Equifax Breach Fuels Identity Theft Remediation Debate

This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

 

On Sept. 7, 2017, Equifax Inc. announced to the world that from May 2017 through July 2017, it had experienced a cyberattack that had compromised the security of the personal information of 145.5 million U.S. consumers. Equifax's initial offer to provide affected individuals with a year of its own credit monitoring service in response was met with skepticism and downright incredulity by those who maintained that the suggested “fix” was hardly enough to compensate consumers for the fallout they were bound to experience as a result of the incident.

In the wake of suits filed against Equifax by consumers, businesses and governmental units, courts will have to grapple with the question of what remedies are appropriate. These issues are not unique to the Equifax incident, but the scope of the breach will undoubtedly lead to more debate than ever before.

Questions regarding the effectiveness of credit-monitoring and other traditional breach remediation measures are not new. On Mar. 30, 2017, just a few short months before the Equifax breach, the U.S. Government Accountability Office (GAO) published a 70-page report concerning the effectiveness of identity-theft services (including credit monitoring, identity monitoring, identity restoration and identity theft insurance) as remedies for data breach victims (GAO-17-254).

The GAO report was issued at the request of members of Congress in the wake of two high-profile data breaches experienced by the Office of Personnel Management (OPM), which exposed the personal information (including background investigations and other personnel records) of approximately 22.1 million individuals. OPM awarded two contracts obligating about $240 million for identity theft services as a result.

The GAO report examined several relevant issues, including the potential benefits and limitations of identity theft services, and factors that affect government and private-sector decision-making about such services. While the purpose of the GAO report is to make recommendations to Congress regarding data breach responses of federal agencies, the report has implications for the private sector as well.

In compiling the report, the GAO reviewed the websites of 26 providers of identity theft services, as well as relevant studies and federal enforcement decisions. The GAO also interviewed decision-makers representing federal agencies and private entities regarding how they chose which services to provide following a data breach.

The GAO report identified several limitations of the four most common types of identity theft services.

Credit monitoring helps detect new-account fraud (that is, the opening of new unauthorized accounts) by alerting users when their personal information is used in connection with a new loan, credit card or other account. While early detection can be useful, credit monitoring is limited in effect because it does not prevent new-account fraud or address fraud with respect to existing accounts, such as misuse of a stolen credit card number.

While new-account fraud is on the rise, partly due to the increased availability of microchipped payment cards, existing-account fraud continues to be a significant issue. According to the Bureau of Justice Statistics, a substantial majority of identity theft victims (86%) experienced fraud relating to existing account information. Further, a study published by Javelin Strategy & Research in February of this year found that in 2016, incidence of fraud related to account takeovers rose 31% from 2015.

Consumers have alternatives to credit monitoring that can prevent certain types of fraud. Free fraud alerts and low-cost credit freezes can prevent new-account fraud by requiring businesses to verify the consumer's identity prior to issuing credit and restricting access to the consumers' credit report, respectively. But the consumer has to lift the freeze before they can obtain new credit, so a freeze may not be optimal in all situations.

Identity monitoring can alert consumers to misuse of certain personal information by monitoring sources such as public records or illicit websites. Identity monitoring services scan sources other than credit reports (including public records, proprietary databases and black-market websites) and alert consumers when they detect new or inaccurate information, or when they detect the consumers' personal information in inappropriate places. Similar to credit monitoring services, identity-monitoring services allow the consumer to benefit from early detection. They have the added benefit that they access sources that might not be readily available to the average consumer, but their effectiveness at preventing identity theft is unclear.

Identity restoration seeks to remediate the effects of identity theft, but the level of service varies. Some providers offer hands-on assistance, such as contacting financial institutions to dispute fraudulent accounts or contacting credit bureaus to report errors or place fraud alerts on the consumer's behalf. But others largely provide self-help information, which is of more limited benefit.

Identity theft insurance covers certain expenses of identity restoration, but coverage generally excludes direct financial losses, and the number and dollar amount of claims has been low. According to the Bureau of Justice Statistics, in 2014, only 5% of all identity theft victims reported indirect losses — defined as expenses such as legal fees, postage, notary fees and other miscellaneous expenses — associated with their most recent incident of identity theft. The average indirect loss was $261, and half of all indirect losses were less than $10.

 

Angela R. Matney is an attorney with Hirschler Fleischer in Fredericksburg, VA, who counsels employers on information privacy compliance. She is a Certified Information Privacy Professional (CIPP), and may be reached at 540-604-2117 or by e-mail at [email protected].

