Feds Award Contract to Notify and Protect the 21.5 Million Victims of OPM Data Breach

The government also lined up a group of companies that it has cleared to provide data-breach services to any federal agency for the next five years.

Vehicles drive past the Theodore Roosevelt Building, headquarters of the Office of Personnel Management on June 5. (Bloomberg AFP/Getty)

Nearly three months after a pair of cyberattacks at the Office of Personnel Management were made public, the government has awarded a contract to begin contacting 21.5 million individuals who have not been notified that their personal information was compromised.

It is also lining up a group of contractors to keep on call to provide cleanup services for future data breaches. Under an agreement announced Tuesday, any federal agency will be able to call on one of the contractors to notify and provide identity-theft protection services to individuals affected by a data breach.

Two contractors are cleared to provide services to "populations of significant size," and one is available to provide "routine data-breach responses." The agreement is valid for five years.

One of the contractors in the first group—Identity Guard—has been tasked with a big job right out of the gate.

When OPM announced in June that more than 4 million current and former federal workers had their personal information compromised by a cyberattack, it began almost immediately to notify the individuals and sign them up for identity-theft response services.

But when the agency announced the size of a second breach, which targeted a database that included more sensitive information—names, addresses, Social Security numbers, and more than a million fingerprints—it did not have a provider lined up to notify the 21.5 million individuals whose information was caught up in the attack, or to provide them with identity-theft protection services.

That task now falls to Identity Guard, which will send out the millions of notifications and deal with the ensuing call volume and service signups. The notifications will "begin by the end of this month and continue over the following weeks," said Beth Cobert, OPM's acting director, in a call with reporters Tuesday.

The government will pay $133,263,550 for Identity Guard's notification and protection services, which will be provided at no cost to the affected individuals. Recipients of government notifications are eligible for three years of coverage—until the end of December 2018—as are their dependent children who are under 18 years of age as of July 1, 2015.

All 21.5 million people are immediately covered with an identity-theft insurance plan, and are eligible for identity restoration, which they can use if their identities are stolen. They also have the option to sign up for additional free services such as credit and identity-theft monitoring.

"Millions of individuals, through no fault of their own, had their personal information stolen, and we’re committed to standing by them, supporting them, and protecting them against further victimization," Cobert said in a statement. "And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling."

The government has not made a formal attribution for the cyberattacks, but officials have privately pointed at China, a claim that lawmakers have echoed.

In a document drafted during the search for contractors to keep on call, the government estimated that it would spend $500 million on data-breach cleanup in the next five years.

The first round of 4.2 million notifications in June was handled by CSID, another contractor, which was criticized for how it handled the process. Many federal workers reported long phone wait times and problems with CSID's website, issues that the contractor said were made worse by an unprecedented demand for its services.

While the typical response rate for post-breach notifications is less than 5 percent, Cobert said Tuesday that nearly a quarter of notified individuals signed up for a CSID plan in June.

Representatives of the multiagency task force that developed the requirements for the contracts awarded Tuesday said they took into account lessons from the first round. This time, for example, notification emails will come straight from the Defense Department—sent from a .gov or a .mil email address—rather than from a private contractor's .com email address, which is more difficult to authenticate.