5nikolas5 / Shutterstock.com

Does Identity-Theft Protection Really Work?

Victims of data breaches are usually offered identity-theft-protection services, but even the companies that promise to safeguard your identity are far from infallible.

Perhaps your data was compromised in a high-profile data breach at a health insurance company, or you were one of the unlucky victims of the Target or Best Buy hacks. Or maybe you got a letter in June from the Office of Personnel Management, years after you quit your last government job.

If you landed in any of these unfortunate categories—and it's not unlikely that you did, given the sheer scale of some of these data breaches—your consolation prize probably looked something like a free termed subscription to a credit-monitoring and identity-fraud-protection service.

The government in June paid about $20 million to offer the 4.2 million current and former federal employees affected by a data breach with 18 months of protection services from CSID. According to CSID President Joe Ross, almost a million people took the government up on the offer—an astronomical uptake rate compared to average enrollment rates after most private-sector breaches.

But for a service that is often presented as a remedy for breaches that expose sensitive information, credit monitoring and identity-theft protection is far from a panacea.

The programs CSID and its competitors provide range from simple credit monitoring to robust identity-theft protection. The suite of services the government purchased for OPM hack victims in June was "the whole kit and caboodle," according to a spokesman for CSID, and included public-records and loan monitoring, a program that monitors shady corners of the Web to see if clients' personal information is being traded or sold, and $1 million in insurance from damages in the event of identity fraud.

Eric Warbasse, senior director of financial services and breach response at LifeLock, touted the utility of fraud-protection programs in an interview earlier this month. "Enrolling in a service or services that include remediation as a backup in the event that somebody is impacted—has their taxes filed fraudulently, for example, something that would never show on a credit report—is a wise decision regardless of whether or not you're part of the OPM breach," Warbasse said, referring to programs that help victims restore the integrity of their identities after an incident of fraud.

But security experts and the government have questioned the utility and security of these services, suggesting that signing up for a protection program is not enough to safeguard customers' identity.

The Federal Trade Commission last week took legal action against LifeLock over data-security practices the agency said do not adequately protect consumer information.

The FTC alleged that LifeLock violated the terms of a 2010 settlement, in which the company paid $12 million over claims that it was falsely advertising the security and robustness of its service.

Concerns about the company's practices were raised also by a whistle-blowing executive last year and by Experian, a credit-reporting agency, in 2008.

Costis Toregas, associate director of the Cyber Security Policy and Research Institute at George Washington University, said the allegations of security shortcomings are not new. "It doesn't surprise me, because we know that companies whose job it is to secure data are themselves vulnerable," said Toregas.

"Am I shocked and surprised that I found gambling going on in the back room? No," Toregas continued. "Everything is hackable. They should be very, very careful of their promises."

LifeLock says it disagrees with the FTC's decision and will fight the new allegations in court. "Based on the evidence, we do not believe that anything the FTC is alleging has resulted in any member's data being taken," the company said in a statement.

Just one day before the FTC's charges were announced, lawmakers from the House Energy and Commerce Committee sent a letter asking the Government Accountability Office to study the "usefulness and adequacy" of offering ID-theft-protection services to hack victims.

The bipartisan group who signed the letter asked the GAO to answer questions about taxpayer cost and the state of service providers' security standards.

House Minority Whip Steny Hoyer said Monday that identity-theft monitoring may never be enough to protect individuals who lost sensitive personal info. The 21.5 million victims of an OPM data breach announced earlier this month had their names, addresses, and Social Security numbers compromised, and 1.1 million individuals had their fingerprints stolen.

"There may be some things we can't compensate for," Hoyer said.

That said, victims of data breaches who are offered months or years of free identity-theft-protection services should take advantage of it, said Toregas.

"Never look at a gift horse in the mouth," he said. "For sure, accept it. But do not think that that is adequate."

Toregas advises breach victims to learn about cybersecurity practices, change their online lifestyles to manage risk, and always operate under the assumption that their personal information has been stolen at least once.

"Breaches have nothing to do with computers," he said. "They have everything to with your life. They have everything to with your career, with your credit, with your happiness, with your ability to get on an airplane and not to be arrested for a different identity, and so on."

(Image via   / Shutterstock.com)

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.