Organizations of all industries and sizes that hold and transmit people’s personal information should keep it secure from unauthorized access and use. But what if there is a data breach that exposes personal information? How should the breached entity help those affected? Should it offer them identity theft services? If so, how should it choose the provider and what features should it look for to ensure that the services will fit the needs of the victims?
To help answer those questions, the Consumer Federation of America (CFA) and our Identity Theft Service Best Practices Working Group, which includes consumer advocates and identity theft service providers, have created a new resource – “My company’s had a data breach, now what? 7 questions to ask when considering identity theft services.” In the checklist, we’ve included a link to the information that the National Cyber Security Alliance provides for businesses about how to secure the data they hold. Despite good faith efforts to prevent them, breaches can still happen, so it’s wise to be prepared. This checklist isn’t intended to be legal advice; always consult with an attorney about how to respond to a data breach.
Identity theft services typically involve alerting people about possible fraudulent use of their personal information, mitigating the damage and/or helping them recover from identity theft. In the checklist we explain the different kinds of monitoring and fraud resolution that may be available; these programs’ features can often be customized to fit particular breach situations. One of the basic questions to ask is whether the service will provide breach victims with information about how to reduce the potential damage – for example, by changing their account numbers and passwords, monitoring their accounts online and using fraud alerts, security freezes and other tools.
We also suggest asking the following questions when evaluating an identity theft service:
- Are services available 24/7?
- Is there a toll-free number with live operators?
- What are the provider’s response times?
- Does the service cater to multiple languages?
- If monitoring is provided, how quickly are alerts sent?
- Are there specially trained personnel to help victims of fraud resulting from the breach, and will that assistance continue for problems that aren’t resolved when the contract ends?
Identity theft service providers may offer other assistance as well, such as helping breached entities to write and/or send notices to the victims and handling other communications. Another question to consider is whether to have identity theft services prepared in advance. It can be less stressful and save money to pre-negotiate for these services rather than shopping for them in the midst of a breach. The checklist covers how to find reputable identity theft service providers.
Of course, identity theft services aren’t necessary in every breach situation. A good rule of thumb is: if the breached entity is required by state or federal law to notify those affected, the organization should consider offering these services. In interviewing prospective identity theft service providers, it’s important to describe the types of personal information that have been – or could be – compromised and ask what features would be most helpful to the victims. We also suggest addressing whether and in what manner the identity theft service provider may solicit the breach victims to purchase services during the contract period and/or once it ends. As in any contract, the services and terms should be clearly described and accurately reflect what has been agreed to.
CFA’s Best Practices for Identity Theft Services, which was updated last year with input from the working group, and the checklist are intended to encourage good practices in the identity theft service marketplace. You can also find a guide for consumers, Nine Things to Check When Shopping for Identity Theft Services, and much more about identity theft at www.IDTheftInfo.org.
About the Author
Susan Grant is the director of consumer protection and privacy at Consumer Federation of America, an association of consumer organizations and agencies across the United States. She works on many issues, including consumer complaints, identity theft, privacy, telemarketing and electronic and mobile commerce.