Way More Feds Signed Up for Post-Hack Protections Than Anyone Anticipated

The contractor chosen by the Office of Personnel Management to provide protection services to victims of the initial breach of personnel files maintained by the agency took a lot of heat for its perceived customer service, though it may have actually altered the industry standard for performance.

Prior the hack of OPM data, which exposed the personal information of 4.2 million former and current federal employees, organizations affected by large-scale breaches saw between 3 percent and 5 percent of victims opt into the free credit monitoring and other services they offered. CSID, the company OPM selected to provide credit and identity theft protection to the hack victims, saw about 22 percent of the hack victims enroll into its services.

Even those who did not proactively enroll will automatically receive identity restoration services, an OPM spokesman said, meaning if their information is used for nefarious purposes they will automatically get help restoring their credit and with the resulting legal process.

About 960,000 individuals signed up for CSID’s services, the OPM spokesman said. In a recent breach of data maintained by the Texas comptroller’s office, just 3 percent of the 3.5 million individuals affected accepted the protection services the state government offered. In the private sector, the “take rate” can be even lower; a recent massive hack of 80 million records held by the insurance company Anthem yielded just 0.5 percent of victims accepting the free services.

So what made the OPM hack so different? Joe Ross, CSID’s president and co-founder, told Government Executive the high acceptance rate resulted from a combination of circumstances and calculated effort.

CSID worked with OPM to ensure nearly every former and current fed received the notification, either through email or a letter delivered through the U.S. Postal Service. If the mailing address on file bounced back with a return to sender, CSID attempted to locate an updated address through USPS’ national registry. Those efforts, coupled with the widespread press coverage of the incident, helped foster the high take rate, Ross said.

Once the official notification letter offering the protection benefits reached an affected individual, OPM and CSID made no follow up effort to encourage victims to actually enroll, according to the OPM spokesman. However, the Web portal CSID set up “made it easy for people to enroll,” Ross said.

Despite those efforts, Ross did not anticipate so many individuals would enroll in CSID’s services. That CSID was caught off guard was evident nearly immediately upon the company sending out notifications; from the get go, hacked individuals and federal employee advocates complained of long wait times on the telephone hotline and poor customer service. Still, Ross said, CSID “performed better than anyone would have expected.”

The take rate “is how you measure the success of a breach” response, he added. The high take rate did not affect the cost to the government; Winvale, which was awarded OPM’s contract and in turn hired CSID, collected a flat rate of $21 million. Similarly, CSID collected a flat fee based on the total hacked population.

OPM and CSID emphasized the services offered went beyond simple credit monitoring.

“Your iPhone can do that,” the OPM spokesman said of suspicious activity on your credit card. Hack victims will receive notifications if their name or address was falsely given in connection to a crime, added to the sex offender registry, submitted for a change of address or posted on the “dark Web.”

OPM is readying a solicitation for a contractor to offer protection services to the 21.5 million former and current federal employees, contractors, applicants and family members affected by the breach of background investigations data. The agency has started “ongoing discussions” between potential bidders and the government with a request for information.

That document -- which OPM called “an early exchange of information between the government and potential vendors” -- is already warning companies interested in the contract that they will have to be equipped for a higher-than-normal number of people actually using their services. The RFI noted the demand for services could exceed 20 percent. The OPM spokesman said companies must “always build in for a surge” of enrollees.

“I think we set the bar,” Ross said, “not just for the take rate but also the breach response product.” He added that bidders on the new contract will have to “take into account” the new reality of the higher enrollment rate.

The second breach response is all but certain to garner significantly more than the nearly 1 million enrollees in the first incident, as the hacked population is five times the size. Whichever bidder is awarded the contracted can handle the increased workload, Ross said, as long as it has a plan and sends out the notifications on a schedule that enables its call centers to deal with a steady flow of volume. Winvale is likely to make another bid at the second contract, the company’s CEO Kevin Lancaster told Government Executive.

A smaller take rate may be inevitable, the contractors said, given the makeup of the hacked population and the news of the hack being less fresh in people’s minds.

“If something is talked bout every time you turn on the TV and then you get a letter, you’re going to take action,” Ross said.

Lancaster said that given the sensitivities of working for the federal government, the population of the first hack “took it a lot more serious.” He added he was hopeful the victims of the second hack “will react the same way, because this is a serious problem.”