
A Smart Privacy Move by GSA: Arranging Credit Monitoring Agreements

The General Services Administration (GSA) announced on Tuesday (8/29) that they are purchasing blanket credit monitoring services from three different companies at reduced rates to use when data privacy breaches occur.

"Washington DC – The U.S. General Services Administration awarded Blanket Purchase Agreements (BPAs) to assist Federal agencies in protecting the confidentiality of personal credit and payment information, as well as providing a fast and effective solution for Federal agencies needing commercial-off-the-shelf credit monitoring services.

The BPAs were awarded to Equifax, Inc. based in Atlanta, Ga., Experian Consumer Direct of Irvine, Calif., and Bearak Reports, a small, woman-owned firm in Framingham, Mass.

In the wake of recent incidents that threatened the confidentiality of personal information, this action by GSA will allow Federal agencies to take advantage of significantly reduced unit pricing and volume discounting available through these agreements.  They can also select different levels of credit monitoring services depending on the degree of vulnerability, risk, and protection.

The BPAs also eliminate separate contracting and open market costs that result from separate agencies searching for sources, developing technical documents and solicitations, and evaluating offers.  Significantly reduced pricing, strong oversight and reporting, and excellent customer service from these commercially available credit monitoring services are now available on a government-wide basis.   

The BPAs do not obligate funds.  There is no limit on the dollar value of task order purchases made under the BPA.  BPA vendor numbers are as follows:

GS-23F-06-E3-A-0013 Bearak Reports (Woman-Owned, Small)
GS-23F-06-E3-A-0014 Equifax Inc. (Large)
GS-23F-06-E3-A-0015 Experian Consumer Direct (Large)"

This is a good, proactive move on the part of the government, particularly considering how they've mishandled recent and past privacy breaches.

The Bearak Reports site is interesting. I think it is a good thing to include a small boutique organization such as this in with two of the other big fish in this industry space. Bearak Reports offers three different levels of identity theft policies; I don't know which of these the government cut the deal for, but most likely the one with the lowest coverage, considering they also have the other two companies they can use.

I wonder what the "significantly reduced unit pricing and volume discounting" amounts are?  Seems this would be something the GSA would have to make available to the public.  Perhaps it's just not posted out there yet...I couldn't find it on the government sites.  Something to check on next week...

Will the government then fulfill the original promises for credit monitoring they made to the 26.5 million individuals involved with the VA incident that they later reneged upon when the laptop and hard drive were found months later? 

Will they use one credit monitoring service per incident, or multiple? Will it depend upon the type and complexity of the incident?

It would be interesting to know the parameters around which they will use these credit monitoring services:

  • Have they documented the types of incidents for which credit monitoring should be launched?
  • Have they documented how to determine the types and levels of credit monitoring?
  • Have they documented the specific types of personal information involved with the breach that would trigger credit monitoring?
  • Are they going to establish a certain number of individuals that must be involved? It would be too bad if the number of individuals would be a factor; isn't it important to help prevent bad things from happening to each individual whose information their incident impacted, and not just a group of a specific size?


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.