There are reports in the news that Identity Theft Guard Solutions won the contract to offer identity theft protection for the 21.5 million victims of the second OPM breach.
This is 90 days after the breach was disclosed. It is unclear how long it will be before people get letters and have the ability to sign up with this company.
If this was a private company that had been breached, people would be screaming about this. The government usually gets a free pass because it is hard to sue the government.
The contract will cost us, the taxpayers between $133 million and $329 million over 3 years, depending on the options (power windows, maybe, the news is not reporting the details).
This is separate from the $500 million contract request posted by the GSA to prepare for future breaches.
The lack of preparation by the OPM (and many private companies) is the cause of the delay in notifying breach victims. Any business executive watching this who does not have an incident response plan already approved might use this as a lesson,
Earlier, OPM had said that they expected the winner to start sending out letters within a week, but that it would take a couple of months to get all the letters sent out.
This means that it could be Thanksgiving or Christmas before breach victims get the official notification letter. Merry Christmas. If it does wind up taking 6 months after the breach was announced to just get the letters out, I suspect that may spark some interest in lawsuits.
This, of course, has nothing to do with the issue that credit monitoring will do nothing to protect you from, say, a blackmailer who has your entire criminal record or mental health history as disclosed on the forms that the government was supposed to protect.
Also, it is certainly possible that there will be a protest of the contract award – that is fairly common in federal contract awards.
Stay tuned for the next chapter.
Information for this post came from the Washington Times.