OPM may have overestimated cost of ID theft services for cyber breach victims

The Office of Personnel Management may have paid too much for identity theft and credit monitoring services for victims of the two 2015 cyber breaches.

The Government Accountability Office questioned whether the requirement that OPM provide victims of the 2015 breaches with no less than $5 million in identity theft insurance for at least 10 years is too much.

“Many identity theft service providers with whom we spoke acknowledged that identity theft insurance is of limited value to a consumer and that it was hard to imagine covered losses approaching the $1 million limit,” GAO said in a recent report. “Nearly all the providers with whom we spoke said it was not necessary to increase the insurance coverage beyond $1 million.”

OPM is required by law to provide identity protection services for breach victims through at least Dec. 18, 2025.

But GAO is concerned that the high-dollar amount associated with the insurance coverage gives victims the wrong impression of what will be covered.

“The scope of items covered by identity theft insurance is generally limited to out-of-pocket expenses that are typically modest,” GAO said.

Though the $5 million coverage level doesn’t seem to burden the government substantially with additional costs, GAO is worried about the future.

“Any resulting future costs that may result from the increase in insurance coverage to $5 million may not be aligned with goals identified by both Congress and the administration to reduce unnecessary spending, given that there does not seem to be a corresponding benefit to such coverage,” GAO said.

OPM has little documentation detailing how and why it decided to offer the services that it did during the aftermath of the 2015 cyber breaches, and many of the employees who made those decisions have since left the agency, GAO said.

“The current officials told us that they could not find any formal documentation related to the decision to offer identity theft services or the process leading up to this decision,” GAO said. “Agency officials told us these decisions were likely not documented because they were made during a crisis, under intense pressure and were principally the subject of oral discussions during meetings.”

OPM offered “duplicative services” to roughly 3.6 million victims affected by both cyber breaches, according to the agency’s estimate.

The agency contracted with two vendors to provide credit monitoring and identity protection services: Winvale/CSID, which the agency hastily awarded after news of the first cyber breach of personnel records broke, and ID Experts, which OPM offered to the victims of the second breach of background investigation information.

The Winvale contract covered the 4.2 million victims of the first breach, while ID Experts covered the 21.5 million individuals impacted by the second.

Advertisement

But OPM doesn’t have data that shows how many people actually enrolled for both services.

“An official from the Naval Sea Systems Command said that recording such information is not something that an agency would typically do, or have readily available, because it would require cross referencing two lists for each of the breach contracts,” GAO said.

Duplicative services overlapped between the two groups of victims for a little more than a year, according to OPM. Individuals impacted by both breaches had the ability to receive both services from Sept. 1, 2015 through Dec. 1, 2016, when OPM’s contract with Winvale expired and the agency awarded a new one with ID Experts for all victims.

The agency said such duplication shouldn’t continue for victims impacted by the 2015 breaches. Current contracts with ID Experts expire Dec. 31, 2018. In October, OPM said it was working with the General Services Administration to determine the best procurement strategy for these services going forward through 2025.

OPM isn’t alone; GAO said other agencies have offered duplicative identity protection services to breach victims in the past.

But better planning could have prevented OPM from extending duplicative identity theft and credit monitoring services in the first place, GAO said.

The Office of Management and Budget requires all agencies to make plans for detecting, reporting and responding to cyber breaches under the Federal Security Modernization Act (FISMA) of 2014.

January 2017 guidance from OMB tells agencies hows to prepare for and respond to breaches where personally identifiable information is involved, but it doesn’t give them criteria or parameters for when they should offer identity theft protection to impacted individuals.

And the guidance that agencies do have doesn’t give them enough information to determine whether identity theft service options — credit monitoring, identity monitoring, identity restoration and insurance — would be a good fit for the size, scope and population involved in the cyber incident.

“The guidance may not fully reflect the most useful and cost effective options agencies should consider in response to a breach,” GAO said.

OMB doesn’t require each agency to have its own policy for determining when to offer identity theft services. Some agencies, like the Homeland Security Department, IRS and Veterans Affairs Department, have their own policies and standard packages of services that they offer to victims if a breach does occur.

OPM didn’t have such a plan in 2015.

If it did, OPM could have avoided the duplication — and the headaches it endured when members of Congress and its inspector general criticized the strategy, timing and unusual procurement method for its first contract award with Winvale.

But more than a year after OPM first disclosed the two breaches and offered credit monitoring and identity theft services to 21 million victims, the agency does not have a written policy on when it should offer those services in the future.

OPM said it’s in the process of drafting a new policy on identity theft services, but it’s waiting for OMB to finalize its own guidelines on this issue before finalizing an agency-specific plan.

“Without a policy on when to provide identity theft services, OPM risks having to continue to make such determinations under time pressure and without guidance hindering informed decision making on the appropriate services, if any, to offer individuals affected by a breach,” GAO said.