A prior blog entry discussed how IBM had lost data tapes containing the personal data for thousands of current and former employees. What was IBM's offer for the affected employees? One year of free credit monitoring. While a Fraud Alert is free, consumers can pay anywhere from "$50 to $200 per year" for a credit monitoring service.
I really do appreciate IBM's offer of free credit monitoring service for one year. Credit monitoring is wise because the 2003 FTC Identity theft survey found that consumers who monitor their credit tend to lose less money to identity theft and spend less time and money fixing the problem. About.com has a page that clearly explains the benefits of a credit monitoring service. However, a credit monitoring service has its limitations.
First, credit monitoring is like any other service. Some consumers like it, some say the value isn't there, and others prefer stronger protection. A recent BBB and Javelin study found that credit monitoring services uncovered about 11% of fraud. A credit monitoring service won't protect you against all types of identity theft, just the scams where the thief applies for credit, a loan, or a product purchase where the company checks with one of the three national credit bureaus for your credit data. An example, a credit monitoring service won't protect you when an identity thief gives law enforcement your stolen identity during a traffic stop or a crime.
Second, while credit monitoring is strongly recommended, paying for a credit monitoring service isn't for everyone. The Identity Theft Resource Center advises the following after a data breach:
Place a fraud alert with each bureau (asking companies to contact you prior to issuing credit) and request your free copy of the credit report. It is free because your information was breached. If asked, you are a potential victim of id theft... Check your report carefully for any irregularity...Use the annual credit reports system to monitor your credit report over the next year. Stagger them out by ordering one every four months.
According to the Security Breach Guide at the Privacy Rights Clearinghouse site:
"Every consumer, whether or not a victim of identity theft, can receive one free credit report every 12 months from each of the three national credit bureaus. This is over and above the free credit report that you can request upon establishing a fraud alert. See the Resources at the end of this guide for information on how to order your free report. In addition, laws in several states give individuals other opportunities to obtain free credit reports."
So, you can order your free annual credit report from all three national credit bureaus at once, or stagger when you receive them over several months.
Third, if you already have credit monitoring, then another offer of free credit monitoring is really minimal or no help at all. When IBM notified me, I had already established a credit monitoring service through my Discover Card 4 or 5 years earlier. At worst, IBM's offer is no help because it duplicates an existing credit monitoring service. At best, IBM's offer is an opportunity for me to compare over time two credit monitoring services and cancel the poorer service at the end of the year. What I did learn is this: make sure that whatever credit monitoring service you use, a)provides real-time alerts about inquiries into your credit file; and b) monitors all three national credit bureau services. My service monitored one, but it provided a free upgrade to all three credit bureaus. Obviously, I happily upgraded.
Fourth, IBM's offer of free credit monitoring for one year could be seen as a slick effort to shift focus and responsibility from IBM to the consumer and his/her credit monitoring service. IBM still has a duty to protect the personal data for all current and former employees, to inform us of IBM's processes to protect our data (e.g., through various required correspondence, IBM now has my current personal data), and to inform us of the results of its investigation about the data tape loss/theft. The credit monitoring service is not and should never be an excuse for any company to avoid responsibility for protecting the personal data it stores.
Fifth, IBM's offer of free credit monitoring for one year doesn't address the fact that the risk period of identity theft extends far beyond one year. IBM created this risk when their subcontractor lost (or stole) my personal data. Smart identity theft thieves can just sit on the data for 2 years or longer, and then use (or sell) the stolen data. Or it may take more than a year for the thief to sell the data and for a buyer to use the stolen personal data.
In my opinion, the length of the free credit monitoring service should match the risk period. IBM lost my personal data. There has to be a consequence when a company doesn't adequately protect personal data. If the free credit monitoring period doesn't match the risk period, then IBM has unfairly shifted the burden from themselves to the ID theft victim. In the instances where a victim already has a credit monitoring service, the company should reimburse the consumer for that risk period.
Moreover, IBM's offer is like giving me the sleeves from a vest. It does not solve the problem that led to the data tape loss/theft. It does not address IBM's internal process and policies, or lack of enforcement, which led up to an IBM contractor losing (or stealing) the employee data. It does not address IBM's responsibility to inform victims and to protect the personal data consumers have entrusted it with.
Next entry: protecting yourself