OPM Takes Steps Toward Finding a Contractor to Notify Hack Victims

An information request put out to interested companies indicated a mid-August contract award is the “best case.”

The Office of Personnel Management is teaming up with the Department of Defense to find a contractor to notify the 21.5 million people affected by the latest data breach at OPM.
National Journal
Kaveh Waddell
July 22, 2015, 4:21 a.m.

Nearly two weeks after announcing that more than 21.5 million people had their information hacked from government servers, the Obama administration is moving to hire a contractor to notify and provide identity-fraud-protection services to affected individuals.

But it will be at least mid-August before one is hired.

The Office of Personnel Management, which was hit last year by a massive hack that officials have privately linked to China, is working with the Defense Department to find a contractor to notify the affected individuals and provide them with identity-fraud-protection services, according to an OPM spokesperson.

CSID, the contractor that provided those services to the 4.2 million employees affected by the smaller data breach announced in June and was heavily criticized for how it handled the process, will face competition for the new contract from LifeLock and other large fraud-protection services. They will be vying to provide services at a scale five times the previous breach — 21.5 million individuals will need to be notified and protected.

OPM has promised at least three years of credit-monitoring and identity-theft protection to the affected people.

In the first formal step toward securing a contractor, the General Services Administration on Thursday put out a request for information, notifying potential contractors about the scope of work the government will expect and soliciting information from the interested companies.

Included in the request was a rough timeline of the contracting process. After the hopeful companies convened in a “virtual meeting” on Monday, responses to the GSA request were due by Tuesday night.

According to the preliminary timeline, which represents the “‘best effort’ plan of action,” no contract will be awarded until Friday, August 14. Notifications would likely begin to go out the following week, at the earliest.

The GSA request did not make any mention of the potential length of coverage. Although OPM has said it will offer at least three years of services for free, some lawmakers are pushing to provide lifetime protection for individuals affected by government data breaches.

As CSID gears up to bid again on the second contract, executives from the Austin-based company and its contracting partner, Winvale, have spent recent days on a public-relations tour of Washington.

The campaign is designed in part to counteract the intense criticism the contractor received from lawmakers, federal worker unions, and the press, as it dealt with the first round of notifications and service provision.

Sen. Mark Warner, a Democrat who represents tens of thousands of Virginia-based federal workers, wrote a letter in June to CSID with complaints from Virginians who encountered three-hour-long wait times at the contractor’s call center or incorrect information on their accounts after they signed up.

But as CSID President Joe Ross and Winvale CEO Kevin Lancaster take their message to the press and members of Congress, they are arguing that the hiccups that afflicted their operations as they got off the ground were unavoidable and that many, in fact, were caused by government mismanagement.

Complaints about wait times, for example, stemmed from a decision to make public the 1-800 number for the call center intended for data-breach victims, Ross told National Journal Tuesday, opening the floodgates to a deluge of calls from worried current and former federal employees who did not receive notifications.

Why exactly the number was made public was unclear as CSID and Winvale began their media blitz. Politico reported Monday that CSID “felt compelled by the public interest” to release the number, but according to The Washington Post on Monday, Ross said it was the government’s decision to share the number. Ross said Tuesday it was a combination of the two.

“Were there long hold times? Yes,” said Ross Tuesday. “Was it the right thing to do? Yes.”

The crux of CSID’s pitch is that the work it did for 4.2 million could easily be scaled up to accommodate the 21.5 million people affected by the breach announced this month.

“The thing about this is you’ve got people hitting the website, and that’s repeatable. You’ve got a notice process — you just build a schedule for that. You’ve got the mailing houses that we utilize, so we spread the notifications across three mailing houses,” Ross said.

“So the scaling is pretty easy, and the main thing is we’ve developed a kind of rapport,” he continued. “We have daily stand-ups with OPM on a daily basis, we’ve got the reporting in place, so the scalability is the key. If it was to come down to the next 21.5, it’s just that we’re positioned to scale.”

Ross trumpets that more than 22 percent of the 4.2 million individuals who were notified that their information was compromised — that’s nearly 1 million people — have signed up for CSID’s service.

LifeLock, one of CSID’s larger competitors, itself hit an obstacle Tuesday when the Federal Trade Commission accused it of violating a previous settlement with the agency. The commission said LifeLock was putting out false advertising and failed to notify paying users when their identities were used or to protect their data.

CSID — along with its competitors — will be given a chance to prove itself to the government. Each interested contractor was given until 8 p.m. Tuesday to submit the answers to eight detailed questions in the GSA’s request for information, which asked about the “maximum volume” each company has processed in response to a data breach and whether the company could handle sign-ups from more than 20 percent of the 21.5 million people who were affected by the breach.

The request also asked how each company’s call-center employees are vetted, since they will need to handle sensitive information over the phone, and whether the company can meet government cybersecurity and data-hosting standards.

But Lancaster, Winvale’s CEO, said Tuesday that Winvale and CSID did not submit a response before the deadline.
