The Government Is Still Considering Better and Longer Protections for Hack Victims

The federal government is making progress on providing protections to 21.5 million victims of a hack of records maintained by the Office of Personnel Management, having received best offers from potential vendors, but it is simultaneously preparing to offer better benefits than those originally outlined.

Naval Sea Systems Command, which is overseeing the selection process in coordination with the General Services Administration and OPM, is still on pace to select a contractor to offer the former and current federal employees, contractors, applicants and family members credit monitoring and identity theft protection by the end of the month. NAVSEA issued a request for quotes in early August, and set a deadline for submitting offers of Aug. 14.  

A NAVSEA spokesman told Government Executive those submissions are currently under review.

In the RFQ, the government spelled out exactly what it is looking for from potential vendors for the 21.5 million victims and up to 6.3 million of their dependents. The contract, designated as the first task order of a larger blanket purchase agreement created to deal with future government hacks, is for three years.

In an updated fact sheet released by GSA last week, however, the agency said that timeline could be extended.

“Based on the team’s ongoing assessments over time, the government will provide additional coverage associated with this incident, as needed,” GSA said. Limiting the contract to three years gives the government wiggle room to “adapt and provide the most up-to-date services.”

In other words, hack victims could receive benefits for longer than three years, and this structure allows the government to take advantage of innovation in the protection industry as it develops. GSA declined to offer more details on that process, as the procurement is currently open.

GSA also said the BPA was purposely crafted as a “flexible contract vehicle” that can adjust to any legislative mandate for stronger or longer protections for hack victims. Rather than scrapping the process and starting from scratch, GSA said the government will work within the existing BPA and affected task orders to determine how to best address any legislative requirements.

Several legislative proposals to provide more extensive post-hack benefits have already been floated or advanced, though none have received a vote by a full chamber.

Once a vendor is chosen, it will have 12 weeks to provide notifications to hack victims that their information was breached. GSA said in the fact sheet this timetable recognizes the “magnitude of validating addresses for the 21.5 million” impacted individuals, which could be compounded by changes in addresses that occur around the time of the award. The three-month window will “allow the government the time needed to ensure due diligence in obtaining valid addresses.”

NAVSEA will automatically award the contract for the background investigation incident to the vendor pre-approved through the corresponding BPA process offering the lowest price, GSA said. If the cheapest contractor later displays performance issues, GSA added the government “has a full range of options available” to mitigate them, including reducing or withholding payment.

Federal employees affected by the hack could be headed for a unique benefit, as an OPM-led taskforce is currently developing a plan for a longer-term proposal. Future hack response policy will reflect the findings of that taskforce, GSA said. 

(Image via wk1003mike / Shutterstock.com)