Bids are due Friday on a government contract to notify and protect the 21.5 million people whose data was compromised in a catastrophic breach of the federal government's security-clearance database.
The contract is part of at least $500 million the government is planning to spend on the fallout from past and future hacks. The goal is to have several fraud protection firms at the ready for swifter responses to future cyberattacks.
But the immediate focus will be on the identity theft monitoring firm tapped to reach out to the victims of the recent breach at the Office of Personnel Management (OPM). It was the second of two breaches at the agency.
The firm will be under close scrutiny after federal workers and lawmakers took issue with credit monitoring firm CSID's handling of the first OPM data breach, which compromised roughly 4.2 million federal workers' personnel files.
Workers complained of website crashes and multi-hour waits on the phone to get basic information about whether they were affected and how to sign up for the 18 months of complimentary credit monitoring services.
This time around, the credit monitoring firm will have to handle more than five times as many people, who will be seeking complimentary fraud-protection services for up to three years.
The second breach also hit a security clearance database containing some of the most detailed background investigation files held by the government. The exhaustive forms include details on sexual indiscretions, drug and alcohol abuse and financial history. The wealth of information could make it more difficult to monitor all possible nefarious uses of the data.
It’s believed that China pilfered the information as part of a broad cyber-espionage scheme to build a comprehensive database on U.S. government workers.
The firm will also be under a time crunch.
With the delay in awarding the contract, the company likely won’t even start notifying the affected individuals until nearly two months after the OPM revealed the final tally for the second breach.
According to the contract, the company will have 12 weeks to notify the victims, which means some might not find out their data was taken until November.
Within two weeks, the firm will need to be able to start offering fraud monitoring services to those affected, as well as their children. The government estimates roughly 6.4 million children will be eligible for fraud monitoring services.
All this means the contract will not be cheap.
The OPM spent over $20 million for CSID to cover the first breach. The agency has already informed other agencies it expects them to kick in for the second breach.
“Given the limited resources available to OPM at this time to deal with a contract of this size, agencies will be asked to contribute FY 2015 funding to cover the first full year’s costs of credit monitoring and related services/benefits for the second incident involving 21.5M individuals,” said an email that Beth Cobert, OPM acting director, sent to other agencies, according to multiple reports.
The OPM will also raise its fees for security clearance services over the next two years to help cover the three years of credit monitoring services.
The ultimate total for the second contract should be determined when the contract is awarded, by Aug. 21.