Del. Eleanor Holmes Norton of Washington, D.C., is working to preempt the expiration of a provision that offers free identity protection to millions of federal employees and their families whose data was exposed in a cybersecurity breach in 2015.
After the incident lay bare the personnel records of more than 20 million federal employees, job applicants and their family members in networks maintained by the Office of Personnel Management, the agency and a contractor, Peraton Risk Decision Inc., were sued in a class action. The defendants denied wrongdoing and ended up settling for $63 million. As of December, the first round of distributions for payments were initiated.
In the years since the attack, which was believed to have been led by Chinese hackers, Congress has approved in appropriations bills free lifetime identity protection coverage to those compromised. The requirement to offer this service expires in fiscal 2027, and Norton’s proposed bill would make that indefinite.
“We got some identity protection for federal workers and contractors impacted by the data breach as a first step, but only lifetime identity protection will give these workers the peace of mind they deserve,” Norton said in a statement. “Because there is no limit to the duration on when the compromised personal information can be used, Congress must protect these federal employees and contractors in perpetuity.”
Federal agencies have been working within the frameworks of recent executive orders and guidance by the Cybersecurity and Infrastructure Security Agency and National Institute of Standards and Technology to shore up their networks against increasingly potent attacks on public infrastructure. At the same time, modernization is taking center stage across government as agencies recognize their aging IT systems are especially vulnerable and in need of fortification.
Data breaches by local, state and federal agencies over the past eight years cost governments some $26 billion, according to a new report, Federal Times previously reported.
Congressman C.A. “Dutch” Ruppersberger, D-Md., co-introduced the bill, entitled the Reducing the Effects of the Cyberattack on OPM Victims Emergency Response Act, or the RECOVER Act. Specifically, it would provide $5 million in identity theft insurance.
Previous versions of this bill have been introduced but failed to pass.
“The federal workers impacted by the OPM breach are victims. Their personal security was jeopardized through no fault of their own and the records stolen by hackers have no shelf life. The identity theft protection offered to these victims shouldn’t, either,” Ruppersberger said. “I am proud to once again support this effort to help provide these hard-working men and women with the protections they need and deserve forever.”
The court order held that OPM has no role in providing actual monetary damages to claimants, and Epiq is the claims administrator for the settlement.
Molly Weisner is a staff reporter for Federal Times where she covers labor, policy and contracting pertaining to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly majored in journalism at the University of North Carolina at Chapel Hill.