OPM Takes Steps Toward Finding a Contractor to Notify Hack Victims

An information request put out to interested companies indicated a mid-August contract award is the “best case.”

The Office of Personnel Management is teaming up with the Department of Defense to find a contractor to notify the 21.5 million people affected by the latest data breach at OPM.
National Journal
Kaveh Waddell
Add to Briefcase
See more stories about...
Kaveh Waddell
July 22, 2015, 4:21 a.m.

Nearly two weeks after an­noun­cing that more than 21.5 mil­lion people had their in­form­a­tion hacked from gov­ern­ment serv­ers, the Obama ad­min­is­tra­tion is mov­ing to hire a con­tract­or to no­ti­fy and provide iden­tity-fraud-pro­tec­tion ser­vices to af­fected in­di­vidu­als.

But it won’t be un­til at least mid-Au­gust un­til one is hired.

The Of­fice of Per­son­nel Man­age­ment, which was hit last year by a massive hack that of­fi­cials have privately linked to China, is work­ing with the De­fense De­part­ment to find a con­tract­or to no­ti­fy the af­fected in­di­vidu­als and provide them with iden­tity-fraud-pro­tec­tion ser­vices, ac­cord­ing to an OPM spokes­per­son.

CSID, the con­tract­or that provided those ser­vices to the 4.2 mil­lion em­ploy­ees af­fected by the smal­ler data breach an­nounced in June and was heav­ily cri­ti­cized for how it handled the pro­cess, will face com­pet­i­tion for the new con­tract from Life­Lock and oth­er large fraud-pro­tec­tion ser­vices. They will be vy­ing to provide ser­vices at a scale five times the pre­vi­ous breach — 21.5 mil­lion in­di­vidu­als will need to be no­ti­fied and pro­tec­ted.

OPM has prom­ised at least three years of cred­it-mon­it­or­ing and iden­tity-theft pro­tec­tion to the af­fected people.

In the first form­al step to­ward se­cur­ing a con­tract­or, the Gen­er­al Ser­vices Ad­min­is­tra­tion on Thursday put out a re­quest for in­form­a­tion, no­ti­fy­ing po­ten­tial con­tract­ors about the scope of work the gov­ern­ment will ex­pect and so­li­cit­ing in­form­a­tion from the in­ter­ested com­pan­ies.

In­cluded in the re­quest was a rough time line of the con­tract­ing pro­cess. After the hope­ful com­pan­ies con­vened in a “vir­tu­al meet­ing” on Monday, re­sponses to the GSA re­quest were due by Tues­day night.

Ac­cord­ing to the pre­lim­in­ary time line, which rep­res­ents the “‘best ef­fort’ plan of ac­tion,” no con­tract will be awar­ded un­til Fri­day, Au­gust 14. No­ti­fic­a­tions would likely be­gin to go out the fol­low­ing week, at the earli­est.

The GSA re­quest did not make any men­tion of the po­ten­tial length of cov­er­age. Al­though OPM has said it will of­fer at least three years of ser­vices for free, some law­makers are push­ing to provide life­time pro­tec­tion for in­di­vidu­als af­fected by gov­ern­ment data breaches.

As CSID gears up to bid again on the second con­tract, ex­ec­ut­ives from the Aus­tin-based com­pany and its con­tract­ing part­ner, Win­vale, have spent re­cent days on a pub­lic-re­la­tions tour of Wash­ing­ton.

The cam­paign is de­signed in part to coun­ter­act the in­tense cri­ti­cism the con­tract­or re­ceived from law­makers, fed­er­al work­er uni­ons, and the press, as it dealt with the first round of no­ti­fic­a­tions and ser­vice pro­vi­sion.

Sen. Mark Warner, a Demo­crat who rep­res­ents tens of thou­sands of Vir­gin­ia-based fed­er­al work­ers, wrote a let­ter in June to CSID with com­plaints from Vir­gini­ans who en­countered three-hour-long wait times at the con­tract­or’s call cen­ter or in­cor­rect in­form­a­tion on their ac­counts after they signed up.

But as CSID Pres­id­ent Joe Ross and Win­vale CEO Kev­in Lan­caster take their mes­sage to the press and mem­bers of Con­gress, they are ar­guing that the hic­cups that af­flic­ted their op­er­a­tions as they got off the ground were un­avoid­able and that many, in fact, were caused by gov­ern­ment mis­man­age­ment.

Com­plaints about wait times, for ex­ample, stemmed from a de­cision to make pub­lic the 1-800 num­ber for the call cen­ter in­ten­ded for data-breach vic­tims, Ross told Na­tion­al Journ­al Tues­day, open­ing the floodgates to a de­luge of calls from wor­ried cur­rent and former fed­er­al em­ploy­ees who did not re­ceive no­ti­fic­a­tions.

