[BreachExchange] Few Claims Filed for Post-Data Breach Services

Destry Winant destry at riskbasedsecurity.com
Thu Apr 4 03:11:38 EDT 2019


https://www.fedweek.com/fedweek/few-claims-filed-for-post-data-breach-services/

In the more than three years since the government started offering
identity protection services and identity theft insurance to those
affected by the breaches of OPM databases, only 61 individuals have
received payouts from insurance claims, averaging about $1,800 per
claim, GAO has found.

GAO said that of the 22 million people—current and former federal
employees, military personnel and others in a database of federal
personnel files and another on people who had undergone background
checks—about three million have enrolled in the services. Enrollment
is still open and the benefits are to continue through 2026; some
members of Congress have proposed that they be made permanent.

About 1 percent of enrollees have made identity restoration requests,
and of the 81 insurance claims filed, 61 were approved, GAO said.

The services are free to enrollees, but as of last November had cost
OPM $361 million; shortly afterward, OPM signed a new contract with
the same provider that is effectively a five-year extension with a
total potential cost of $400 million.

GAO added that given the size of the claims paid so far, “the $5
million per-person coverage limit mandated by Congress likely was
unnecessary and might impose costs without providing a meaningful
corresponding benefit.” It noted that it previously had recommended
that OMB revise its guidance to agencies on responding to data
breaches by considering alternatives such as fraud alerts, credit
freezes, or the agency conducting monitoring on its own.

In that earlier report, GAO also had stressed the limits of the type
of protection being offered, saying for example that while identity
monitoring can alert victims to misuse of certain personal information,
its effectiveness in addressing such theft is unclear; and while
identity theft insurance covers expenses related to responding to such
theft, it generally excludes direct financial losses.

