The Defense Department and Office of Personnel Management, in conjunction with the General Services Administration, on Tuesday awarded a $133.3 million contract to Identity Theft Guard Solutions LLC to provide protection services to 21.5 million OPM hack victims.
The contract covers the first year of three years of ID theft protection OPM has promised; exercising additional option years on the contract will bring the total value to $329.8 million.
Naval Sea Systems Command led the effort to select the vendor, which does business as ID Experts. The company won the first task order of a larger Blanket Purchase Agreement that preapproved three contractors -- including ID Experts -- to provide protection services in the event that agencies experience future data breaches. GSA expects those contracts to be worth $500 million over the next five years.
In a major shift since an earlier hack at OPM exposed the personnel files of 4.2 million current and former federal employees, the Defense Department -- rather than the contractor -- will be responsible for notifying victims that their background investigation information was breached. The Pentagon will cover the vast majority of the contract cost.
Beth Cobert, acting OPM director, said on Tuesday those notifications will not go out until the “end of the month.”
All the notifications will come from .gov or .mil email addresses. The notifications from the last hack were sent out by the contractor CSID, and the non-government address that showed up in feds’ inboxes created security concerns among many of the victims.
NAVSEA said in the original contract it may take up to three months to send out all the notifications. Cobert said they will be sent out “as expeditiously as possible.”
The contract award has already been delayed several times. The last notifications will go out four months from the time breach details were made public, five months from the time OPM became aware of the hack and 17 months since the hackers first infiltrated the data. Cobert blame the delays on the painstaking efforts the government took to identify all victims and protect their information going forward.
Regardless of whether impacted individuals proactively sign up for the protections, ID Experts will provide them with identity theft insurance and restoration services. Hack victims will have to sign up -- at no personal cost -- for the other services the government is offering to them.
As part of that suite of services for victims -- who includes former and current federal employees, contractors, applicants and family members -- ID Experts will provide identity theft monitoring for dependent minors of hack victims. NAVSEA estimated this could include up to 6.3 million children. Even if the dependents’ names were not listed on the SF-86 form at the center of the breach, the family impacted by the breach could opt to enroll children in the services.
Nearly one in four victims of the initial hack involving OPM’s personnel files of current and former federal employees enrolled in the services offered to them by CSID. If that ratio holds for the larger second hack, as GSA and OPM have speculated it could, ID Experts could be on the hook for providing protection services to nearly 7 million individuals.
Those services will include:
- Credit monitoring and the delivery of credit reports from all three nationwide credit agencies;
- Identity monitoring, including but not limited to “monitoring of the Internet and monitoring database sources including criminal records, arrest records, bookings, court records, pay day loan, bank accounts, check databases, sex offender, change of address, and Social Security number trace;”
- And identity restoration, to assist the individuals in getting back to where they were prior to the identity theft, with services including “counseling, investigation, and resolving identity theft issues.”
ID Experts will also have to establish call centers that operate 24 hours per day, seven days per week for the first six months following the award. Subsequently and until the end of the contract -- through December 31, 2018 -- the call center must be open 5 a.m. through 5 p.m. Pacific Time, Monday through Saturday.
The call center was a major point of contention in the first breach, when CSID fielded numerous complaints from lawmakers and federal employee advocates that wait times were too long and customer service was poor. This contract will require ID Experts to have an automated response that allows callers to verify their identities using a touchtone device.
This story was updated to explain the contract's total value of $329.8 million over three years.