So You’ve had a Data Breach, Now What?
Companies, organizations and agencies that hold and transmit people’s personal information should keep it reasonably secure from unauthorized access and use. But what if there is a data breach that exposes the information? How should the breached entity help those affected? Should it offer them identity theft services?
If so, how should it choose the provider and what features should it look for to ensure that the services will fit the needs of the victims? To help answer those questions, Consumer Federation of America and its Identity Theft Service Best Practices Working Group, which includes consumer advocates and identity theft service providers, have created a checklist, “My company’s had a data breach, now what? 7 questions to ask when considering identity theft services.” This isn’t intended to be legal advice, however – always consult with an attorney about how to respond to a data breach.
Identity theft services typically include alerting people about possible fraudulent use of their personal information, mitigating the damage, and/or helping them recover from identity theft. In the checklist we explain the different kinds of monitoring and fraud resolution that may be available and that the features of the programs can often be customized to fit particular breach situations. One of the basic questions to ask is whether the service will provide breach victims with information about how to reduce the potential damage – for example, by changing their account numbers and passwords, monitoring their accounts online, and using fraud alerts, security freezes and other tools.
We also suggest asking:
- Are services available 24/7?
- Is there a toll-free number with live operators?
- What response times will the provider commit to?
- Can the service handle multiple languages?
- If monitoring is provided, how quickly are alerts sent?
- Are there specially trained personnel to help victims of fraud resulting from the breach, and will that assistance continue for problems that aren’t resolved when the contract ends?
Identity theft service providers may offer other assistance as well, such as helping breached entities to write and/or send notices to the victims and handling other communications. Another thing to consider is whether to have identity theft services lined up in advance in case they’re needed. It can be less stressful and save money to pre-negotiate for these services rather than shopping for them in the midst of a breach. The checklist covers how to find reputable identity theft service providers.
Of course, identity theft services aren’t necessary in every breach situation. A good rule of thumb is: if the breached entity is required by state or federal law to notify those affected, it should consider offering these services. In interviewing prospective identity theft service providers it’s important to describe the types of personal information that have been or could be compromised and ask what features would be most helpful to the victims. We also suggest addressing whether and in what manner the identity theft service provider may solicit the breach victims to buy services during the contract period and/or once it ends. As in any contract, the services and terms should be clearly described and accurately reflect what has been agreed to.
CFA’s Best Practices for Identity Theft Services, which was updated last year with input from the working group, and the checklist are intended to encourage good practices in the identity theft service marketplace. There is also a guide for consumers, Nine Things to Check When Shopping for Identity Theft Services and much more about identity theft on CFA’s www.IDTheftInfo.org website.
This blog was written by Susan Grant, Director of Consumer Protection and Privacy at the Consumer Federation of America. Ms. Grant also sits in the ITRC's Board of Directors.