Audit: OPM Offered Duplicate ID Protection Services
GAO Says OPM Lacks Guidelines for Determining Whether to Offer Breach Victims Services
The U.S. Office of Personnel Management may not be getting the best bang for its buck on its investment in identity protection services provided to federal government employees who have been victims of data breaches, according to a congressional audit.
The Government Accountability Office audit - titled Identity Theft Services: Services Offer Some Benefits But Are Limited in Preventing Fraud - points out that the OPM provided duplicate identity protection services for about 3.6 million people affected by both of its 2015 breaches. And the Office of Management and Budget - which issues IT security guidance to federal agencies - has not explored options to help federal agencies avoid potentially wasteful duplication, according to the report.
In early 2015, OPM discovered a breach of the personnel data of 4.2 million current and former federal employees. In June 2015, OPM then uncovered an apparently related hack that exposed the personal information of 21.5 million individuals, many with security clearances. The two breaches are believed to have emanated from China.
The lack of a plan for how to provide identity protection services led to the duplication of services, GAO says.
"OPM didn't have policies and procedures in place to dictate how to offer the services or to decide whether or not to offer the services, and there was no assessment of effectiveness when they did it, and they didn't document how they made a decision," Lawrance Evans Jr., GAO director of financial markets and community investment, said in a GAO podcast interview.
Evans expressed sympathy for OPM decision makers having to make a quick decision on offering employees identity protection services. "It's difficult to Monday-morning quarterback," Evans said in the interview. "It was an unprecedented situation for OPM. They had to make a decision fast. But one can go back, and start to ask why other alternatives were offered, and that's where it gets pretty tricky. And, because there was no documentation on the decision-making, it's left to speculation."
Contrary to key operational practices previously identified by GAO, auditors say OPM's data breach response policy does not include criteria or procedures to determine when to offer identity protection services. Also, OPM has not always documented how it chose to offer the services in response to past breaches, which could hinder informed decision making in the future.
After revelation of both breaches, Congress enacted legislation to offer identity protection services to victims for 10 years, including $5 million in identity theft insurance. "However, this level of insurance coverage is likely unnecessary because claims paid rarely exceed a few thousand dollars," Evans said. "Requirements such as this could serve to increase federal costs unnecessarily, mislead consumers about the benefit of such insurance coverage and create unwarranted escalation of coverage amounts in the marketplace."
In June 2015, OPM awarded a contract for identity protection services to the Winvale Group to cover the 4.2 million people affected by its personnel records breach.
Three months later, the Defense Department's Naval Sea Systems Command, acting on behalf of OPM, awarded a second contract to ID Experts, which covered the 21.5 million people affected by the second breach of background investigation data. Some individuals were victims of both breaches.
OPM told GAO that the duplicate services offered to about 3.6 million affected individuals overlapped by more than a year, from Sept. 1, 2015, to Dec. 1, 2016. Through last Nov. 22, OPM was obligated to pay $28.9 million to Winvale and $209.1 million to ID Experts.
The duplication ended on Dec. 1, when the Winvale contract expired. Before that contract expired, OPM had modified both contracts to reduce duplication related to identity protection coverage. That left 600,000 people without ID protection services, and OPM awarded a new contract to ID Experts to provide them with services.
According to the GAO report, the contracts included three-bureau credit monitoring; access to an initial credit report and identity monitoring, provided through the same subcontractor; as well as identity theft insurance and identity restoration services. Those affected by the breaches must enroll with the companies to receive credit and identity monitoring, but they receive the insurance and access to restoration services whether or not they enroll.
GAO recommended that OPM adopt procedures for how to assess whether it wants to offer identity protection services. Acting OPM Director Kathleen McGettigan concurred with the recommendation, saying OPM is updating its breach response plan to assess the risk of harm to individuals affected by a breach to determine how best to mitigate the damage, including what identity protection services to offer. That assessment should be completed in July, McGettigan said.