Office of Personnel Management director Katherine Archuleta is facing more tough questions regarding the data breach that hit the agency’s servers and exposed the personal data of millions of current and former federal employees, this time from Senator Mark Warner (D-VA).
In a letter to Archuleta, Warner said that many of his constituents are telling him that they are getting lousy service from CSID, the company OPM selected to provide free credit monitoring to the individuals impacted by the data breach, and asked OPM to hold the company accountable if it is indeed not living up to its obligations.
Warner also questioned OPM’s methodology in selecting the company.
A copy of Warner’s letter is included below.
June 19, 2015
Hon. Katherine Archuleta
Director, U.S. Office of Personnel Management
1900 E Street, NW
Washington, DC 20415-1000
Dear Director Archuleta:
I write today to follow up on some important questions that must be answered in the wake of the Office of Personnel Management’s (OPM) June 4, 2015 announcement that a data breach of its information technology systems and data had compromised the Personally Identifiable Information (PII) of millions of current and retired federal workers.
Following that announcement, OPM announced that victims of this breach would be eligible for 18 months of identity theft protection including credit monitoring and fraud insurance through CSID, a company that specializes in identity theft protection and fraud resolution. I have already expressed my concerns that federal workers deserve more than 18 months of credit monitoring following a breach of such enormous size and scale.
Since that letter, additional information has come to light that raises questions about OPM’s awarding of this $20 million contract to CSID, and whether CSID has the expertise and capacity to provide the services for which it was contracted. I write today to seek answers to those questions and bring to your attention the poor performance of the contractor to date.
As you are well aware, I have a large number of constituents in Virginia who are current, former or retired federal employees, and in the past two weeks, I have heard complaints from many of them about the poor quality of service provided by CSID. My constituents have reported that the website crashes frequently, and that the company’s dedicated hotline regarding the OPM breach has incredibly long wait times. Wait times of over an hour are not uncommon. Even as I write, CSID is reporting a wait time of approximately 90 minutes to speak with a representative.
Virginians have also expressed frustration and disappointment with the quality of the information CSID has provided them. Many have reported receiving inaccurate or out-of-date information regarding their credit history, which calls into question CSID’s ability to appropriately protect them from fraud and ID theft. Others have reported extreme difficulties with obtaining information from CSID regarding the terms and conditions of the $1 million in identity theft insurance they have been offered as part of CSID’s contract with the federal government. I also question CSID and OPM’s judgment in contacting victims by email with a recommendation that they click on a link to CSID’s website to sign up for credit monitoring – a violation of the basic cybersecurity protocol that employees should never click on unfamiliar links, and one that risks exposing employees to scammers’ phishing attempts.
Needless to say, I am deeply troubled by these reports. OPM must hold CSID accountable for timely and accurate responses to federal employees who are rightfully concerned about the impact of this breach. If the company is unable to handle the volume resulting from a breach of this size, the contract should be terminated and awarded to a company that can.
The company’s substandard service is especially troubling given the way in which OPM awarded CSID this contract. According to FedBizOpps.gov, the online database of federal government contracting opportunities, OPM posted a Blanket Purchase Agreement (BPA) Request for Quotation (RFQ) for “Privacy Act Incident Services” on May 28 at 11:33 a.m. with a response deadline of May 30 at 11:59 p.m. – providing companies with a period of just 36 hours in which to evaluate OPM’s terms and submit a bid for the contract. During that time, OPM amended the solicitation three times. On June 5 – less than a week after the initial RFQ – OPM awarded the contract to CSID via main contractor Winvale Group LLC.
According to procurement experts, such a short turnaround time is highly unusual and raises suggestions that OPM could have intentionally steered the contract to CSID. While there was and remains a time-sensitive imperative to protect the personal information of our federal workers, the General Services Administration (GSA) is already equipped to assist agencies in quickly setting up credit monitoring services in the event of a breach. In 2006, following a theft that exposed the personal information of millions of veterans, their spouses, and active-duty military personnel at the Department of Veterans Affairs, the GSA awarded BPAs to three companies to assist Federal agencies needing credit monitoring services. As GSA noted at that time:
“In the wake of recent incidents that threatened the confidentiality of personal information, this action by GSA will allow Federal agencies to take advantage of significantly reduced unit pricing and volume discounting available through these agreements. They can also select different levels of credit monitoring services depending on the degree of vulnerability, risk, and protection.
“The BPAs also eliminate separate contracting and open market costs that result from separate agencies searching for sources, developing technical documents and solicitations, and evaluating offers. Significantly reduced pricing, strong oversight and reporting, and excellent customer service from these commercially available credit monitoring services are now available on a government-wide basis.”
GSA made three awards under the BPA to two large national companies, Equifax Inc. and Experian Consumer Direct, as well as Bearak Reports, a small woman-owned firm in Massachusetts. It is unclear whether Equifax or Experian bid on the RFQ, but Bearak has publicly said that it was unaware of the OPM solicitation, and that the company would have bid if it had known. This raises questions as to whether OPM followed all appropriate federal procurement protocols in awarding this contract.
It is possible that the decision to award this contract so quickly would raise fewer questions if the contractor was known as an expert in credit monitoring. However, a recent press report noted that the company “is thought of as a company that helps others get on the GSA schedules, prepare proposals and the like, and their GSA schedules are for things such as lab equipment and IT software/services, but there is nothing about credit monitoring, insurance or similar offerings.”
As a result, I also request that you provide answers to the following questions:
- To the best of your knowledge, how did CSID learn of the RFQ?
- Did OPM receive bids from any companies other than CSID?
- Why did OPM choose not to pursue a bid through GSA, an agency established by Congress in order to cut down on wasteful overhead and administrative costs by centralizing the procurement process?
- If the contract was awarded based on urgency, under federal procurement guidelines, OPM could have properly awarded a sole-source contract for a period of 12 months. How does OPM justify awarding what appears to be a sole-source $20 million contract with four one-year renewal options in this case?
As it stands, at least 14 million federal employees have had their personal and financial information exposed and are now, through no fault of their own, at risk for potential fraud and identity theft. OPM has an obligation to take this threat seriously. The agency’s awarding of this contract suggests, however, that protecting employees exposed by the breach is not the top priority for OPM that it should be. I expect that OPM will act quickly to correct any such impressions.
Mark R. Warner