OPM’s plan to ‘pass-the-hat’ to pay for data breach services draws ire

The Office of Personnel Management had the data of more than 21 million current and former federal employees stolen and now it wants your agency to pay for it.

Acting OPM Director Beth Cobert sent an email to agencies telling them about OPM’s plans to raise its fees for security clearance services it provides in order to recoup the costs of the identity protection services it must purchase for the victims of the attack.

Beth Cobert, the new acting director of the Office of Personnel Management. (Official White House Photo by Amanda Lucidon)
Beth Cobert, the new acting director of the Office of Personnel Management. (Official White House Photo by Amanda Lucidon)

“Given the limited resources available to OPM at this time to deal with a contract of this size, agencies will be asked to contribute FY 2015 funding to cover the first full year’s costs of credit monitoring and related services/benefits for the second incident involving 21.5M individuals,” Cobert wrote in an email obtained by Federal News Radio. “In addition to FY 2015, funding will also be needed in FY 2016 and FY 2017 to extend these services and provide three years of services/benefits. The Office of Management and Budget fully supports the decision for cost sharing across all agencies given these circumstances. OPM is currently working to approximate each agency’s portion of the total number of individuals impacted and we are gaining more information on the anticipated cost per person in the coming week based on requirements. We will send additional information next week as soon as we have an estimate for your agency’s portion of this contract cost; however final costs will not be known until the contract is awarded.”

The Washington Post first reported the memo from Cobert.

Advertisement

OPM has not yet awarded a contract for credit monitoring services for victims of the second breach.

The contract for the first breach to WinVale and CSID was worth $20 million over five years. Former OPM Director Katherine Archuleta told Congress last month that the agency estimated the cost to cover 4.2 million victims of the first breach would be around $19 million to $21 million.

Cobert said in her email that “OPM is not requesting additional resources” for the first breach and plans to cover the costs by raising fees in 2016.

OPM spokesman Sam Schumach said in a release that the agency gives the 21 million victims of the second cyber breach information and resources in a timely manner.

“OPM is asking each agency to fund a share of the cost of monitoring and protection services approximately proportional to the number of individuals impacted,” he said. “This strategy was developed in concert with the Office of Management and Budget.”

One agency official said they were perplexed by OPM’s decision to ask agencies to pay for credit monitoring services, and even if agencies don’t agree or don’t pay, OMB could withhold funding to force the issue.

Another agency official called OPM’s request to pay for its problems “incredible.”

OPM budget not big enough

Jeff Neal, a former Homeland Security Department chief human capital officer and now senior vice president at ICF International, said OPM just doesn’t have a big enough budget to absorb the costs of providing credit monitoring for 21 million people and still run its critical programs.

“The money has to come from somewhere,” he said. “Will agencies feel good about that? Absolutely not. And it may make agencies less likely to use OPM services that are discretionary. This is just one more way that the effects of this breach will be felt for many years.”

OPM’s budget for 2015 is $240 million, and it requested $272 million in discretionary spending for 2016.

Cobert wrote another major reason for needing to tap agencies for money is the cancellation of its contract with USIS caused it to use its reserve funding it retained through its security clearance program.

“Due to this, OPM has exhausted its retained earnings to cover these increased costs and cannot sustain operations and financial stability unless it recovers the costs. As a result, OPM must assess a billing adjustment in FY 2015 that is retroactive to the beginning of this fiscal year. These higher prices will remain in effect until the prices are further revised,” Cobert wrote. “[S]ome agencies are not on this list because OPM does not conduct their investigations; however, they will have bills associated with the credit monitoring contract.”

Cobert attached a spreadsheet detailing the higher prices for orders placed between October 2014 and June 2015 and the estimated amounts that each agency will have to pay for the rest of 2015.

One government source, who has seen the spreadsheet, said the amount of money each agency pays is based on the number of clearances they have.

While the source, who requested anonymity to speak on this sensitive topic, wouldn’t confirm any specific numbers, the official said it’s logical to assume that large agencies, such as the departments of Defense, Homeland Security and Veterans Affairs, would pay more than smaller agencies.

The source said for their agency, the amount is in the six figures.

“My gut says 9 of 10 people in the same situation would have to do same thing and asked other agencies for help,” the official said. “It’s an optics issue, but it’s also the harsh reality. We will have to find the money. It will be a challenge for some agencies because it’s so late in the fiscal year.”

Another federal official said their agency doesn’t mind paying the fee for security clearance processing, but they did expect it to be a secure system.

“I believe we would have all been very happy to pay more for these investigations over the past 10 years in order to have this process run on up to date, secure software,” the official said.

Cobert to detail price increases by early August

Cobert said agencies should expect to see the first price increases in their Aug. 3 bill for services.

Neal said OPM’s request is just part of the new reality of federal funding.

“OPM uses a mix of fee-based revenue and appropriated money. They may be running into problems using the appropriated dollars due to the purposes for which they were appropriated. If so, that would leave the revolving fund. Given the issues they have had in recent years with that account, that kitty is probably too small to cover the cost,” he said. “Beth is no dummy  — she knows how agencies will react. But she also is does not have access to biblical loaves and fishes. The ideal solution would be for Congress to appropriate money to pay for it, but before they would even consider that, they would have to see a dramatic turnaround in OPM.”

The American Federation of Government Employees called for Congress to step in pay for cost of the identity protection services.

“AFGE believes OPM’s action is unprecedented and improper,” said AFGE National President J. David Cox Sr. in a statement. “There is certainly a need for additional resources to address this important potential national security breach. But diverting agency resources from serving taxpayers and potentially impacting their ability to fund employee salaries and expenses is improper and a possible violation of the Antideficiency Act.”

GAO to review usefulness, adequacy of credit monitoring services

AFGE says agencies could violate the “purpose limitation” of the Antideficiency Act, which directs agencies to spend money for only those “purposes for which appropriated.”

The union says that while agencies paying OPM for routine administrative services are normally included in general appropriations, the size and scope of this data breach cannot be considered routine or a service intended to provide agencies with necessary personnel processing services.

“OPM is attempting to apportion its loss to agencies that have had no part in creating this dilemma. The congressional appropriations process is not meant to serve as an insurance or indemnification fund for a central servicing agency’s critical mission failure,” Cox said. “This is a matter of a national security breach, and we believe that the President has sufficient authority to assist OPM in covering the potential costs associated with this operational crisis.”

Lawmakers and federal employee unions are calling for OPM to provide lifetime credit monitoring services for victims of the second cyber hack. OPM said when it announced the results of its investigation of the second breach that it’s considering three years of credit monitoring services.

Some experts believe credit monitoring and identity protection will not be helpful for victims of the breach.

And now several House lawmakers are asking the Government Accountability Office to look into the usefulness and adequacy of credit monitoring services.

Reps. Fred Upton (R-Michigan), Frank Pallone (D-N.J.) Michael Burgess (R-Texas), Jan Schakowsky (D-Ill.), Tim Murphy (R-Pa.) and Diana DeGette (D-Colo.) sent a letter to GAO on July 20 asking for a review these services and provide recommendations to protect consumers.

The letter details six questions, including asking GAO to evaluate the success and effectiveness of post-breach consumer protection services, and how does the federal government ensure taxpayer dollars are being spent effectively for post-breach services.

The lawmakers also requested information and briefings from the Federal Trade Commission and the Consumer Financial Protection Bureau regarding post-breach protections for consumers.

Read all of Federal News Radio’s coverage of the OPM Cyber Breach.