Consumer Advocates and Identity Theft Service Providers Create Data Breach Checklist for Companies
How should companies and organizations that have experienced a data breach offer to help those affected?
According to the Identity Theft Resource Center, there were more than 630 data breaches in the U.S. from January 1 through August 31 of this year, putting 2016 on track to exceed the total of 780 breaches that the group recorded in 2015 and putting millions of individuals at risk of identity fraud.
When companies, organizations or government agencies experience a data breach that may have exposed people's sensitive personal information, one of the many issues they must address is how to help those affected.
Should they offer them identity theft services? If so, how should they choose the provider and what features should they look for?
The Consumer Federation of America (CFA) and its Identity Theft Service Best Practices Working Group, which includes several consumer advocates and identity theft service providers, have created a checklist, entitled "My company's had a data breach, now what? 7 questions to ask when considering identity theft services," to help breached entities make these decisions.
"Identity theft services may not be necessary for every breach, but if you're going to offer this kind of service, it is important to make sure that it provides the information and assistance that best fits the needs of the people who are impacted," said Susan Grant, Director of Consumer Protection and Privacy at CFA.
Identity theft service providers offer a range of services which typically include alerting people about possible fraudulent use of their personal information, mitigating the damage, and/or helping them recover from identity theft. The features of the programs vary and can often be customized to fit particular breach situations.
One of the questions that the checklist suggests asking is whether the service will provide information to the breach victims about how to reduce the potential damage that may result from the breach—for example, by changing their account numbers and passwords, monitoring their accounts online, and using fraud alerts, security freezes and other tools.
Other general questions included in the checklist are: Are services available 24/7? Is there a toll-free number with live operators? What response times will the provider commit to? Can the service handle multiple languages? If monitoring is provided, how quickly are alerts sent? Are there specially trained personnel to help victims of fraud resulting from the breach, and will that assistance continue for problems that aren't resolved when the contract ends?
The checklist also explains the different kinds of monitoring and fraud resolution that may be offered in the event of a data breach. Whether identity theft services are needed and what features to look for depend on the types of personal information involved and other factors. If the breached entity is required under state or federal law to notify those affected, it should consider providing these services, the checklist explains. Another consideration is whether to have identity theft services lined up in advance rather than having to shop for them in the midst of a breach.
"Responding to a data breach can be hectic," Grant noted. "Pre-negotiating for these services may save money and lower the stress level."
How to find a reputable identity theft service provider and what additional assistance it may be able to provide in the event of the breach are also covered in the checklist. This information is not meant to be legal advice, however. "Always consult with an attorney on what steps to take in response to a breach," Grant added.
CFA's Identity Theft Service Best Practices Working Group includes Call for Action, Consumer Action, Attorney Mari Frank, Privacy Rights Clearinghouse, AllClearID, Equifax Consumer Services, Experian (ProtectMyID), EZShield Fraud Protection, ID Experts, ID Watchdog, IDT 911, Intersections Inc., Kroll, Merchants Information Solutions, Worldwide Benefit Services (ID Theft Assist), and Zander Identity Theft Services.
With input from the Working Group, CFA has previously produced Best Practices for Identity Theft Services, as well as a guide for consumers titled Nine Things to Check When Shopping for Identity Theft Services.
The data breach checklist and other resources about identity theft for businesses and consumers are available at IDTheftInfo.org.