After it failed to safeguard millions of files filled with sensitive personal information, the government’s personnel office is now telling other federal agencies they will be expected to cover the costs of responding to the massive computer breach.
The cost of addressing the breach – which compromised security clearance files affecting 21.5 million federal workers, military personnel and contractor employees – represents an unanticipated expense hitting late in the government’s fiscal year, when agency budgets are especially tight.
And agencies whose employees have been put at risk should expect to absorb even more costs in the future, according to a previously undisclosed memo from the Office of Personnel Management, whose systems were breached.
“Given the limited resources available to OPM at this time to deal with a contract of this size, agencies will be asked to contribute FY 2015 funding to cover the first full year’s costs of credit monitoring and related services / benefits” for the incident, wrote acting OPM director Beth Cobert.
The breach involves highly personal information on virtually everyone who applied for a security clearance or had one renewed since 2000, and in some cases before.
OPM has come under intense fire from employees and lawmakers over the failure to prevent several computer breaches and over the response to those hacks. The agency’s director, Katherine Archuleta, resigned under pressure earlier this month.
Some federal employees were taken aback after officials from government agencies were informed at a briefing late last week that they would be expected to pay for the costs of responding to the breach of the security clearance database.
“My mouth dropped open when I read this. I get the fact that the money has to come from somewhere, but, man, oh man,” said a federal official, who was not authorized to speak on the record on the matter.
The amount of the costs is still unknown, since OPM has not yet issued a contract to notify and provide services to those affected by the clearance files breach.
For a separate breach involving personnel records of some 4.2 million current and former federal employees held for OPM on computers at the Department of Interior, the cost of sending notices and providing services was $21 million. OPM and Interior paid for that contract, but officials said they cannot afford to cover what could be much higher costs to address the breach of the security clearance database.
The Office of Management and Budget “fully supports the decision for cost sharing across all agencies given these circumstances,” wrote Cobert, who was transferred from her post as OMB deputy director for management after Archuleta stepped down.
The decision by senior Obama administration officials to distribute the costs across the government means that agencies will have to find potentially substantial savings in their budgets late in the current fiscal year.
Typically, when agencies must find such savings, they look to cutting administrative costs, such as employee awards, training and travel, and overhead such as office equipment. Those accounts, which in many cases already are pinched by years of budgetary restrictions, also pay employee salaries. While salaries could not be cut, restrictions on those accounts could translate into pressure to hold down the number of employees.
Finding the funds will be all the more difficult since there are now barely two months left in the budget year.
In addition to paying costs for credit monitoring, personal identify protection and other measures related to the hack of the the clearance files, the memo says, agencies will be charged higher rates for OPM to process clearance applications on their behalf, retroactive to the start of this fiscal year.
It adds that while the total costs won’t be known until the second contract is issued, “OPM is currently working to approximate each agency’s portion of the total number of individuals impacted and we are gaining more information on the anticipated cost per person in the coming week based on requirements.”
“OPM is committed to providing those affected by the recent cyber incident involving Federal background investigations data with information and appropriate resources in a timely and effective manner,” OPM press secretary Sam Schumach said in a statement. “OPM is asking each agency to fund a share of the cost of monitoring and protection services approximately proportional to the number of individuals impacted.”
The breach of the security clearance files not only affects far more people than the hack of the personnel files but the information could be used in more ways by the hackers, reportedly from China. The files include sensitive information that clearance applicants have to disclose–including on any personal financial problems, criminal records, foreign travel and much more–and in some cases also involves fingerprint records and findings of background investigations.
Further, while the personnel files breach affected persons for whom the federal personnel agency typically would have current contact information, the clearance files breach involves a substantial number of people who did not work directly as federal employees and thus will be more difficult to contact. Also, OPM has promised more extensive services, to be provided longer, for those affected by the clearance files breach.
Almost all of those affected by the personnel records breach already have been notified.
“We understand and appreciate the complexities of this late in FY15 request for funds,” the memo added. “We cannot stress enough the importance and significance of this funding. This funding is critical to ensure that OPM is able to maintain its operational capability in order to allow agencies to continue to fill critical positions and accomplish their missions.”
In addition, agencies will have to help fund costs in 2016 and 2017, the memo says.