The federal government isn’t just setting up credit monitoring services for the millions of federal workers affected by the Office of Personnel Management cyber breaches. OPM is also pursuing giving all federal employees some type of credit monitoring going forward, officials said in announcing the magnitude of the breaches.
Before stepping down as OPM director, Katherine Archuleta said her agency was developing “a proposal for types of credit and identity theft monitoring services that should be provided to all federal employees in the future.”
Details beyond this broad goal haven’t yet been released.
But the pronouncement comes as a small comfort to a number of unions who represent federal workers and have been calling for stepped-up protections beyond just the hack victims.
Jessica Klement, legislative director of the National Association of Retired Federal Employees, told Federal News Radio the notion of covering all federal employees is “great but it should have come six weeks ago.”
“We welcome it. But it’s too late,” she said. “You could have alleviated a lot of concerns had you just come out with that right out of the gates.”
Just after news broke that the second breach had impacted 21.5 million people, the Professional Services Council released a statement saying that extending protection to all federal workers means the administration is “taking the right steps.”
“They’re doing now what we urged them and our member companies to do … which is to offer a full array of identity theft monitoring tools to give those at risk peace of mind in this disturbing and difficult time,” PSC President and CEO Stan Soloway said.
Greg Stanford, of the Federal Managers Association, told Federal News Radio his association has been advocating for lifetime protection. That’s not necessarily what OPM will do, but he likes that OPM seems open to talking about increasing the amount of credit monitoring services, as it’s “really what is necessary.”
For the 4.2 million people affected by the first breach, OPM has said it’s offering 18 months of identity theft monitoring free of charge. And for the 21.5 million victimized as part of the second breach, the length of their protections is a bit longer: three years or more.
Archuleta said Thursday during a news conference that OPM and the Department of Defense will work with a contractor — who has not yet been named — to provide a suite of credit and identity theft monitoring and protection services for both background investigation applicants and non-applicants whose sensitive information was stolen.
Some unions are questioning why there’s a discrepancy between the lengths of protection being offered to victims of the first and second breaches. There are also about 3.6 million individuals who were affected by both breaches. Their protections will fall into the three-years-or-more camp.
“I don’t know what the difference is between the folks compromised by the first breach and second breach,” Stanford said. “FMA has called for lifetime protection, because this information isn’t going to go away in 18 months. It’s not going to go away in three years. We’ve called for lifetime protection and credit monitoring for the individuals who are affected. We think that that is what the situation calls for.”
In NARFE’s opinion, 18 months of identity theft and credit monitoring for some is not adequate and neither is three years for others. Klement said the hope is that the new director coming in after Archuleta will up those amounts considerably.
Legislation to address lifetime credit monitoring
Members of Congress also are weighing in, not just on Archuleta’s resignation, but on the issue of credit monitoring for federal employees.
Four Democratic senators introduced legislation that would provide lifetime credit monitoring and at least $5 million in identity theft insurance.
Sens. Ben Cardin (D-Md.), Barbara Mikulski (D-Md.), Mark Warner (D-Va.) and Tim Kaine (D-Va.) put forward the legislation.
Over in the House, Reps. Eleanor Holmes Norton (D-D.C.), Chris Van Hollen (D-Md.), Don Beyer (D-Va.), Donna Edwards (D-Md.), C.A. Dutch Ruppersberger (D-Md.), Elijah Cummings (D-Md.), Gerry Connolly (D-Va.) and John Delaney (D-Md.) introduced a similar bill on Friday. Called the Reducing the Effects of the Cyberattack on OPM Victims Emergency Response Act of 2015 (RECOVER Act), the bill seeks complimentary and complete identity protection for those affected by the OPM breaches.
“OPM’s proposed protection would not protect current and former federal workers if hackers simply waited for a period of years before exploiting the stolen identities,” Norton said. “However, our bill would give current and former federal employees some peace of mind.”
NARFE and FMA see these steps as favorable.
The National Treasury Employees Union expressed its support in a statement Thursday, reiterating the union would continue to pursue a lawsuit against OPM, which also seeks to obtain lifetime credit monitoring services and identity theft protections for federal workers.
Feds waiting on notifications
Even with all of the pushes for heightened protections, it might be some time, though, before federal workers get relief. Archuleta announced that individualized notification packages will be sent to feds in the coming weeks.
“We will be incorporating lessons learned and feedback from stakeholders about the notification process just completed for a related cybersecurity incident,” she said Thursday.
Klement said her organization’s chief complaint from the beginning, over the past several weeks, has been the lack of communication with groups like hers and with the millions impacted.
The unknown — does this impact me? — is what’s worrying individuals most, she said.
“It’ll be weeks before these people get their notifications and for the retirees, those who haven’t gotten a letter from the first breach really want to know if they’re affected,” Klement said. “And you can’t pick up the call and say ‘I’ve moved seven times in the last 10 years or 15 years since I retired is my letter in the mail still?’ There are still a lot of people that are still in limbo. It’s the answered questions that’s causing a lot of anxiety.”