Mark Van Scyoc /

OPM Takes Steps Toward Finding a Contractor to Notify Hack Victims

An information request put out to interested companies indicated a mid-August contract award is the "best case."

Nearly two weeks after announcing that over 21.5 million people had their information hacked from government servers, the Obama administration is moving to hire a contractor to notify and provide identity fraud-protection services to affected individuals.

But it won't be until at least mid-August until one is hired.

The Office of Personnel Management, which was hit last year by a massive hack that officials have privately linked to China, is working with the Department of Defense to find a contractor to notify the affected individuals and provide them with identity fraud-protection services, according to an OPM spokesperson.

CSID, the contractor that provided those services to the 4.2 million employees affected by the smaller data breach announced in June and was heavily criticized for how it handled the process, will face competition for the new contract from LifeLock and other large fraud-protection services. They will be vying to provide services at a scale five times the previous breach—21.5 million individuals will need to be notified and protected.

OPM has promised at least three years of credit monitoring and identity theft protection to the affected people.

In the first formal step toward securing a contractor, the General Services Administration on Thursday put out a request for information, notifying potential contractors about the scope of work the government will expect and soliciting information from the interested companies.

Included in the request was a rough timeline of the contracting process. After the hopeful companies convened in a "virtual meeting" on Monday, responses to the GSA request were due by Tuesday night.

According to the preliminary timeline, which represents the "'best effort' plan of action," no contract will be awarded until Friday, August 14. Notifications would likely begin to go out the following week, at the earliest.

The GSA request did not make any mention of the potential length of coverage. Although OPM has said it will offer at least three years of services for free, some lawmakers are pushing to provide lifetime protection for individuals affected by government data breaches.

As CSID gears up to bid again on the second contract, executives from the Austin-based company and its contracting partner, Winvale, have spent recent days on a public relations tour of Washington.

The campaign is designed in part to counteract the intense criticism the contractor received from lawmakers, federal worker unions, and the press, as it dealt with the first round of notifications and service provision.

Sen. Mark Warner, a Democrat who represents tens of thousands of Virginia-based federal workers, wrote a letter in June to CSID with complaints from Virginians who encountered three hour-long wait times at the contractor's call center or incorrect information on their accounts after they signed up.

But as CSID President Joe Ross and Winvale CEO Kevin Lancaster take their message to press and members of Congress, they are arguing that the hiccups that afflicted their operations as they got off the ground were unavoidable, and that many, in fact, were caused by government mismanagement.

Complaints about wait times, for example, stemmed from a decision to make public the 1-800 number for the call center intended for data breach victims, Ross told National JournalTuesday, opening the floodgates to a deluge of calls from worried current and former federal employees who did not receive notifications.

Why exactly the number was made public was unclear as CSID and Winvale began their media blitz. Politico reported Monday that CSID "felt compelled by the public interest" to release the number, but according to the Washington Post on Monday, Ross said it was the government's decision to share the number. Ross said Tuesday it was a combination of the two.

"Were there long hold times? Yes," said Ross Tuesday. "Was it the right thing to do? Yes."

The crux of CSID's pitch is that the work it did for 4.2 million could easily be scaled up to accommodate the 21.5 million people affected by the breach announced this month.

"The thing about this is you've got people hitting the website, and that's repeatable. You've got a notice process—you just build a schedule for that. You've got the mailing houses that we utilize, so we spread the notifications across three mailing houses," Ross said.

"So the scaling is pretty easy, and the main thing is we've developed a kind of rapport," he continued. "We have daily standups with OPM on a daily basis, we've got the reporting in place, so the scalability is the key. If it was to come down to the next 21.5, it's just that we're positioned to scale."

Ross trumpets that more than 22 percent of the 4.2 million individuals who were notified that their information was compromised—that's nearly one million people—have signed up for CSID's service.

LifeLock, one of CSID's larger competitors, itself hit an obstacle Tuesday when the Federal Trade Commission accused it of violating a previous settlement with the agency. The commission said LifeLock was putting out false advertising and failed to notify paying users when their identity was used, or protect their data.

CSID—along with its competitors—will be given a chance to prove itself to the government. Each interested contractor was given until 8 p.m. Eastern Tuesday to submit the answers to eight detailed questions in the GSA's request for information, which asked about the "maximum volume" each company has processed in response to a data breach, and whether the company could handle signups from more than 20 percent of the 21.5 million people who were affected by the breach.

The request also asked how each company's call center employees are vetted, since they will need to handle sensitive information over the phone, and whether the company can meet government cybersecurity and data hosting standards.

But Lancaster, Winvale's CEO, said Tuesday that Winvale and CSID did not submit a response before the deadline.

(Image via  /