OPM Looks for Contractor to Notify Victims of Background Check Breach

Mark Van Scyoc/Shutterstock.com

An information request put out to interested companies indicated a mid-August contract award is the "best case."

Nearly two weeks after announcing that over 21.5 million people had their information hacked from government servers, the Obama administration is moving to hire a contractor to notify and provide identity fraud-protection services to affected individuals.

But it won't be until at least mid-August until one is hired.

The Office of Personnel Management, which was hit last year by a massive hack that officials have privately linked to China, is working with the Department of Defense to find a contractor to notify the affected individuals and provide them with identity fraud-protection services, according to an OPM spokesperson.

CSID, the contractor that provided those services to the 4.2 million employees affected by the smaller data breach announced in June and was heavily criticized for how it handled the process, will face competition for the new contract from LifeLock and other large fraud-protection services. They will be vying to provide services at a scale five times the previous breach—21.5 million individuals will need to be notified and protected.

OPM has promised at least three years of credit monitoring and identity theft protection to the affected people.

In the first formal step toward securing a contractor, the General Services Administration on Thursday put out a request for information, notifying potential contractors about the scope of work the government will expect and soliciting information from the interested companies.

Included in the request was a rough timeline of the contracting process. After the hopeful companies convened in a "virtual meeting" on Monday, responses to the GSA request were due by Tuesday night.

According to the preliminary timeline, which represents the "'best effort' plan of action," no contract will be awarded until Friday, August 14. Notifications would likely begin to go out the following week, at the earliest.

The GSA request did not make any mention of the potential length of coverage. Although OPM has said it will offer at least three years of services for free, some lawmakers are pushing to provide lifetime protection for individuals affected by government data breaches.

As CSID gears up to bid again on the second contract, executives from the Austin-based company and its contracting partner, Winvale, have spent recent days on a public relations tour of Washington.

The campaign is designed in part to counteract the intense criticism the contractor received from lawmakers, federal worker unions, and the press, as it dealt with the first round of notifications and service provision.

Sen. Mark Warner, a Democrat who represents tens of thousands of Virginia-based federal workers, wrote a letter in June to CSID with complaints from Virginians who encountered three hour-long wait times at the contractor's call center or incorrect information on their accounts after they signed up.

But as CSID President Joe Ross and Winvale CEO Kevin Lancaster take their message to press and members of Congress, they are arguing that the hiccups that afflicted their operations as they got off the ground were unavoidable, and that many, in fact, were caused by government mismanagement.

Complaints about wait times, for example, stemmed from a decision to make public the 1-800 number for the call center intended for data breach victims, Ross told National Journal Tuesday, opening the floodgates to a deluge of calls from worried current and former federal employees who did not receive notifications.

Why exactly the number was made public was unclear as CSID and Winvale began their media blitz. Politico reported Monday that CSID "felt compelled by the public interest" to release the number, but according to the Washington Post on Monday, Ross said it was the government's decision to share the number. Ross said Tuesday it was a combination of the two.

"Were there long hold times? Yes," said Ross Tuesday. "Was it the right thing to do? Yes."

The crux of CSID's pitch is that the work it did for 4.2 million could easily be scaled up to accommodate the 21.5 million people affected by the breach announced this month.

"The thing about this is you've got people hitting the website, and that's repeatable. You've got a notice process—you just build a schedule for that. You've got the mailing houses that we utilize, so we spread the notifications across three mailing houses," Ross said.

"So the scaling is pretty easy, and the main thing is we've developed a kind of rapport," he continued. "We have daily standups with OPM on a daily basis, we've got the reporting in place, so the scalability is the key. If it was to come down to the next 21.5, it's just that we're positioned to scale."

Ross trumpets that more than 22 percent of the 4.2 million individuals who were notified that their information was compromised—that's nearly one million people—have signed up for CSID's service.

LifeLock, one of CSID's larger competitors, itself hit an obstacle Tuesday when the Federal Trade Commission accused it of violating a previous settlement with the agency. The commission said LifeLock was putting out false advertising and failed to notify paying users when their identity was used, or protect their data.

CSID—along with its competitors—will be given a chance to prove itself to the government. Each interested contractor was given until 8 p.m. Eastern Tuesday to submit the answers to eight detailed questions in the GSA's request for information, which asked about the "maximum volume" each company has processed in response to a data breach, and whether the company could handle signups from more than 20 percent of the 21.5 million people who were affected by the breach.

The request also asked how each company's call center employees are vetted, since they will need to handle sensitive information over the phone, and whether the company can meet government cybersecurity and data hosting standards.

But Lancaster, Winvale's CEO, said Tuesday that Winvale and CSID did not submit a response before the deadline.

(Image via Mark Van Scyoc/ Shutterstock.com)

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.