Existing credit monitoring services for victims of 2015 breach are set to expire in 2026.
Two Washington-area Democrats have proposed a measure that would extend for life the identity theft protection offered to victims of the 2015 Office of Personnel Management data breach.
Rep. Dutch Ruppersberger, D-Md., and Del. Eleanor Holmes Norton, D-D.C., introduced the Reducing the Effects of the Cyberattack on OPM Victims Emergency Response Act (H.R. 5765) on May 10. The bill marks the latest effort to expand credit monitoring and identity protection services for the more than 21 million current and former federal employees and contractors whose Social Security numbers were exposed as part of multiple data breaches.
Under current law, federal employees impacted by the data breaches can receive identity theft protection services through 2026. OPM had initially offered three years and up to $1 million in protection services, but in 2015, Congress instructed the agency to expand that program to 10 years and up to $5 million.
Ruppersberger and Norton, who were advocates of the original 10-year protection measure, said such services must be offered in perpetuity, given the nature of the information that was compromised.
“The personal records stolen by hackers have no shelf life—so the identity theft protection offered to the victims shouldn’t, either,” Ruppersberger said in a statement. “[Providing] these dedicated and hard-working men and women with a little well-deserved peace of mind is the least we can do.”
“There is no limit to the duration of when the compromised personally identifiable information can be used,” Norton said. “The federal government is responsible for the nerve-racking breaches and Congress has an obligation to make affected employees whole by passing our bill.”
But analysts have questioned the methodology of Congress and OPM’s approach to protecting feds from identity theft. Last year, the Government Accountability Office concluded that insuring a person against identity theft to the tune of millions of dollars is “likely unnecessary” and could distort identity theft insurance prices.
“This level of insurance coverage is likely unnecessary because claims paid rarely exceed a few thousand dollars,” GAO wrote in March 2017. “Requirements such as this could serve to increase federal costs unnecessarily, mislead consumers about the benefit of such insurance coverage, and create unwarranted escalation of coverage amounts in the marketplace.”
And some members of Congress raised concerns about agencies’ data breach responses last summer, highlighting the limited-time nature of identity protection services and requesting that GAO examine existing response strategies and potential future best practices.
“Reliance on these products after the breach may result in consumers being lulled into a false sense of security,” wrote Reps. Frank Pallone Jr., D-N.J., Diana DeGette, D-Colo., and Jan Schakowsky, D-Ill., last August.