OPM Breaches Still Resonating

The response to the breaches of federal personnel files and background investigation files affecting more than 22 million current and former federal employees and others cost about $140 million in the first year and will cost an additional $100 million a year moving forward, OPM told a House hearing. Those were costs of notifying victims and of providing free identity theft insurance and identity restoration services—which are automatic—as well as for free credit monitoring and identity monitoring services for those who elected them. OPM acting director Beth Cobert said that about 11 percent of those the government was able to reach have opted into the monitoring services, well above the 2-3 percent rate of such offers after breaches of private company records. She noted that the cost is being paid by employing agencies and that under a law passed in late 2015, the services are to go on for 10 years total—well beyond the periods OPM originally contracted for.

A small number of individuals have contacted OPM to say they have been victims of identity theft, she said, although in some of those cases the information may have been stolen in another way. She also said that the government was able to contact more than 90 percent of those affected by the background investigations breach—by far the larger of the two—by mail before it finished sending those notices in December. Notices of the personnel records breach were sent earlier, mostly by email.

OPM meanwhile is asking for $37 million for IT in its current budget request, much of which will go to shoring up cybersecurity and preparing to move background investigation data to DoD under a recently announced initiative. That will be a long-term project that also will involve creating a new entity within OPM to perform those checks, and revising how they are done. OPM would have needed to incur some similar costs to shore up its systems even if the breaches had not happened, she added.