Why ex­actly the num­ber was made pub­lic was un­clear as CSID and Win­vale began their me­dia blitz. Politico re­por­ted Monday that CSID “felt com­pelled by the pub­lic in­terest” to re­lease the num­ber, but ac­cord­ing to The Wash­ing­ton Post on Monday, Ross said it was the gov­ern­ment’s de­cision to share the num­ber. Ross said Tues­day it was a com­bin­a­tion of the two.

“Were there long hold times? Yes,” said Ross Tues­day. “Was it the right thing to do? Yes.”

The crux of CSID’s pitch is that the work it did for 4.2 mil­lion could eas­ily be scaled up to ac­com­mod­ate the 21.5 mil­lion people af­fected by the breach an­nounced this month.

“The thing about this is you’ve got people hit­ting the web­site, and that’s re­peat­able. You’ve got a no­tice pro­cess — you just build a sched­ule for that. You’ve got the mail­ing houses that we util­ize, so we spread the no­ti­fic­a­tions across three mail­ing houses,” Ross said.

“So the scal­ing is pretty easy, and the main thing is we’ve de­veloped a kind of rap­port,” he con­tin­ued. “We have daily stand-ups with OPM on a daily basis, we’ve got the re­port­ing in place, so the scalab­il­ity is the key. If it was to come down to the next 21.5, it’s just that we’re po­si­tioned to scale.”

Ross trum­pets that more than 22 per­cent of the 4.2 mil­lion in­di­vidu­als who were no­ti­fied that their in­form­a­tion was com­prom­ised — that’s nearly 1 mil­lion people — have signed up for CSID’s ser­vice.

Life­Lock, one of CSID’s lar­ger com­pet­it­ors, it­self hit an obstacle Tues­day when the Fed­er­al Trade Com­mis­sion ac­cused it of vi­ol­at­ing a pre­vi­ous set­tle­ment with the agency. The com­mis­sion said Life­Lock was put­ting out false ad­vert­ising and failed to no­ti­fy pay­ing users when their iden­tit­ies were used or to pro­tect their data.

CSID — along with its com­pet­it­ors — will be giv­en a chance to prove it­self to the gov­ern­ment. Each in­ter­ested con­tract­or was giv­en un­til 8 p.m. Tues­day to sub­mit the an­swers to eight de­tailed ques­tions in the GSA’s re­quest for in­form­a­tion, which asked about the “max­im­um volume” each com­pany has pro­cessed in re­sponse to a data breach and wheth­er the com­pany could handle sign-ups from more than 20 per­cent of the 21.5 mil­lion people who were af­fected by the breach.

The re­quest also asked how each com­pany’s call-cen­ter em­ploy­ees are vet­ted, since they will need to handle sens­it­ive in­form­a­tion over the phone, and wheth­er the com­pany can meet gov­ern­ment cy­ber­se­cur­ity and data-host­ing stand­ards.

But Lan­caster, Win­vale’s CEO, said Tues­day that Win­vale and CSID did not sub­mit a re­sponse be­fore the dead­line.

What We're Following See More »
Senate Rejects Effort to Nix SALT Tax Changes
14 hours ago

"Senate Democrats on Thursday failed in their first attempt to save the state and local tax deduction, which helps many residents of California and other high-cost states reduce their federal income tax bills. The Republican-controlled Senate voted 52-47 to reject an amendment that would have prevented the Senate from considering any bill that repeals or limits the deduction as part of a planned tax overhaul."

Lewandowski Meets with Senate Intelligence Committee
19 hours ago

"President Donald Trump's former campaign manager Corey Lewandowski appeared on Capitol Hill for a closed-door interview with the Senate intelligence committee Wednesday, according to a source familiar with the matter. Lewandowski is the latest senior official in Trump's orbit who has met with the committee as part of its investigation into Russian election meddling and possible collusion with the Trump campaign."

Some Members Seek to Wrap Up Russia Investigations by Year’s End
1 days ago

"A growing number of key Republicans are sending this message to the leaders of the congressional committees investigating potential Trump campaign collusion with the Russians: Wrap it up soon. In the House and Senate, several Republicans who sit on key committees are starting to grumble that the investigations have spanned the better part of the past nine months, contending that the Democratic push to extend the investigation well into next year could amount to a fishing expedition."

Trump: Marino Withdrawing Nomination for Drug Czar
2 days ago
Doesn’t Express Confidence in Marino
Trump to Declare Opioid Emergency Next Week
3 days ago

After initially promising it in August, "President Trump said Monday that he will declare a national emergency next week to address the opioid epidemic." When asked, he also "declined to express confidence in Rep. Tom Marino (R-Pa.), his nominee for drug czar, in the wake of revelations that the lawmaker helped steer legislation making it harder to act against giant drug companies."


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.