As part of their breach response strategies, organizations need to establish clear guidelines in advance so they know when it’s appropriate to offer victims free credit monitoring or ID theft protection services, security experts advise.
In addition, they should educate breach victims about the steps they should take to protect their identities as well as how to use the services offered to them.
“More sophisticated companies that take time to understand the actual risks posed by any threat that might warrant such services carefully choose what they offer and explain why,” says Scot Ganow, an attorney at Faruki Ireland and Cox PLL who specializes in privacy and security law. “Such companies have learned that ‘throwing credit report monitoring’ at victims of identity theft can send the wrong message, especially when it is not likely to mitigate or prevent harms specific to an incident.”
Credit Monitoring vs. ID Theft Protection
Credit monitoring aids a consumer in determining whether their identity has been stolen by monitoring the information held by the three national credit bureaus.
If identity theft has occurred, or if there is evidence that fraudulent activity is possible, credit monitoring will alert the customer to any changes reported to any of the national credit bureaus, Ganow says. “Such a service will notify you if changes are made to your accounts or personal information,” he explains.
But once the theft has occurred and a customer is notified about suspicious activity, they often do not know what to do next. That’s where identity theft protection services can play a role. These services can include identity theft insurance, personal information monitoring – where a provider checks underground forums and other locations online to be certain PII isn’t being traded or sold – along with access to consultants, Ganow says. These consultants have the expertise to help consumers address such questions as: Should the police be contacted? Should a Social Security number be changed? Should a credit freeze be initiated?
“You could argue that identity theft protection services are reactive or remedial in helping after a breach, while credit monitoring is more anticipatory in nature, even though many order it after a breach or identity theft event,” Ganow says.
When to Offer Credit Monitoring
Credit monitoring is typically offered to breach victims if a Social Security number or other identifying information has been stolen. “Name, Social Security number and date of birth are the trifecta for committing identity theft,” says Brian Lapidus, practice leader of identity theft and breach notification at Kroll Advisory Solutions. “With these three pieces of information, an identity thief can perpetrate many types of fraud,” making it a good idea to offer credit monitoring or a similar service, he says.
But credit monitoring can also help consumers who have had their payment cards compromised because it will look back in time for new account openings, delinquencies or account takeovers, says Michael Bruemmer, vice president of Experian Data Breach Resolution. “Furthermore, credit monitoring and card scanning on the Internet should be included … to detect fraud on the cards or additional changes to personal identity information,” he says.
Many states have consumer protection laws that require organizations to provide free credit monitoring, notes Christopher Paidhrin, security administration manager in the information security technology division at PeaceHealth, a healthcare system in the Pacific Northwest. “So the decision [to offer it] is often a ‘given’ very early on in an information compromise,” he says.
ID Theft Protection Considerations
But when should identity theft protection services be offered? Some experts argue it should always be an option for consumers impacted by a breach. “Most employees and customers don’t have the skills, experience or resources to effectively respond to this type of loss,” Paidhrin says.
Following a breach, if an extensive amount of information has been taken, then offering identity theft protection services would be an appropriate response, says Rebecca Herold, a partner at the consulting firm Compliance Helper. “The greater the risk of identity theft when considering all the factors involved with the breach, the more likely it is the organization should provide identity theft services,” she says.
Still, before making the determination to offer such services, organizations should weigh several factors, Paidhrin says, including:
- Are breach victims likely targets for fraud?
- Does the volume of information breached warrant an organization’s investment in coverage?
- Could offering the coverage help maintain the organization’s reputation and retain customers?
Advice for Organizations
There is no one “right” answer regarding what services to offer customers following a breach, Kroll’s Lapidus says. But Herold, the consultant, says every organization that possesses personal information should be prepared to offer an array of services in case of a breach. “If they cannot self-insure for such costs, then they should invest in cybersecurity insurance, which will pay for such costs,” she says.
A breached company must clearly explain to customers why it is offering the services and how customers can participate in their own protection, adds Ganow, the attorney. “Such an approach not only mitigates the potential harm, but empowers customers and provides some control in a situation in which they feel they have none,” he says.
Al Pascual, director of fraud and security at Javelin Strategy & Research, adds: “Unless the victim is aware how they are, and can be, affected by a breach, then they cannot take steps to protect themselves. This includes many steps, such as actively monitoring their accounts or being mindful of phishing e-mails.”