OPM says other federal agencies have to pay for its giant data breach

July 21, 2015 - 5:38 PM

The Office of Personnel Management warned federal agencies on Tuesday that they will have to help defray the cost of offering credit-monitoring services to current, former and potential federal employees affected by the massive breaches of OPM data, which put the personal information of 22.1 million Americans in the hands of hackers.

When OPM made the first hack public early last month, it and the Interior Department covered the costs of giving most of the 4.2 million affected federal employees free credit-monitoring for 18 months, and a capped amount of liability insurance for losses caused by identity theft. The compromised files were stored at the Interior Department, which OPM contracted with because it had extra cyberstorage space.

That cost, which former OPM Director Katherine Archuleta told Congress was around $20 million, will be "recovered" via fiscal 2016 "price adjustments," Acting Director Beth Cobert wrote in an email to agency heads. Congress is still in the process of trying to approve spending bills for the upcoming fiscal year, which begins Oct. 1.

OPM quickly announced a second major breach involving 21.5 million people, some of which were also hit in the first incident. To pay for credit monitoring and other services for this group, OPM said federal agencies would need to make budget room in the current fiscal year, and in the next two fiscal years.

"Given the limited resources available to OPM at this time to deal with a contract of this size, agencies will be asked to contribute [fiscal year] 2015 funding to cover the first full year's costs of credit monitoring and related services/benefits for the second incident involving 21.5" million Americans, Cobert wrote. Additionally, OPM is seeking help from agencies' 2016 and 2017 budgets to extend aid to all 21.5 million people for three years.

The Office of Management and Budget "fully supports the decision for cost sharing across all agencies given these circumstances," Cobert wrote. "OPM is currently working to approximate each agency's portion of the total number of individuals impacted and we are gaining more information on the anticipated cost per person in the coming week based on requirements."

OPM warned agencies that a heftier bill is coming for the background investigations OPM conducts for most federal departments, and said that increase would be assessed retroactively.

In September, OPM didn't retain the services of its largest background investigations contractor, U.S. Investigative Services, because of allegations that it billed OPM for work it never completed, among other things. OPM absorbed that work and underestimated the cost of its labor, Cobert said.

"OPM has exhausted its retained earnings to cover these increased costs and cannot sustain operations and financial stability unless it recovers the costs," Cobert wrote. "As a result, OPM must assess a billing adjustment in [fiscal] 2015 that is retroactive to the beginning of this fiscal year. These higher prices will remain in effect until the prices are further revised."

Cobert apologized for throwing a monkey wrench into departments' budgets roughly six weeks before the fiscal year ends but said it couldn't be helped.

"This funding is critical to ensure that OPM is able to maintain its operational capability in order to allow agencies to continue to fill critical positions and accomplish their missions," she wrote.The largest union of federal workers said it was "improper" for OPM to ask the agencies it serves to dig into their pockets to cover the costs associated with mitigating the effects of the hacks, and instead called on Congress to appropriate OPM additional money.

"OPM's action is unprecedented and improper," stated J. David Cox Sr., president of the American Federation of Government Employees. "[D]iverting agency resources from serving taxpayers and potentially impacting their ability to fund employee salaries and expenses is improper and a possible violation of the Antideficiency Act."

"Some of the damages do not even directly relate to agency needs ... OPM is attempting to apportion its loss to agencies that have had no part in creating this dilemma," he stated. "If Congress is not able or willing to act, then ... President Obama should consider using contingency funds from national security accounts to assist OPM."