
Should States Mandate A Minimum Period of Credit Assistance For Data-Breach Victims?

In a prior post about the Bank of New York Mellon's latest offer to its data breach victims, a commenter asked:

"Couldn't individual states require more than 2 years and perhaps 10 years credit assistance?"

At first glance, a state law requiring a minimum period of credit assistance for data-breach victims sounds like a great idea. A minimum period of 10 or 15 years of free credit monitoring would be fabulous since companies archive massive amounts of consumers' data, and companies' data breaches create a lengthy risk period for consumers. However, I'm not so sure such a law will work.

First, not all states have data breach notification and Security Freeze laws. About 43 states have laws requiring companies to notify consumers after a data breach. (See the interactive map in the CSO article.) Of these, most lack civil or criminal penalties for a failure to promptly notify consumers.

After the millions of exposed consumer records and hundreds of data breaches, you'd think that every state legislature already would have mandated data breach notification and Security Freeze laws. You'd think that the laws would include civil and criminal penalties for a company's failure to notify consumers.


Second, there is no clear single definition of what would or should be in a credit assistance offer. I learned from my experience with IBM's post-data-breach offer of credit assistance that IBM narrowly defined it as credit restoration and not credit monitoring. The issue of what should be in a credit assistance offer was also the focus of a September 2007 American Banker news article I was interviewed for.

Companies know that only a minority (perhaps 30%) of their data-breach victims accept the company's offer of free credit monitoring. Why? Some consumers don't need it, and some consumers already have a credit monitoring service in place.

An even smaller percentage of data-breach victims also need credit restoration to fix damaged credit and/or financial accounts opened by identity thieves. So, any state law mandating a minimum period of free credit monitoring must also define the features and components of a credit monitoring service. Otherwise, to minimize their post-data-breach costs, companies will likely:

  • Pick the weakest credit monitoring service, or the one with the fewest features,
  • Offer credit restoration instead of credit monitoring, knowing that an even smaller percentage of data-breach victims will use that,
  • Lower insurance amounts,
  • Insert in the offer stricter rules requiring customers to prove their data breach was the cause before reimbursement of expenses, or
  • All of the above

So far, state legislatures seem unwilling to mandate periods of free credit monitoring. Heck, there doesn't seem to be any consistency on which credit bureaus should be covered. For example, the Innovis credit bureau is rarely, if ever, mentioned in corporate data breach notifications. And current state data breach laws don't cover C.L.U.E. insurance reports. Consumers need to monitor all of these reports in order to adequately protect their identity information.

I encourage consumers to write to their elected officials and tell them they want their state's identity theft and data breach notification laws to mandate a minimum period of credit assistance after a company's data breach. What do you think? Should states mandate a minimum period of credit monitoring assistance? Share your opinions below.




Great blog, and thank you for exploring this topic!

I think you're being overly focused on the possible financial impact of a breach.

As I wrote in, we should consider breaches as a breach of trust and a duty of confidentiality (as Dan Solove has written about), and not focus overly-much on the financial implications.

I wouldn't want to have to deal with a company selected by the breached entity, which is the likely effect of the law you propose. I think that the market is evolving pretty rapidly, and locking in the services of today would be a mistake.

John Taylor


You're thinking up the wrong tree my friend. From an employer's point of view the issue is not identity theft and offering credit monitoring after a breach. All an employer cares about, (and believe me I know), is to protect the company bottom line. Between the state reporting laws, class actions, the federal legislation, the public notification and resulting press pieces, a business cannot afford to have a breach. So, what is the most practical course of action? Quite simply every employer should follow the guidelines to institute a response program as described in the Red Flag Rule (FACTA secs 114 and 314). Part of that procedure is the adoption of a written policy on the safeguarding of sensitive personal information, training ALL employees on the policy, and offering a mitigating identity theft service BEFORE an incident, and to document the offering. This can either be employer or employee paid, the point is to make it available. The net effect of this action is to greatly lower the company risk and liability in the event of a breach. Most American businesses need to be compliant with this legislation prior to November 1st of this year, but all businesses should adopt these guidelines as the most practical approach. The homework is already done.
