The Professional Services Council, a trade group representing scores of government contractors, has urged the Office of Personnel Management to notify and protect the millions of victims affected by a massive breach of background investigation files.
PSC President and CEO Stan Soloway sent a letter to acting OPM Director Beth Cobert, imploring her to take immediate steps to notify the 21.5 million people who may have been affected by the second of two related hacks into OPM systems.
The 4.1 million current and former federal employees who fell victim to an initial cyber breach of federal personnel files -- announced by OPM last month -- were informed almost immediately, Soloway noted. But it has now been more than four weeks since government officials publicized the full scope of the second, much larger breach -- with no official word about the protections hack victims will be offered.
Last week, the General Services Administration released a request for information, giving potential contractors information about the work it would need done to protect victims of the second breach. The RFI also included a "best effort plan of action" timeline for the contracting process.
While it said the contract would be awarded by Aug. 14, notifications to victims would not go out until at least one week after that.
“This is an unacceptable delay in notifications to and protection for these affected individuals,” Soloway stated in his letter.
Congress is currently determining the best way to protect all victims of both agency breaches. In an annual spending bill passed by the Senate last week, lawmakers voted to expand coverage of credit monitoring and identity-theft protections to breach victims to at least 10 years and liability protections of $5 million.
“The ongoing debate regarding the scope and length of coverage for all affected individuals . . . leads us to believe that the longer-term solution requirements for this second breach may take some time to finalize and will probably also change the coverage for those individuals affected by the first breach,” Soloway stated.
While these decisions are being fleshed out, PSC recommended OPM employ existing contracts so it can immediately provide temporary coverage for those affected by the second breach. Soloway suggested OPM immediately provide all affected employees with the 18 months of free credit monitoring offered to victims of the first breach.
As some 3 million individuals were likely affected by both breaches, using an existing contract could also help eliminate duplicate coverage, according to Soloway.