Effectiveness of Identity Theft Services Limited
A congressional watchdog is reiterating its findings that identity theft services are rarely efficient at mitigating data breach risks.
If you’ve ever been the victim of a data breach or even just read a data breach disclosure, you’ve likely seen it: text informing the victim they're entitled to a year or more of an identity theft protection service.
While identity theft protection companies offer valuable services, like the ability to monitor your credit files, alert you to new accounts opened in your name, along with whether your personal information's been used, they're not without their limitations.
The U.S. Government Accountability Office, a watchdog of sorts for the U.S. Congress, warned again last week that no such solution can prevent a data breach in the first place.
“We did not identify any studies that analyzed whether consumers who sign up for or purchase identity theft services encounter fewer instances of identity theft or detect instances of financial or other fraud more—or less—rapidly than consumers who take steps on their own,” the office wrote in a report, "Range of Consumer Risks Highlights Limitations of Identity Theft Services" (.PDF), “Views of experts varied, but most said identity theft services have limitations and would not address all data breach risks.”
In addition to preventing data breaches, nor can any identity theft service diminish the risks of nonfinancial harm, like medical identity theft, child identity theft, or other types of fraud, like when personal information can be used to set up phone or utility accounts, or to rent a home. The GAO points out that most identity theft providers don't offer protection for these kinds of theft, medical identity theft and identity theft tax refund fraud especially.
The GAO said in the report that it’s concerned that attackers could continue to leverage real data for something it calls synthetic identity theft, a hodge-podge variety of theft that relies on the creation of a fake identity from real data and fabricated information.
For the report, which the GAO produces for congressional consideration, the office interviewed 35 academic, consumer, government, and industry experts, along with representatives of seven companies that offer identity theft services.
Even the reps for the services themselves - 9 out of the 10 interviewed - said they viewed credit or identity monitoring to be of limited value. It's a different story, in the eyes of some of the reps, if the services are either free, or can to be used in a situation in which Social Security numbers were compromised.
The report builds on a 2017 GAO report on identity theft services in which the office said that some levels of ID theft insurance provided to agencies following a breach, like the Office of Personnel Management offered to victims following its June 2015 breach, are more or less unnecessary.
The GAO's work has apparently fallen on deaf ears at the Office of Management and Budget, which publishes guidance for how agencies response to data breaches. The GAO recommended the OMB update its guidance after noting the effectiveness of ID theft services relative to lower-cost alternatives but two years after, the OMB has not taken action.
“We contacted OMB several times between May 2018 and early March 2019 to update the status of this recommendation but as of March 2019, OMB had not responded with an update,” the GAO said, “In our current review, we found that information on the effectiveness of various consumer options continues to be limited. We also found that some free and low-cost alternatives to free or fee-based identity theft services can prevent or more directly address new account fraud and some options consumers can take on their own have become less burdensome. Therefore, we stand by this recommendation.”
In lieu of some ID theft protection services, the GAO is encouraging consumers to use a credit freeze - not a credit lock - to prevent identity theft related fraud, to set a fraud alert to make it harder for thieves to open accounts in consumers' names, and to periodically review their credit reports.
The report is one of two the GAO released last week. It also released another, "Consumer Data Protection: Actions Needed to Strengthen Oversight of Consumer Reporting Agencies," on Tuesday that called on the FTC to enforce GLBA's safeguarding provisions and impose greater civil penalties against consumer reporting agencies like Equifax to ensure they have the tools they need to handle data privacy and security violations.