Data breaches have exposed the personal data of hundreds of millions of people and put them at risk for identity theft. Identity theft services can be convenient, but they don’t prevent fraud from happening in the first place. So what can you do if you’re a victim of a data breach and subsequently identity theft?
The Government Accountability Office (GAO), which has previously recommended that Congress reconsider legislation requiring federal agencies to offer high levels of identity theft insurance coverage, says there are some steps you can take on your own for free. These include freezing your credit reports, which prevents the opening of new credit accounts or loans in your name.
GAO was asked to review issues related to consumers’ options to address risks of harm from data breaches. Its March 27 report examines information and expert views on the effectiveness of consumer options to address data breach risks.
The findings? Unsurprisingly, no one solution can address the range of potential risks from a data breach, according to interviews with academic, consumer, government, and industry experts and documentation GAO reviewed. Perpetrators of fraud can use stolen personal information—such as account numbers, passwords, or Social Security numbers—to take out loans or seek medical care under someone else’s name, or make unauthorized purchases on credit cards, among other crimes. Foreign state-based actors can use personal information to support espionage or other nefarious uses. Because the attacks vary in method and intensity, a one-size-fits-all solution simply does not work. As with other security threats, a layered approach combined with vigilance is key to protecting against identity theft and data breaches.
Public and private entities that experience a breach sometimes provide complimentary commercial identity theft services to affected individuals to help monitor their credit accounts or restore their identities in cases of identity theft, among other features. Consumers also may purchase the services. As of November 30, 2018, the Office of Personnel Management (OPM) had obligated about $421 million for a suite of credit and identity monitoring, insurance, and identity restoration services to offer to the approximately 22 million individuals affected by its 2015 data breaches. As of September 30, 2018, about 3 million had used the services and approximately 61 individuals had received payouts from insurance claims, for an average of $1,800 per claim. OPM re-competed and awarded a contract to the previously contracted company in December 2018.
GAO’s review did not identify any studies that analyzed whether consumers who sign up for or purchase identity theft services were less subject to identity theft or detected financial or other fraud more or less quickly than those who monitored their own accounts for free. A few experts said consumers could sign up for such services if offered for free. Credit monitoring may be convenient for consumers and personalized restoration services may help identity theft victims recover their identities, but such services do not prevent fraud from happening in the first place. The services also do not prevent or directly address risks of nonfinancial harm such as medical identity theft.
Consumer, government, and industry experts interviewed by GAO highlighted other free options for those at risk following a data breach, including a credit freeze. A freeze restricts businesses from accessing a person’s credit report—and can prevent the illicit opening of a new account or loan in the person’s name. A provision of federal law that took effect in September 2018 made it free for consumers to place or lift credit freezes quickly at the three nationwide consumer reporting agencies (Equifax, Experian, and TransUnion).
Consumers also can regularly monitor their accounts and review their credit reports for free every 12 months. In addition, they can take advantage of free federal assistance such as the guidance on the Federal Trade Commission’s IdentityTheft.gov website.
Large amounts of personal information are outside of consumers’ control and bad actors can use stolen information for years after a breach. Therefore, experts noted that data security at entities that hold such information—and efforts to make stolen information less useful for identity thieves, through use of new identity verification technologies, for example—are important ways to mitigate risks of harm for consumers.
If prevention is no longer an option and you have become a victim of identity theft, GAO recommends visiting IdentityTheft.gov to set up an account and fill out and file the necessary reports. In addition, consumers are advised to contact state or local government resources such as consumer protection helplines, and to consider using commercial identity restoration.
GAO reiterates that protecting against data breaches is a matter for congressional consideration. In a 2017 report, GAO found that legislation requiring federal agencies that experience data breaches, including OPM, to offer certain levels of identity theft insurance coverage to affected individuals requires coverage levels that are likely unnecessary. Therefore, GAO says Congress should consider permitting agencies to determine the appropriate coverage level for such insurance. The $5 million per-person coverage limit mandated by Congress likely is unnecessary and might impose costs without providing a meaningful corresponding benefit. Specifically, it was noted that $5 million in coverage would increase federal costs unnecessarily, likely mislead consumers about the benefit of the product, and create unwarranted escalation of coverage amounts in the marketplace.
GAO also recommended OMB update its guidance for agency responses to data breaches, after analyzing the effectiveness of identity theft services relative to lower-cost alternatives. OMB did not agree or disagree and had not taken action as of early March 2019.