This story was updated on Friday, Feb. 15, 2019 at 1:00 p.m. to reflect additional information from the Office of Personnel Management.
The Office of Personnel Management has chosen to continue its relationship with ID Experts, the company originally tasked to provide free credit monitoring and identity theft protection services to victims of the agency’s 2015 cyber breaches.
OPM awarded a follow-on contract to ID Experts under the General Services Administration’s identity protection services multiple-award blanket purchase agreement (BPA). The contract began on Jan. 1 and will continue through at least June 2020. ID Experts said the contract has an option for up to five years.
The contract is worth at least $416 million, according to USA Spending data.
Individuals currently enrolled in MyIDCare don’t need to take action to continue their service and will be automatically covered, ID Experts said in a statement announcing the continued contract.
A provision in the 2016 spending omnibus requires OPM to provide these services to all breach victims through 2025.
“ID Experts is excited to continue our service to OPM in providing identity protection services for the approximately 22.1 million individuals impacted by the 2015 cyber incidents,” Tom Kelly, president and CEO of ID Experts, said Tuesday in a statement.
Since OPM first selected ID Experts to provide services for cyber breach victims back in 2015, the company has issued more than 100 million routine credit and identity monitoring alerts, according to the vendor.
OPM announced in late November, about a month before its contract with ID Experts was due to expire at the end of 2018, that existing coverage with the vendor would continue for breach victims until June 30. An additional six months would give OPM time to re-compete the contract and solicit quotations from eligible vendors on GSA’s BPA.
OPM used GSA’s identity protection services BPA back in 2016, the last time the agency solicited bids for this purpose. It signed a two-year, $340 million contract with ID Experts, one of three vendors on the BPA, to provide credit monitoring services to victims of both OPM breaches.
Anyone who was impacted by OPM’s 2015 cyber breaches but didn’t enroll in ID Experts’ services in 2016 or 2017 can still enroll, an agency spokesman said.
“Those who were impacted were sent a notification letter with enrollment instructions,” the spokesman said. “Individuals who do not have a notification letter may contact the verification center, and if it is determined that they were impacted by the 2015 cyber incidents, they will receive a notification letter with enrollment instructions.”
Victims of OPM’s breaches who are interested in the free identity protection services can visit the agency’s cybersecurity resource center for more information.
From the very beginning, OPM’s attempts to protect cyber breach victims were marked by confusion.
The agency quickly signed a contract with Winvale Group to provide credit monitoring services for the 4.2 million victims of OPM’s first breach. The agency’s inspector general said the contract didn’t follow federal acquisition regulations (FAR) and best procurement practices. Winvale wasn’t on GSA’s BPA, a point that several lawmakers made when OPM first awarded the $20 million contract just 36 hours after the solicitation was made public.
OPM signed another contract with a different vendor, ID Experts, to cover the 21.5 million victims of the second breach. The agency in late 2016 allowed the Winvale contract to expire and signed a new, two-year agreement with ID Experts to cover all breach victims. Some lawmakers criticized OPM for giving some breach victims one month to sign up for new services in 2016.
The Government Accountability Office last year questioned whether the requirement to provide victims of the 2015 breaches with no less than $5 million in identity theft insurance for at least 10 years is too much.