The government isn't skimping on the services it bought for the affected OPM employees. Workers are getting the "CSID Protector Plus" package, which entitles them to credit monitoring, public-records and loan monitoring, a service that monitors shady corners of the Web to see if their personal information is being traded or sold, and $1 million in insurance against damages in the event of identity fraud.
"As far as the service package, this is the whole kit and caboodle," said Patrick Hillmann, vice president of Levick, a PR firm that represents Winvale and CSID.
CSID sent out the first batch of 20,000 emails to affected federal workers on Monday, and will continue to send notifications in the coming weeks, Hillmann said.
Although the contract has a $20 million price tag, as also reported by the Washington Examiner, the actual cost of these services could be lower because some pricing is based on consumption, said OPM spokesman Sam Schumach. The OPM request appears to build in options for bulk pricing, but the specific terms agreed upon were not publicly available.
Given the high cost of coverage, the government appears to be taking the long view when it comes to hacks. OPM struck a "blanket purchase agreement" with the data-protection company that would prevent the government from being charged twice if an employee is affected by more than one hack, even one affecting another agency.
"This will help lower the cost of these services in the future," Schumach said.
But the hurried timeline of the contract-awarding process suggests that the government did not have any sort of agreement with Winvale or CSID before the hack, despite such arrangements becoming increasingly common.
The government put out a request for the services on Thursday, May 28, according to records from the General Services Administration. On Tuesday of the next week, June 2, the contract was awarded to Winvale. The government publicly announced the breach, which had occurred in December 2014 and was discovered in April, only two days later.
Organizations are more and more likely to have an agreement with an identity-theft-protection company in place before a breach occurs, says Eric Warbasse, senior director of financial services and breach response at LifeLock.
"That's being driven, candidly, by all the breaches that have been such high-profile news items over the last year or year and a half," Warbasse said. "We've seen demand for pre-negotiated relationships really pick up over the last six to eight months."
These agreements allow an identity-theft-protection company to get to know an organization—whether a private organization or the federal government—before a crisis hits. The protection company will assess the customer's potential vulnerabilities, open a line of communication, and settle on (usually reduced) pricing plans for post-breach services, in case they're needed.