Feds Expect to Spend at Least $500 Million on the Next Five Years of Data Breaches

The government is preparing to hire contractors to deal with future breaches.

The Office of Personnel Management is teaming up with the Department of Defense to find a contractor to notify the 21.5 million people affected by the latest data breach at OPM.
National Journal
Kaveh Waddell
Aug. 13, 2015, 1 a.m.

The federal government is owning up to the modern-day reality that data breaches, no matter the quality of cyberdefenses in place, are inevitable.

With an eye to future hacks, the government is searching for contractors to keep on call — and it’s prepared to pay at least half a billion over the next five years to manage post-breach cleanup.

A pair of breaches at the Office of Personnel Management last year affected millions of current, former, and prospective federal employees and their families, and demonstrated the federal government’s need to quickly deal with a recurring problem.

After the first breach, which was announced in June, OPM signed a contract with a company called CSID to notify the affected individuals and provide them with identity-protection services. But when a second breach turned out to be more than five times larger in magnitude, the government decided it needed to take a different approach.

Instead of offering another one-off contract, the government is currently soliciting bids for “government-wide identity monitoring data breach response and protection services.”

Those services will include everything from basic credit reporting to in-depth identity monitoring — which involves keeping an eye on sketchy corners of the Internet and court records for a victim’s name, address, and Social Security number — as well as identity-theft insurance and a program that helps restore a victim’s identity in case of fraud.

“It signals an end to the ‘It will never happen here because we have good IT teams’ syndrome,” said Costis Toregas, associate director of the Cyber Security Policy and Research Institute at George Washington University.

The General Services Administration, with the help of the Department of Defense, is looking to enter into a five-year “blanket purchase agreement” with multiple contractors. That would allow the government to keep a group of response teams on call for when the data breach hits, and have an agreed-upon pricing structure already in place for when services are needed quickly. The contract winners’ services would be available to all federal agencies.

But while the decision to take on the more complex process is an apparent effort to keep the government from having to scramble after it’s hit with the next big data breach, it comes with some short-term drawbacks.

For one, developing the requirements for the contract took the government many weeks after the scope of the second breach was announced in July, delaying the notification process for the 21.5 million people it affected.

Although the five-year agreement will include multiple contractors, only one will be chosen to deal with the fallout of the most recent OPM data breach. That contractor will have 12 weeks from the date of the award — likely Aug. 21 — to send the millions of notifications, and will offer identity-protection services to the affected individuals at no cost to them. (Bids are due at 8 p.m. on Friday.)

The identity-protection services will last for three years, and will also be available to affected individuals’ dependent minor children, adding 6.4 million to the total number of individuals eligible for service.

Compared to the first round of notifications, which began to go out just days after the agency announced the first breach, the second round of notifications is significantly delayed. The late-August contract award means that by the time notifications begin to be sent, more than a month and a half will have passed since the second breach was announced in July.

Further, the five-year agreement will not be cheap. The government estimates the contract is worth $500 million, but stipulated that its estimate is “not a ceiling” and that the total cost could “exceed this amount without modification to the [contract].”

That’s compared to the roughly $20 million cost of sending more than 4 million notifications and covering approximately 1 million individuals who signed up for identity-protection services after the first data breach. Acting OPM Director Beth Cobert asked federal agencies last month to pitch in to help fund the cost of the services.

The personnel agency was criticized after its first data breach for how its contractor, CSID, handled the notification and sign-up process. Notification emails and letters arrived in fits and starts, and lawmakers complained that their constituents were subjected to long wait times when they called in to a public hotline for more information.

In a media blitz after the first round of notifications was complete, CSID President Joe Ross told the press many of the problems his company ran into were really the government’s fault. He said the long call-center wait times, for example, were the result of a decision to make the hotline public, which inundated representatives with calls from people worried they had been affected by the hack.

The new contract — which was developed by a task force staffed by representatives from OPM, DOD, GSA, the Office of Management and Budget, the Department of Homeland Security, and the Federal Trade Commission — specifically requires that contractors’ call-center wait times not exceed an average of 10 minutes.

And because several legislative proposals have been put forward that would lengthen the terms of breach-response services or increase the amount of identity-fraud insurance offered to affected individuals, the request for bids was designed with the flexibility to “accommodate legislative or other changes,” according to an addendum with answers to frequently asked questions.

But simply having a system in place to easily provide breach victims with monitoring and protection is not enough, Toregas said in an email.

“We need to take seriously the almost total lack of awareness of cyber threats and good cyber hygiene, and organize (sadly after the fact) a way to bring some awareness and knowledge to the American public,” he wrote.
