Washington, D.C. – According to the Identity Theft Resource Center, there were more than 630 data breaches in the U.S. from January 1 through August 31 of this year, putting 2016 on track to exceed the total of 780 breaches that the group recorded in 2015 and millions of individuals at risk of identity fraud. When companies, organizations or government agencies experience a data breach that may have exposed people’s personal information, one of the many issues they must address is how to help those affected. Should they offer them identity theft services? If so, how should they choose the provider and what features should they look for? Consumer Federation of America and its Identity Theft Service Best Practices Working Group, which includes consumer advocates and identity theft service providers, have created a checklist, “My company’s had a data breach, now what? 7 questions to ask when considering identity theft services,” to help breached entities make these decisions.
“Identity theft services may not be necessary for every breach, but if you’re going to offer this kind of service, it is important to make sure that that it provides the information and assistance that best fits the needs of the people who are impacted,” said Susan Grant, Director of Consumer Protection and Privacy at CFA.
Identity theft service providers offer a range of services which typically include alerting people about possible fraudulent use of their personal information, mitigating the damage, and/or helping them recover from identity theft. The features of the programs vary and can often be customized to fit particular breach situations. One of the questions that the checklist suggests asking is whether the service will provide information to the breach victims about how to reduce the potential damage that may result from the breach – for example, by changing their account numbers and passwords, monitoring their accounts online, and using fraud alerts, security freezes and other tools.
Other general questions include: Are services available 24/7? Is there a toll-free number with live operators? What response times will the provider commit to? Can the service handle multiple languages? If monitoring is provided, how quickly are alerts sent? Are there specially trained personnel to help victims of fraud resulting from the breach, and will that assistance continue for problems that aren’t resolved when the contract ends?
The checklist explains the different kinds of monitoring and fraud resolution that may be offered. Whether identity theft services are needed and what features to look for depends on the types of personal information involved and other factors. If the breached entity is required under state or federal law to notify those affected, it should consider providing these services. Another consideration is whether to have identity theft services lined up in advance rather than having to shop for them in the midst of a breach. “Responding to a data breach can be hectic,” Ms. Grant noted. “Pre-negotiating for these services may save money and lower the stress level.” How to find a reputable identity theft service provider and what additional assistance it may be able to provide in the event of the breach are also covered in the checklist. This information is not meant to be legal advice, however. “Always consult with an attorney on what steps to take in response to a breach,” said Ms. Grant.
CFA’s Identity Theft Service Best Practices Working Group includes Call for Action, Consumer Action, Attorney Mari Frank, Privacy Rights Clearinghouse, AllClearID, Equifax Consumer Services, Experian (ProtectMyID), EZShield Fraud Protection, ID Experts, ID Watchdog, IDT 911, Intersections Inc., Kroll, Merchants Information Solutions, Worldwide Benefit Services (ID Theft Assist), and Zander Identity Theft Services.
Linda Sherry, Director of National Priorities at Consumer Action said: “The checklist, developed with input from fraud protection, credit monitoring, identity theft experts and consumer protection organizations, provides useful guidance in measuring third-party monitoring services for companies that have suffered a breach or want to be proactive in planning for potential breaches.” “Working collaboratively with all members of the breach response team and following best practice guidelines, such as the checklist from the CFA, is the best course of action for organizations who are committed to doing the right thing for their companies, employees and customers,” said Bob Gregg, CEO of ID Experts. Russ Johnson, President and CEO of Merchants Information Solutions, said “The checklist, developed by industry leaders, is an unbiased, highly valuable and effective way to protect and sustain the viability of your business when considering data breach services.”
With input from the Working Group, CFA has previously produced Best Practices for Identity Theft Services, which were updated last year, and a guide for consumers, Nine Things to Check When Shopping for Identity Theft Services. The Working Group was formed to encourage identity theft service providers to follow good practices after CFA released a report in 2009 that identified problems with some companies’ claims and the lack of clear, accurate information about what they did, how they worked, and what they cost.
“My company’s had a data breach, now what? 7 questions to ask when considering identity theft services” and other resources about identity theft for businesses and consumers are available on CFA’s www.IDTheftInfo.org website.
Contact: Susan Grant, 202-939-1003
The Consumer Federation of America is a national organization of more than 250 nonprofit consumer groups that was founded in 1968 to advance the consumer interest through research, advocacy, and education.