Identity theft protection for OPM hack victims could extend for life under new bill

A pair of House Democrats on Monday introduced legislation aimed at ensuring victims of the 2015 Office of Personnel Management data breach remain protected for the rest of their lives.

Del. Eleanor Holmes Norton, D-D.C., and Rep. Dutch Ruppersberger, D-Md., are the lead sponsors of the Reducing the Effects on OPM Victims Emergency Response Act (H.R. 7236). Last introduced in 2018, the measure would expand credit monitoring and identity protection services for the more than 21 million current and former federal workers and contractors whose Social Security numbers were exposed as part of multiple data breaches nearly a decade ago.

Shortly after the data breaches were uncovered, the Office of Personnel Management had offered three years and up to $1 million worth of protection services, but in 2015, Congress instructed the agency to expand the program to cover 10 years and up to $5 million. The program is currently set to expire in 2026.

Ruppersberger and Norton, who were early advocates of the 10-year coverage program, argued that the government should protect breach victims for the duration of their lives.

“We got some identity protection for federal workers and contractors impacted by the data breach as a first step, but only lifetime identity protection will give these workers the peace of mind they deserve,” Norton said in a statement. “Because there is no limit to the duration on when the compromised personal information can be used, Congress must protect these federal employees and contractors in perpetuity.”

“The federal workers impacted by the OPM breach are victims,” Ruppersberger said. “Their personal security was jeopardized through no fault of their own and the records stolen by hackers have no shelf life. The identity theft protection offered to these victims shouldn’t, either.”

But some experts have questioned the efficacy of programs like OPM’s. A 2017 Government Accountability Office report examining the issue found that the practice of organizations like OPM providing millions in identity theft insurance are well in excess of most instances of identity theft and could distort insurance prices.

“This level of insurance coverage is likely unnecessary because claims paid rarely exceed a few thousand dollars,” GAO wrote. “Requirements such as this could serve to increase federal costs unnecessarily, mislead consumers about the benefit of such insurance coverage and create unwarranted escalation of coverage amounts in the marketplace.”

And a 2019 GAO report suggests security breach victims pursue avenues like obtaining a credit freeze, a move that analysts said could do more to prevent actual instances of fraud that stem from data breaches.

“Consumer, government and industry experts highlighted other free options, including a credit freeze, which prevents one type of fraud,” GAO wrote. “A freeze restricts businesses from accessing a person’s credit report—and can prevent the illicit opening of a new account or loan in a person’s name.”