Congress wants to know how well identity-protection services really work

Andrew Jackson with binoculars on $20 bill

Quazie/Flickr (CC BY 2.0) | Remix by Jason Reed

The OPM hack fallout continues.

House lawmakers are asking the congressional research agency to study the effectiveness of credit-monitoring and identity-protection services.

The renewed push for improved digital safety follows a warning from federal employees that the government isn’t adequately protecting them after hackers stole their personnel files from its servers.

Members of the House Committee on Energy and Commerce, which oversees technology issues, wrote to the Government Accountability Office asking for “a review of credit monitoring and other post-breach identity theft services” and “recommendations to enhance consumer protection.”

The Office of Personnel Management has struggled to set up a system for providing identity protection to the 22 million federal employees whose records were compromised. When the first of two breaches was detected, OPM rushed to award a $20 million contract to identity-protection firm CSID to protect the victims of that breach. But the office hasn’t talked to CSID about protecting the victims of the second breach.

These contracting woes have exposed persistent flaws in how the government partners with private companies to provide services to its employees. The morass of issues surrounding federal contracts is nothing new, but the urgency of the need to protect OPM breach victims has added a new dimension to the decades-old issue.

OPM’s contract with CSID for the first breach only included 18 months of protection services. The four senators from Maryland and Virginia, where the majority of the victims live, have introduced a bill to require lifetime protection for federal cyberattack victims.

The House Commerce Committee’s letter cited several breaches of government systems that exposed federal employees’ personal information, and it noted that, in each of these cases, “questions have been raised … about the usefulness and adequacy of credit monitoring services in protecting victims’ credit following a breach.”

The letter also noted that other components of identity protection, including monitoring of suspicious Internet activity, have come under scrutiny. Major providers of these services have been scrutinized for possible false claims; LifeLock, one of the most famous providers, was forced to pay the FTC $12 million to settle false-claims charges. On Tuesday, the FTC announced that it would take further action in that case after LifeLock violated the terms of the settlement.

Committee members laid out six separate questions that they wanted the GAO report to answer, one of which concerned how identity-protection services “evaluate and keep pace with evolving threats.”

Update 3:10pm CT, July 21: Added new information about FTC’s LifeLock case.

Eric Geller

Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.