Agencies might be paying too much for the identity theft and credit monitoring services they’ve offered federal employees in the aftermath of data breaches.
The Government Accountability Office, in a report released Wednesday, urged the Office of Management and Budget to keep a centralized record of federal agencies’ efforts to provide identity theft services to their employees.
“What we found is that some of these identity theft services, some of them will cover out-of-pocket costs. They won’t actually cover material losses if something happens or the information is inappropriately used,” Comptroller General Gene Dodaro told lawmakers Wednesday.
Testifying before members of the Senate Budget Committee, Dodaro said agencies might not be offering their employees the level of identity theft protection they thought they’d be paying for.
“They’re typically only reimbursements, so far, of a few thousand dollars, where it’s costing millions of dollars to provide these services to the government,” Dodaro said.
In March 2017, GAO questioned whether having the Office of Personnel Management’s provide victims of its 2015 data breaches with no less than $5 million in identity theft insurance for at least 10 years was cost-effective.
Under law, OPM is required to provide identity protection services for data breach victims until at least Dec. 18, 2025.
Dodaro said OMB should issue guidance to agencies to help identify “alternatives to identity theft services,” such as credit freezes and fraud alerts, which may be cheaper and more effective over time.
He also urged OMB to require federal agencies to conduct a cost-benefit analysis of alternatives before deciding how to move forward.
In doing so, GAO estimates the federal government could save millions of dollars each year.
“OMB has mentioned some concerns about keeping central databases, in terms of privacy concerns, but we think this could be overcome properly. This would be a better value to the government,” Dodaro said.
Last year, OPM claimed it offered “duplicative services” to about 3.6 million victims affected by both of its cyber breaches in 2015.
The agency estimates that the first data breach impacted 4.2 million individuals, while the second breach hit about 21.5 million people.
GAO chief: ‘I’m very concerned about the VA’
The Veterans Affairs Department has implemented about half of the recommendations that GAO has issued between 2011 and 2017.
As of March 2018, about 25 of these 54 actions remained open.
Dodaro has met with every VA secretary since Eric Shinseki to discuss how to check off more of GAO’s recommendations to make the agency more efficient most-effective.
“Each time I met with them, I encouraged them to implement our recommendations. In many cases, they agreed with the recommendation, but then it’s not being implemented,” Dodaro said.
With former VA Secretary David Shulkin, Dodaro had set up quarterly meetings to review outstanding GAO recommendations.
Dodaro said no barrier exists to keep the agency from implementing GAO’s recommendations, but recent shakeups in leadership at the VA have caused setbacks.
“I’m very concerned about the VA. I think it needs leadership. It has some of the most serious management problems in the federal government,” he said.
“The Department of Veterans Affairs could potentially save tens of millions of dollars when acquiring medical and surgical supplies by better adhering to supply chain practices of leading hospitals,” GAO wrote in its recent report.
The watchdog also urged the VA to strengthen its employee performance management processes to improve the level of care it provides to veterans.
“They need some leadership, they need some follow-through and some fundamental management reform,” Dodaro said.
President Donald Trump fired Shulkin in March, but the Veterans Health Administration also lacks a permanent leader.
The contract, which has a $10 billion ceiling over 10 years, was recently described by Acting VA Secretary Robert Wilkie as one of the largest IT contracts in the federal government.
President Trump originally tapped Wilkie to only serve on an acting capacity, but his pick to permanently fill the role, presidential physician Ronny Jackson, withdrew his nomination in April. Just last week, Trump named Wilkie as his latest choice to fill the post permanently.
Sen. John Boozman (R-Ark.), a member of the Senate Veterans Affairs Committee, said he’s also concerned by vacancies at the VA.
“I’m excited about the prospect of us confirming the president’s nominee — I think he’s going to do a very, very good job — but one of the problems I’ve got now is just the fact there’s just so many open spots in key leadership,” Boozman said.
Dodaro said he plans to meet with Paul Lawrence, whom the Senate recently confirmed as the head of the Veterans Benefits Administration, and will meet with Wilkie once he’s confirmed by the Senate.
The VA ranks seventh on the list of agencies with the most outstanding GAO recommendations.
Between 2011 and 2017, GAO has made 724 recommendations to Congress and federal agencies. Of those, the federal watchdog estimates 76 percent have been fully or partially implemented.
GAO projects that the federal government will save $178 billion from implementing these recommendations.