Hacked federal employees should receive an extra seven years of anti-fraud protection in their stockings this holiday season, once Congress votes on a must-pass spending bill.
A legislative package negotiated Tuesday night to keep the government operating slipped in a policy to protect, for a decade, the identities of victims of a personnel records and background investigation breach at the Office of Personnel Management.
Right now, OPM is only providing a year of financial safeguards to 4.2 million current and former federal employees whose Social Security numbers were compromised. Some 21.5 million individuals who applied for security clearances and their family members are receiving three years of coverage, in light of a related, more severe breach.
The $1.1 trillion spending package to avoid a government shutdown could pass as early as Friday. The legislation contains a slew of tax breaks, as well as some policy riders like the ID theft protections and tougher restrictions on foreigners entering the country using the visa-waiver program.
A controversial proposal that would have required administration officials to sign off on every Syrian seeking refuge in the United States was dropped. Lawmakers also included a controversial measure aiming to make it easier for companies to share cyberthreat information with the government.
OPM must provide "complimentary identity protection coverage" at least as comprehensive as the coverage previously offered to the individuals affected by either hack, the legislative text states. The safeguards are "effective for a period of not less than 10 years," and must include at least $5 million in ID theft insurance for each victim.
Some lawmakers have proposed measures that would protect the identities of all OPM hack victims for life, because it is unknown how or when the stolen data will be used.
The years-long cyberspying operation that netted the records is believed to be the work of Chinese-backed hackers. Security experts have said ID monitoring will not guard against email campaigns that weave in the stolen information to look legitimate and convince recipients to divulge more secrets.
Government officials last week announced they had finished mailing background check breach victims notification letters that provide a PIN for accessing credit monitoring, ID theft insurance and other protections.
The government expects to spend $330 million over three years on the financial security offerings. The one year of similar services for victims of the smaller hack cost OPM $20 million.