This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

 

On Sept. 7, 2017, Equifax Inc. announced to the world that from May 2017 through July 2017, it had experienced a cyberattack that had compromised the security of the personal information of 145.5 million U.S. consumers. Equifax's initial offer to provide affected individuals with a year of its own credit monitoring service in response was met with skepticism and downright incredulity by those who maintained that the suggested “fix” was hardly enough to compensate consumers for the fallout they were bound to experience as a result of the incident.

In the wake of suits filed against Equifax by consumers, businesses and governmental units, courts will have to grapple with the question of what remedies are appropriate. These issues are not unique to the Equifax incident, but the scope of the breach will undoubtedly lead to more debate than ever before.

Questions regarding the effectiveness of credit-monitoring and other traditional breach remediation measures are not new. On Mar. 30, 2017, just a few short months before the Equifax breach, the U.S. Government Accountability Office (GAO) published a 70-page report concerning the effectiveness of identity-theft services (including credit monitoring, identity monitoring, identity restoration and identity theft insurance) as remedies for data breach victims (GAO-17-254).

The GAO report was issued at the request of members of Congress in the wake of two high-profile data breaches experienced by the Office of Personnel Management (OPM), which exposed the personal information (including background investigations and other personnel records) of approximately 22.1 million individuals. OPM awarded two contracts obligating about $240 million for identity theft services as a result.

The GAO report examined several relevant issues, including the potential benefits and limitations of identity theft services, and factors that affect government and private-sector decision-making about such services. While the purpose of the GAO report is to make recommendations to Congress regarding data breach responses of federal agencies, the report has implications for the private sector as well.

In compiling the report, the GAO reviewed the websites of 26 providers of identity theft services, as well as relevant studies and federal enforcement decisions. The GAO also interviewed decision-makers representing federal agencies and private entities regarding how they chose which services to provide following a data breach.

The GAO report identified several limitations of the four most common types of identity theft services.

Credit monitoring helps detect new-account fraud (that is, the opening of new unauthorized accounts) by alerting users when their personal information is used in connection with a new loan, credit card or other account. While early detection can be useful, credit monitoring is limited in effect because it does not prevent new-account fraud or address fraud with respect to existing accounts, such as misuse of a stolen credit card number.

While new-account fraud is on the rise, partly due to the increased availability of microchipped payment cards, existing-account fraud continues to be a significant issue. According to the Bureau of Justice Statistics, a substantial majority of identity theft victims (86%) experienced fraud relating to existing account information. Further, a study published by Javelin Strategy & Research in February of this year found that in 2016, incidence of fraud related to account takeovers rose 31% from 2015.

Consumers have alternatives to credit monitoring that can prevent certain types of fraud. Free fraud alerts and low-cost credit freezes can prevent new-account fraud by requiring businesses to verify the consumer's identity prior to issuing credit and restricting access to the consumers' credit report, respectively. But the consumer has to lift the freeze before they can obtain new credit, so a freeze may not be optimal in all situations.

Identity monitoring can alert consumers to misuse of certain personal information by monitoring sources such as public records or illicit websites. Identity monitoring services scan sources other than credit reports (including public records, proprietary databases and black-market websites) and alert consumers when they detect new or inaccurate information, or when they detect the consumers' personal information in inappropriate places. Similar to credit monitoring services, identity-monitoring services allow the consumer to benefit from early detection. They have the added benefit that they access sources that might not be readily available to the average consumer, but their effectiveness at preventing identity theft is unclear.

Identity restoration seeks to remediate the effects of identity theft, but the level of service varies. Some providers offer hands-on assistance, such as contacting financial institutions to dispute fraudulent accounts or contacting credit bureaus to report errors or place fraud alerts on the consumer's behalf. But others largely provide self-help information, which is of more limited benefit.

Identity theft insurance covers certain expenses of identity restoration, but coverage generally excludes direct financial losses, and the number and dollar amount of claims has been low. According to the Bureau of Justice Statistics, in 2014, only 5% of all identity theft victims reported indirect losses — defined as expenses such as legal fees, postage, notary fees and other miscellaneous expenses — associated with their most recent incident of identity theft. The average indirect loss was $261, and half of all indirect losses were less than $10.

 

Angela R. Matney is an attorney with Hirschler Fleischer in Fredericksburg, VA, who counsels employers on information privacy compliance. She is a Certified Information Privacy Professional (CIPP), and may be reached at 540-604-2117 or by e-mail at [email protected].