I can’t remember more high profile breaches occurring in such close succession, as has been the case over the last year. These “mega” breaches have spurred an enormous amount of attention on the topic and, while more education and dialogue around breaches and identity theft is beneficial, it also produces a proliferation of misinformation. For example, everyone seems to have an opinion on the best ways to protect yourself from identity theft and fraud, and the value of identity protection and credit monitoring products.
First, I’d like to state that I am proud of the products and services that Experian provides. We offer comprehensive solutions for consumers affected by a breach, including credit monitoring, internet scanning, fraud resolution assistance and identity theft insurance. In fact, following the most recent retail data breaches, we are offering consumers a discounted introductory membership in our award-winning ProtectMyID product for only $.99 cents per month for the first twelve months. This offer will be available for 30 days, starting Sept. 9, 2014.
Part of our rationale for making this very affordable, limited time offer is to help provide consumers with the opportunity to receive proactive alerts about potential identity theft. We also want to provide a little clarity on the subject of credit monitoring and fraud protection after a data breach. There are some communications out there that are misleading so I’d like to address those here:
- The terms “automatic enrollment” and “no action claim” – what they really mean
When a breach happens and consumers are offered a product that touts, “There is no action required on your part at this time” it’s doing the consumer a disservice. Why? Because there is always a need for action. Recent breach notifications have seemed to suggest that you just need to call a hotline only if a “problem arises.”
How are consumers supposed to know when problems arise if they think “no action is required?” They don’t.
These notifications are promoting a fraud resolution service as a primary defense but you have to identify the fraud on your own. YOU have to do the legwork to check your own credit report and monitor your financial or health records to identify any fraudulent activity before this service can assist you. This is much more time consuming and ineffective than receiving ongoing credit monitoring that alerts you to key changes in your credit report. Ultimately, with this kind of limited product, you are left with the burden to detect any identity theft and fraud cases.
In fairness, breach victims are told that, “for additional protection,” they can sign up for, what is, a more appropriate service (for free) that includes credit monitoring and identity theft insurance. Why not just tell them to sign up in the first place? Why risk that they would miss the opportunity to be alerted to possible identity theft and fraud? They have to know about the fraud before they can call the assistance hotline – but how can they without a monitoring product? You may find out about a fraudulent credit card charge by reviewing your statements but there are other types of fraud that can happen, such as a new account opened in your name, which will be reflected in your credit report. Implying “no action is required” seems disingenuous.
- Credit monitoring isn’t the right product for certain breaches
A popular argument is that credit monitoring is not useful or beneficial for breaches that do not expose Social Security numbers. For example, a breach may have exposed your debit card number, or your email address and password.
Studies show that cybercriminals use information from non-Social Security number breaches to gain access into other accounts. In other words, a cybercriminal may be able to use a password and username to access an individual’s bank account or credit card account. A recent study by the Rand Corp. found that cybercriminals who stole information from one website (such as usernames and passwords) could use that information to gain access into 10 other websites. Also, thieves can either piece together an identity or create an entirely fake identity, called synthetic identity theft, from multiple breaches combining names, email passwords and credit card numbers, for instance, to commit fraud.
Many government agencies and knowledgeable sources agree that credit monitoring is one of the best ways to protect yourself. In California, legislators enacted A.B. 1710, a bill that would require breached businesses offering identity theft protection services to affected persons to provide the services for free for at least one year. Also, just this week Attorney General Patrick Morrisey of West Virginia responding to the data breach at Community Health Systems, Inc., encourages consumers to take advantage of credit monitoring. We can already see that many states are following in California’s lead.
Some other entities and experts that publicly recommend credit monitoring or provide educational information about the benefits of credit monitoring include: The Department of Homeland Security (DHS) in its Privacy Incident Handling Guidance report; Federal Trade Commission; and Identity Theft Resource Center, to name a few.
People are naturally anxious when they hear of a breach at a large retail chain where they likely shopped. Expect that breached organizations will take the extra steps to help customers protect themselves. This means there should be clear communication about what that protection product being offered really does on your behalf. There is no one fool-proof method to monitor and protect against identity fraud, but good defensive habits and a comprehensive service, like ProtectMyID, improve the chances you can catch something suspicious quickly and address it before it becomes a bigger problem.