Equifax Breach Fuels Identity Theft Remediation Debate
In the wake of suits filed against Equifax by consumers, businesses and governmental units, courts have to grapple with the question of what remedies are appropriate.
November 27, 2017 at 08:00 AM
11 minute read
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
On Sept. 7, 2017, Equifax Inc. announced to the world that from May 2017 through July 2017, it had experienced a cyberattack that had compromised the security of the personal information of 145.5 million U.S. consumers. Equifax's initial offer to provide affected individuals with a year of its own credit monitoring service in response was met with skepticism and downright incredulity by those who maintained that the suggested “fix” was hardly enough to compensate consumers for the fallout they were bound to experience as a result of the incident.
In the wake of suits filed against Equifax by consumers, businesses and governmental units, courts will have to grapple with the question of what remedies are appropriate. These issues are not unique to the Equifax incident, but the scope of the breach will undoubtedly lead to more debate than ever before.
Questions regarding the effectiveness of credit-monitoring and other traditional breach remediation measures are not new. On Mar. 30, 2017, just a few short months before the Equifax breach, the U.S. Government Accountability Office (GAO) published a 70-page report concerning the effectiveness of identity-theft services (including credit monitoring, identity monitoring, identity restoration and identity theft insurance) as remedies for data breach victims (GAO-17-254).
The GAO report was issued at the request of members of Congress in the wake of two high-profile data breaches experienced by the Office of Personnel Management (OPM), which exposed the personal information (including background investigations and other personnel records) of approximately 22.1 million individuals. OPM awarded two contracts obligating about $240 million for identity theft services as a result.
The GAO report examined several relevant issues, including the potential benefits and limitations of identity theft services, and factors that affect government and private-sector decision-making about such services. While the purpose of the GAO report is to make recommendations to Congress regarding data breach responses of federal agencies, the report has implications for the private sector as well.
In compiling the report, the GAO reviewed the websites of 26 providers of identity theft services, as well as relevant studies and federal enforcement decisions. The GAO also interviewed decision-makers representing federal agencies and private entities regarding how they chose which services to provide following a data breach.
The GAO report identified several limitations of the four most common types of identity theft services.
Credit monitoring helps detect new-account fraud (that is, the opening of new unauthorized accounts) by alerting users when their personal information is used in connection with a new loan, credit card or other account. While early detection can be useful, credit monitoring is limited in effect because it does not prevent new-account fraud or address fraud with respect to existing accounts, such as misuse of a stolen credit card number.
While new-account fraud is on the rise, partly due to the increased availability of microchipped payment cards, existing-account fraud continues to be a significant issue. According to the Bureau of Justice Statistics, a substantial majority of identity theft victims (86%) experienced fraud relating to existing account information. Further, a study published by Javelin Strategy & Research in February of this year found that in 2016, incidence of fraud related to account takeovers rose 31% from 2015.
Consumers have alternatives to credit monitoring that can prevent certain types of fraud. Free fraud alerts and low-cost credit freezes can prevent new-account fraud by requiring businesses to verify the consumer's identity prior to issuing credit and restricting access to the consumers' credit report, respectively. But the consumer has to lift the freeze before they can obtain new credit, so a freeze may not be optimal in all situations.
Identity monitoring can alert consumers to misuse of certain personal information by monitoring sources such as public records or illicit websites. Identity monitoring services scan sources other than credit reports (including public records, proprietary databases and black-market websites) and alert consumers when they detect new or inaccurate information, or when they detect the consumers' personal information in inappropriate places. Similar to credit monitoring services, identity-monitoring services allow the consumer to benefit from early detection. They have the added benefit that they access sources that might not be readily available to the average consumer, but their effectiveness at preventing identity theft is unclear.
Identity restoration seeks to remediate the effects of identity theft, but the level of service varies. Some providers offer hands-on assistance, such as contacting financial institutions to dispute fraudulent accounts or contacting credit bureaus to report errors or place fraud alerts on the consumer's behalf. But others largely provide self-help information, which is of more limited benefit.
Identity theft insurance covers certain expenses of identity restoration, but coverage generally excludes direct financial losses, and the number and dollar amount of claims has been low. According to the Bureau of Justice Statistics, in 2014, only 5% of all identity theft victims reported indirect losses — defined as expenses such as legal fees, postage, notary fees and other miscellaneous expenses — associated with their most recent incident of identity theft. The average indirect loss was $261, and half of all indirect losses were less than $10.
