The 21.5 million victims of the breach of background investigation data maintained by the Office of Personnel Management will likely have to wait a bit longer than originally planned to receive their promised protection benefits.
OPM, in conjunction with the General Services Administration and the Defense Department, has delayed formally kicking off the process of finding a vendor to provide the services after falling behind on a self-imposed timetable for issuing a request for quotes. GSA was scheduled to issue the RFQ on its eBuy service Thursday, according to an update provided to contractors, but the agency had still not released the document as of Friday afternoon.
An OPM spokesman said the schedule was “notional,” and that the RFQ -- which will include the exact services the vendor will have to provide and ask for the most competitive price the vendor can offer -- will come “soon.”
One contractor that plans to make a bid on the contract once GSA and OPM provide the opportunity to do so said this is the second time the agencies have delayed the posting, and he expects it to be released next week.
The initial schedule proposed vendors issuing their quotes on Aug. 12, with GSA making a final decision by Aug. 21. It is unclear if those dates will also be pushed back. Once the contract is awarded, it will likely take several weeks before the first notifications go out. Winvale, which was awarded the contract for providing services to the victims of the initial breach of 4.2 million personnel records, hired CSID and sent out notifications within one week, but the second hack will require tracking down contact information for five times as many individuals.
Even before the second delay, victims of the second hack -- which includes current and former federal employees, contractors, job and security clearance applicants, and family members -- complained the process was taking too long. Stan Soloway, CEO of the Professional Services Council, said OPM is leaving hack victims with unacceptable uncertainty.
“It has now been more than four weeks since the first public release of the existence of the second breach and still no notifications have been sent out, and these estimated 21.5 million employees and their family members are not sure of their exposure,” Soloway wrote in a letter to acting OPM Director Beth Cobert.
The eventual contract is expected to include at least three years of credit monitoring and a “suite of services” more extensive than those offered to the initial hack victims. The larger size of the hack, the more extensive and longer offering of benefits and the new standard set by the higher-than-expected “take rate” of those opting into the services offered to victims of the first breach will likely cause the price of the new deal to far exceed the $21 million agreement between OPM and Winvale.
Even after the contracting process is finalized and all the notifications are sent out, Congress may still write the final chapter of the hack saga. A Senate committee last week unanimously backed a provision to give hack victims 10 years of credit monitoring and identity theft protection services. A bipartisan pair of House lawmakers introduced a similar measure this week, while a Democratic leader in the lower chamber has endorsed lifetime credit monitoring.
“Everybody deserves to have peace of mind and assurance that their personal information is secure,” said Rep. Scott Rigell. R-Va., a cosponsor of the 10-year, House bill.
PSC’s Soloway said OPM should consider using “existing contracts” to provide victims of the second hack 18 months of credit monitoring until it determines a “a comprehensive and uniform longer-term solution.”
(Image via hin255 / Shutterstock.com)