cost of implementing the bill, and that any tweaks made in this preliminary phase may have effects on that number.
When asked Thursday how many people are expected to use the eventual credit-monitoring services, OPM’s Jacobson said, “We don’t know what the total amount will be.”
Walitsky said the lifetime credit monitoring would be extended to everyone affected by the breaches, not just the estimated 21.5 million who have been subject to government background checks in the last 15 years.
“If your name and your Social Security number was on a form that someone else was submitting on a form for their security clearance, you would be covered,” she said.
The National Treasury Employees Union, which represents 150,000 federal employees, and the American Federation of Government Employees with its 650,000 members have signaled their support for both bills. Each union is suing OPM for damages related to the breach.
NTEU has also called for credit monitoring to be extended to all government employees, and OPM has signaled it would work with stakeholders to determine what type of lifetime protection it could offer federal workers.
OPM’s preparedness for dealing with the fallout of the breaches has also drawn criticism for security experts.
Tim Rohrbaugh, head of product at identity protection firm Identity Guard, a division of Intersections Inc., said that agencies should already have a contingency plan mapped out before a breach actually happens.
“Best practice is you strike a relationship with a company that’s basically on retainer,” he said.
As data breaches rise in profile and frequency, an industry has arisen to provide victims with a suite of services, from dark web monitoring to handholding for people whose identity has been stolen.
“We’re bullish on the industry as a whole,” Rohrbaugh said.
But firms vary in how prepared they are to take advantage of those services.
“It’s all over the map,” said Neal O’Farrell, a cybersecurity consultant who has advised dozens of firms and national governments about identity theft issues. On the one hand, he said, “you have the clever, responsible, smart companies who assume in advance that at some point they’re going to be the victim of a data breach.”
O’Farrell said OPM doesn’t appear to have fallen into that category.
“There’s the other end of the spectrum, which is the OPM debacle, which is, ‘Let’s stick a pin in the map and hope for the best,’” said O’Farrell.
Far from having a pre-designated provider, OPM settled on a contractor in less than a week, shorter than the industry standard.
“Typically that’s not a very long period of time for the types of bidders who have experience in this area to know it’s out there to respond,” said Mary Karen Wills, a government contracting specialist with consulting firm Berkeley Research Group LLC, headquartered in Emeryville, Calif.
She added that in a rush, agencies can consult a General Services Administration list of contractors that have offered similar services in the past.
Neither Winvale nor CSID is on GSA’s list of contractors in the “data breach analysis” category, which includes credit monitoring.
“OPM said they did the due diligence, but in the same breath said it took us less than a week,” O’Farrell said. “That’s not due diligence.”
That puts OPM in a pinch if it hopes to build out credit services for employees, particularly if it wants to craft a lifetime protection plan, a move that could require looking for new contractors every few years, Rohrbaugh said.
“I have never heard of anybody structuring a deal with credit bureaus for a lifetime,” he said. “Longest run you’ve got is two to four years.”
Amir Nasr contributed to this report.