Angela R. Matney is an attorney with Hirschler Fleischer in Fredericksburg, VA, who counsels employers on information privacy compliance. She is a Certified Information Privacy Professional (CIPP), and may be reached at 540-604-2117 or by e-mail at [email protected].
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
On Sept. 7, 2017,
In the wake of suits filed against Equifax by consumers, businesses and governmental units, courts will have to grapple with the question of what remedies are appropriate. These issues are not unique to the Equifax incident, but the scope of the breach will undoubtedly lead to more debate than ever before.
Questions regarding the effectiveness of credit-monitoring and other traditional breach remediation measures are not new. On Mar. 30, 2017, just a few short months before the Equifax breach, the U.S. Government Accountability Office (GAO) published a 70-page report concerning the effectiveness of identity-theft services (including credit monitoring, identity monitoring, identity restoration and identity theft insurance) as remedies for data breach victims (GAO-17-254).
The GAO report was issued at the request of members of Congress in the wake of two high-profile data breaches experienced by the Office of Personnel Management (OPM), which exposed the personal information (including background investigations and other personnel records) of approximately 22.1 million individuals. OPM awarded two contracts obligating about $240 million for identity theft services as a result.
The GAO report examined several relevant issues, including the potential benefits and limitations of identity theft services, and factors that affect government and private-sector decision-making about such services. While the purpose of the GAO report is to make recommendations to Congress regarding data breach responses of federal agencies, the report has implications for the private sector as well.
In compiling the report, the GAO reviewed the websites of 26 providers of identity theft services, as well as relevant studies and federal enforcement decisions. The GAO also interviewed decision-makers representing federal agencies and private entities regarding how they chose which services to provide following a data breach.
The GAO report identified several limitations of the four most common types of identity theft services.
Credit monitoring helps detect new-account fraud (that is, the opening of new unauthorized accounts) by alerting users when their personal information is used in connection with a new loan, credit card or other account. While early detection can be useful, credit monitoring is limited in effect because it does not prevent new-account fraud or address fraud with respect to existing accounts, such as misuse of a stolen credit card number.
While new-account fraud is on the rise, partly due to the increased availability of microchipped payment cards, existing-account fraud continues to be a significant issue. According to the Bureau of Justice Statistics, a substantial majority of identity theft victims (86%) experienced fraud relating to existing account information. Further, a study published by Javelin Strategy & Research in February of this year found that in 2016, incidence of fraud related to account takeovers rose 31% from 2015.
Consumers have alternatives to credit monitoring that can prevent certain types of fraud. Free fraud alerts and low-cost credit freezes can prevent new-account fraud by requiring businesses to verify the consumer's identity prior to issuing credit and restricting access to the consumers' credit report, respectively. But the consumer has to lift the freeze before they can obtain new credit, so a freeze may not be optimal in all situations.
Identity monitoring can alert consumers to misuse of certain personal information by monitoring sources such as public records or illicit websites. Identity monitoring services scan sources other than credit reports (including public records, proprietary databases and black-market websites) and alert consumers when they detect new or inaccurate information, or when they detect the consumers' personal information in inappropriate places. Similar to credit monitoring services, identity-monitoring services allow the consumer to benefit from early detection. They have the added benefit that they access sources that might not be readily available to the average consumer, but their effectiveness at preventing identity theft is unclear.
Identity restoration seeks to remediate the effects of identity theft, but the level of service varies. Some providers offer hands-on assistance, such as contacting financial institutions to dispute fraudulent accounts or contacting credit bureaus to report errors or place fraud alerts on the consumer's behalf. But others largely provide self-help information, which is of more limited benefit.
Identity theft insurance covers certain expenses of identity restoration, but coverage generally excludes direct financial losses, and the number and dollar amount of claims has been low. According to the Bureau of Justice Statistics, in 2014, only 5% of all identity theft victims reported indirect losses — defined as expenses such as legal fees, postage, notary fees and other miscellaneous expenses — associated with their most recent incident of identity theft. The average indirect loss was $261, and half of all indirect losses were less than $10.
Angela R. Matney is an attorney with
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1DOJ Takes on Largest NFT Scheme That Points to Larger Trend
- 2Arnold & Porter Matches Market Year-End Bonus, Requires Billable Threshold for Special Bonuses
- 3Advising 'Capital-Intensive Spaces' Fuels Corporate Practice Growth For Haynes and Boone
- 4Big Law’s Year—as Told in Commentaries
- 5Pa. Hospital Agrees to $16M Settlement Following High Schooler's Improper Discharge
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
