GAO said in a report published Thursday agencies that experienced data breaches are required by law to provide identity theft services for impacted persons.
The Office of Personnel Management, which experienced cyber attacks in 2015, is required by law to offer identity theft services to affected individuals and cover $5 million in identity theft insurance.
Auditors noted that the mandated level of insurance coverage is “likely unnecessary” since paid claims seldom cost more than a few thousand dollars.
GAO added that insurance requirements could increase federal costs; mislead consumers on insurance benefits; and lead to an escalation of coverage amounts in the marketplace.
The congressional watchdog also found that OPM delivered duplicative identity theft services to approximately 3.6 million impacted individuals and that the Office of Management and Budget has yet to consider options to help federal agencies mitigate service duplication.
OPM does not have criteria or procedures in place to determine when to offer identity theft services and the agency does not always document how it decided to offer such services, the report stated.
GAO urged OPM to establish procedures on the provision of identity theft services as well as document its decision-making process.
OMB should also evaluate the effectiveness of identity theft services and explore options to prevent duplication in federal agencies’ service delivery, the government audit agency noted.