Senate Panel Approves 10 Years of Protection Services for Hack Victims

A Senate panel on Thursday approved a measure to give current and former federal employees and contractors affected by the hack of data maintained by the Office of Personnel Management protection services for 10 years, more than three times longer than OPM originally offered.

The Senate Appropriations Committee agreed to the amendment unanimously by voice vote, despite some Republican concern that the 10-year figure was decided arbitrarily. The provision was attached to the fiscal 2016 financial services and general government spending bill, which provides funding for OPM and several other agencies.

The amendment would provide hack victims with 10 years of credit monitoring services and it would offer $5 million in liability protection to hack victims. OPM offered the 21.5 million federal employees, contractors, applicants and family members affected by the breach involving security clearance files three years of a “suite of services,” including full service identity restoration support and victim recovery assistance, identity theft insurance, identity monitoring for minor children, continuing credit monitoring and fraud monitoring services beyond credit files. The 4.2 million current and former federal workers affected by the initial hack of personnel data -- most of whom were also impacted by the second breach -- were offered just 18 months of credit monitoring and identity theft insurance.

Sen. Barbara Mikulski, D-Md., the committee’s ranking member, introduced the measure, saying it was the least lawmakers could to do to ensure the protection of the nation’s civil servants. She added the Congressional Budget Office said the provision would not affect existing spending levels, as the costs for fiscal 2016 would come out of the money already scheduled for appropriation to OPM and the other agencies it will charge.

“They deserve our protection,” Mikulski said of the federal workforce. “This will not affect the budget cap but it will affect how we protect our employees.”

Republican committee members said they supported the notion of having employees protected and even guaranteeing that future employees are protected, but questioned the length of time Mikulski proposed offering credit monitoring and other services to hack victims.

“I don’t know if one year is adequate, I don’t know if 10 years is adequate, I don’t know if 20 years is adequate,” said Sen. John Boozman, R-Ark. “My problem is I simply don’t know. If you can give me good data that some expert has said that 10 years is the magic number instead of nine or 11, that would be fine.”

Mikulski said previous hearings have proven extended protections are warranted. Boozman and Mikulski agreed on the need for additional hearings on the breaches, including a classified session to discuss specifically what the hackers will do with the information they stole.

Sen. Patrick Leahy, D-Vt., said there is “no excuse” for the carelessness by OPM that allowed the breach to happen, but added that management “screwed up” and that should not negatively impact federal workers.

The Republican majority rejected a separate Mikulski amendment that would have provided OPM with additional funding to accelerate network upgrades. The measure would have appropriated an additional $37 million in emergency funding to OPM to improve network systems and information technology infrastructure.

Boozman said Congress could not fix OPM’s networks by simply throwing money at them.

“Often in Washington our answer is more money when fixing problems,” Boozman said. “More money isn’t going to solve the management problem either. And let’s be honest, this is mostly a management problem.”

Mikulski agreed management was largely to blame for OPM’s failures, but said she did now want to “punish federal employees for what management did or did not do.”

While the amendment was rejected, the underlying appropriations bill did fully fund President Obama’s requested spending increase for IT security improvements at OPM. It also would require OPM to work with the Office of Management and Budget, Homeland Security Department and other agencies “with expertise in data security” to prevent future data breaches.

The spending bill -- which also advances the 1.3 percent pay raise for federal employees by staying silent on the subject-- was approved along party lines. The increased benefits for hack victims is far from a done deal; if passed by Congress, Obama would likely veto the measure as it retains sequestration-level spending caps. The credit monitoring provision’s unanimous approval bodes well for those impacted by the breaches, however, either as an attachment to future compromise funding bills or through standalone legislation.