The Office of Personnel Management may have offered more coverage than necessary for current and former federal employee identity theft services following the agency’s 2015 data breaches, according to a March 30 report by the Government Accountability Office.

Examining the potential benefits and limitations of credit monitoring, identity monitoring, identity restoration and identity theft insurance, the GAO found them lacking as protection against certain types of threats, such as medical identity or tax refund fraud.

Legislation required OPM to provide the more than 21 million victims of the breaches with 10 years of services, as well as no less than $5 million in identity theft insurance. Considering the coverage shortcomings and claims typically equalling only a few thousand dollars, however, offering this level of coverage until December 2025 is "likely unnecessary," said the GAO report. 

In addition, duplicative services were provided to around 3.6 million people impacted by both breaches, an issue for the Office of Management and Budget to address in its risk management and internal control guidance. 

Among the primary concerns addressed by the report are the potential for confusion about the insurance’s scope among those covered and the possibility that the government’s actions could increase coverage costs for private companies and consumers misled about the benefit of such insurance.

GAO recommendations to mitigate government waste and improve decision-making about ID theft services include OPM revisiting its breach-response policies, Congress allowing agencies to determine appropriate coverage types and levels on a case-by-case basis, and OMB analyzing the best services for agencies to offer if faced with future breaches.

The complete GAO report can be found on the agency’s website.