It has become a staple for companies that are hit by big data breaches: extending free credit monitoring and identity protection services to customers whose sensitive personal information is at risk.
There’s nothing wrong with companies doing that, say consumer advocates — but those advocacy groups also say breached companies can do much, much better.
The latest company to get hit by hackers and then offer credit monitoring or identity protection services, Geico, last week outlined a package that is somewhat better than the usual offerings, one advocate said.
These existing services seem to offer help, yet in some cases that benefit is limited and in others it’s difficult to measure their effectiveness.
But overall, there’s little incentive for companies to offer improved redress, consumer advocacy groups contend.
“Most breached entities go with credit monitoring because it’s a relatively inexpensive thing for someone to contract with to provide,” said Susan Grant, director of consumer protection and privacy at the Consumer Federation of America. “The more services you give to people, the more expensive it’s going to be.”
While there are some prospective government penalties for breached companies, they don’t have sharp enough enforcement teeth, said James Lee, chief operating officer of the Identity Theft Resource Center.
“By and large, for your garden variety breach, there’s no real penalty to it,” he said. “The incentive to make life better for your customers whose data you lost is, just how well do you want to treat your customers?”
There are numerous sub-types of monitoring and protection services companies might provide to customers after a breach.
Credit monitoring can detect new-account fraud. Identity monitoring is able to alert customers when their information is misused on places like dark web forums. Identity restoration can mitigate the costs of identity theft in a variety of ways, while identity theft insurance covers related costs.
But a 2017 Government Accountability Office report said the quality of some of those services varies, and each has downsides.
For instance, identity restoration services range from interacting with creditors on behalf of a consumer, to simply providing information. Credit monitoring won’t help with existing-account fraud. Identity monitoring and identity theft insurance have mild or unclear benefits.
“Most of those services provide a limited amount of assistance,” Grant said. On the low end, “They give you advice about what to do depending on your circumstance, which you could get free from a website that the FTC [Federal Trade Commission] provides, or organizations that provide identity theft counseling at no charge.”
In some cases, advocacy groups say, the offerings are extremely low-effort, such as simply making existing credit monitoring services more freely available. Companies like TransUnion — called in to provide credit monitoring after the massive 2017 Equifax breach that compromised the records of nearly 150 million Americans — are already watching everyone’s credit.
Equifax and TransUnion also both happen to be credit bureaus.
“There’s a self-dealing aspect to this,” said Emily Peterson-Cassin, a digital rights attorney at Public Citizen. “When TransUnion gets breached, are they just going to give you to Equifax?”
Geico’s package was an improvement over the usual for a variety of reasons, said Lee.
“When you look at Geico, you’ll see they’re going beyond just the usual ‘Here’s your two years of credit monitoring,’” he said. “There are also some breach remediation services to help you recover if you actually have some form of identity fraud that occurs, or a compromise occurs, because most of the services are predicated on a theory that you’re actually going to be impacted.”
“More generous redress” includes offerings where the breached company takes a more active role, said Peterson-Cassin.
“Often these agreements are just, ‘Hey, something bad happened and now you have to spend hours and hours trying to fix it yourself,’” she said.
Grant said she favored more hands-on identity protection services that involve giving over power of attorney for the service to work on a victim’s behalf, contacting government agencies and other companies to resolve problems.
Further, Peterson-Cassin said, companies could provide financial reimbursement to “make people whole,” but payouts usually only occur after a class-action lawsuit that she said won’t generate enough money for victims.
There are also steps the government could take to address the problem more broadly than credit monitoring and identity protection services do, consumer advocates say.
“It’s fine and good but is ultimately just a Band-Aid for a much deeper problem,” said Ben Moskowitz, director of the Digital Lab at Consumer Reports. “We need to rethink how consumer data is stewarded, how companies secure this data and deliver stiffer penalties for breaches when they do happen.”
Some states require companies to provide credit monitoring to breach victims, ranging from two years to a lifetime, Lee said.
He said one area where governments could do better is to adequately fund identity theft reimbursement funds. His organization estimates that the U.S. has devoted less than $5 million to the cause over the last 10 years.
And the current picture doesn’t take into account victims of undisclosed breaches who receive no protections. Lee said the U.S. is probably vastly underreporting the number of actual breaches. His organization counted 1,108 publicly reported data breaches in 2020.
Europe’s General Data Protection Regulation requires breach reporting with stiff penalties for not doing so. Since that law went into effect in 2018, there have been nearly 300,000 breaches reported to regulators, Lee said.