Editor’s Note: This story has been updated with more details about Sen. Mikulski’s plans to pay for 10-years of credit monitoring services and $5 million in liability protections.
Despite the prohibitive cost, Washington-area lawmakers say they’re convinced the government can provide lifetime credit-monitoring and other protections to the 22 million Office of Personnel Management data breach victims.
The 18 months to three years of credit monitoring and identity protection services OPM has offered victims is not sufficient considering allegations that Chinese sources are behind the hacks, said Rep. Steny Hoyer (D-Md.) during a phone call with reporters Friday.
“We do know that there is in some of these—particularly those who applied for employment or security clearances—extensive information that might be used in ways that could undermine the security of the United States of America,” he said. “We need to have lifetime protection to the extent that we can offer such protection. The bad news is that there are some things we might not be able to compensate people for.”
Extending protections for victims’ lifetimes would also help reassure Americans they can expect government entities, such as the IRS, to keep their sensitive personal information confidential, he said.
It’s not clear how much such protections would cost, or how the government would pay for them, however. OPM is spending $21 million on a contract to provide 18 months of services to the 4.2 million individuals affected by the first breach of its database. Lifetime monitoring for five times as many people could cost billions of dollars. Hoyer said he has not seen an estimate of those costs yet.
Hoyer said because the breaches are an emergency, Congress should consider funding the remedies outside of the regular appropriations process so agencies are not forced to cut their budgets elsewhere.
“The funding levels have been very, very tight over the last few years and nobody contemplated this breach as occurring,” he said. “I’m going to look at how large a sum we’re talking about and the ability to amortize this cost over all the agencies, some of whom clearly had no culpability in the compromising of this information.”
“If you do this for a 10-year period, in the seventh, eighth and ninth year, you ought to have a much better understanding of the loss rate, the exposure rate, the possible damages that are being experienced. To that extent, it’s a very positive step,” he said.
During the Senate committee discussion, Mikulski portrayed the breach situation as an emergency. She argued, unsuccessfully, that Congress should appropriate an extra $37 million for OPM to secure its IT networks immediately.
A Hill staff member familiar with the Mikulski amendment said the Congressional Budget Office scored the cost of providing credit monitoring and identity protection services and more liability protection over and above what OPM Is offering to cost $66 million a year starting in 2017.
OPM and the Office of Management and Budget are paying for the 2016 services for 21.5 million victims of the cyber breach by retroactively charging agencies more for security clearance services between October 2014 and June, and by price increases going forward.
The cost of OPM’s current plan of three years of credit monitoring services and $1 million in liability protection is more than $66 million a year, but less than $100 million, the staff member said. The staff member declined to give a total amount OPM estimates the first year to cost.
“The basis of Sen. Mikulski’s amendment is the fact that a person’s Social Security number, date of birth or medical history doesn’t change,” the staff member said. “That means the vulnerability of that information being in wrong people’s hands doesn’t magically go away after 18 months or 3 years, and that’s why it’s important to provide a level of assistance that is much longer in duration.”
As for Mikulski’s second amendment to give OPM $37 million in emergency funding to expedite cybersecurity upgrades, the staff member said there may be a chance to offer the provision a second time on the floor depending on what Congress does related to sequestration and the budget control caps.
If lawmakers change the law, it may be possible for OPM to get more funding, but otherwise it’s a much harder trade off within the appropriations bill.