Feds May Spend $20 Million on Identity-Fraud Protection After Cyberattack

Fraud-protection companies stand to gain a lot of business in an age of large-scale hacks, which are becoming increasingly frequent.

This Monday was grimmer than most for federal employees, tens of thousands of whom received emails from an identity-protection company notifying them that their personal information may have been stolen in a massive hack of the Office of Personnel Management last week.

But the hack, which could affect up to 4 million federal workers, brought good business to the doorstep of CSID, the Austin, Texas-based cybersecurity company that will provide affected employees with 18 months of access to its identity-fraud protection services.

The services are available to the workers at no immediate cost to them. Instead, OPM is footing the bill for those services with taxpayer money, a sum of potentially more than $20 million.

Data hacks are expensive ordeals for an organization—a report from IBM and the Ponemon Institute found that the average data breach cost a U.S. company $6.5 million in 2015—and providing remedial services to people affected by an attack is no small part of the price tag.

But the OPM hack was on a scale not seen before in government.

A contract between OPM and Winvale Group, a government contractor that works with CSID to provide identity protection, shows that OPM last Tuesday agreed to pay $20,760,741.63 for identity-protection services after the data breach.

The government isn't skimping on the services it bought for the affected OPM employees. Workers are getting the "CSID Protector Plus" package, which entitles them to credit monitoring, public-records and loan monitoring, a service that monitors shady corners of the Web to see if their personal information is being traded or sold, and $1 million in insurance from damages in the event of identity fraud.

"As far as the service package, this is the whole kit and caboodle," said Patrick Hillmann, vice president of Levick, a PR firm that represents Winvale and CSID.

CSID sent out the first batch of 20,000 emails to affected federal workers on Monday, and will continue to send notifications in the coming weeks, Hillmann said.

Although the contract has a $20 million price tag, as the Washington Examiner also reported, the actual cost of these services could be lower because some pricing is based on consumption, said OPM spokesman Sam Schumach. The OPM request appears to build in options for bulk pricing, but the specific terms agreed upon were not publicly available.

Given the high cost of coverage, the government appears to be taking the long view when it comes to hacks. OPM struck a "blanket purchase agreement" with the data-protection company that would prevent the government from being charged twice if an employee is affected by more than one hack, even one affecting another agency.

"This will help lower the cost of these services in the future," Schumach said.

But the hurried timeline of the contract-awarding process suggests that the government did not have any sort of agreement with Winvale or CSID before the hack, despite such arrangements becoming increasingly common.

The government put out a request for the services on Thursday, May 28, according to records from the General Services Administration. On Tuesday of the next week, June 2, the contract was awarded to Winvale. The government publicly announced the breach, which had occurred in December 2014 and was discovered in April, only two days later.

Organizations are more and more likely to have an agreement with an identity-theft-protection company in place before a breach occurs, said Eric Warbasse, senior director of financial services and breach response at LifeLock.

"That's being driven, candidly, by all the breaches that have been such high-profile news items over the last year or year and a half," Warbasse said. "We've seen demand for pre-negotiated relationships really pick up over the last six to eight months."

These agreements allow an identity-theft-protection company to get to know an organization—whether a private organization or the federal government—before crisis hits. The protection company will assess the customer's potential vulnerabilities, open a line of communication, and settle on (usually reduced) pricing plans for post-breach services, in case they're needed.

These agreements can come with or without a retainer, Warbasse said. LifeLock typically doesn't charge retainers, but some competitors do, he said.

As companies like LifeLock and CSID try to establish relationships with organizations before a data breach, post-breach contracts like the one OPM has with CSID can also be beneficial for the companies, even after the term of "free" service is up.

After his or her 18 months of employer-subsidized identity-protection service is over, a government worker will have to decide whether or not to begin paying out of pocket to stay covered. There's a lot of calculation that goes into that decision. Industry-wide, a "surprisingly small number of people" choose to keep paying for services after the subsidized period is over, Warbasse said.

But that changes if a hack could have exposed the most sensitive personal information. "A data compromise of a Social Security number and name and date of birth as a result of a malicious hacking event is more likely to result in direct-to-consumer relationship following the breach subsidy," said Warbasse.

That means the OPM breach could bring CSID thousands of new subscribers even after its initial contract with the government ends.

Generally, the cybersecurity sector does well after a big-ticket hack, and OPM's was the largest government cyberattack ever revealed. Cybersecurity stocks rose after news of the attack broke on Thursday, and a fund that bundles 30 cybersecurity companies' stocks reached toward an all-time high the following day.