During the past few months, I've learned that after a data breach with sensitive personal data (e.g., name, address, birth date, SS#), the affected company usually offers its affected employees, former employees, or customers one year of free credit monitoring service. An article in the Friday, August 31 American Banker (AB) publication explored the best features for a credit monitoring service. The contents of that credit monitoring service offer seem to vary from company to company.
In the article, AB reporter Daniel Wolfe quoted several representatives from IBM, Kroll, Gartner (a market research company), Certegy, and me -- author of I've Been Mugged. Mr. Wolfe wrote a balanced article including a variety of perspectives about credit monitoring services.
In the article, representatives from IBM and Gartner emphasized that the value for ID-theft victims is with credit restoration services rather than credit monitoring:
"This is more than just credit monitoring," said Fred McNeese, an IBM spokesman, in an interview. "In the event that the loss was linked to credit theft, then it's working with Kroll to restore a person's identity." Avivah Litan, a vice president and research director at Gartner Inc., a market research company in Stamford, Conn., said most companies put little thought into nonstandard fraud monitoring services. She said IBM made a good pick in Kroll. "Credit restoration is very labor-intensive," and getting a credit report is not, she said.
No doubt. If identity thieves have stolen your personal data and have already hacked into one or more of your financial accounts (e.g., stole money, or gained credit or loans in your name), then yes -- you need help restoring your credit, your finances, and your identity. And credit restoration services are what an ID-theft victim needs in this situation.
If your data has been exposed by a data breach -- but nothing stolen or hacked yet -- then you need credit monitoring. There's nothing to fix or restore (yet). Credit restoration service becomes critical after identity thieves access your financial accounts and steal credit or money.
Credit monitoring is also important for ID-theft victims who are novices -- they haven't read their credit report recently, or ever. Many people I've talked with or traded e-mails with haven't read their credit report recently.
Yes, identity thieves operate quickly and the financial damage may happen within hours after the theft of personal information... making credit restoration necessary immediately. However, with corporate data breaches, it may take weeks or months for identity thieves to decode encrypted tapes; or the stolen personal data may be resold among several thieves before it is used criminally. If you study the TJX data breach, you'll see that thieves who weren't the original hackers were arrested many months (or years) later; personal data clearly was resold among identity thieves in the US and in other countries. And this fact extends the risk window.
I encourage I've Been Mugged readers to read the American Banker article online (registration required). To register, the AB site will ask you to either subscribe to the magazine or try the 2-week free trial account option.
I wish that the article had given more focus on the duration of the free credit monitoring services offer. I haven't seen much discussion in the literature about what the optimal duration is. Usually, companies with a data breach offer one year of free credit monitoring services to affected individuals (e.g., employees, former employees, and customers). I haven't seen any literature or research about whether all affected individuals receive the same offer. I wonder if senior executives in the company receive the same credit monitoring offer as lower-level employees.
Mr. Wolfe's article accurately stated that I believe that the duration of free credit monitoring services should match the risk period... which is far longer than one year. Why? First, there's no time limit to how long identity thieves will (or will attempt to) abuse your personal data. Second, the company's data breach caused the risk, not the ID-theft victim's actions.
Any free credit monitoring services duration that is shorter than the risk period effectively shifts the burden (and the cost) from the company to the ID-theft victim. In the case of a company data breach, that burden-shifting is unfair, in my opinion.
What do you think? Is one year an appropriate duration for free credit monitoring services after a data breach? What do you think are the best features of a credit monitoring service? You can take our survey located in the column on the right.