Lawmakers Question How to Best Protect Data Breach Victims

After a data breach exposes sensitive information, agencies usually offer victims credit monitoring as a catch-all solution to prevent fraud. But a group of lawmakers isn't convinced that strategy always gets the job done.

“We are concerned that the popular response may reflect factors unrelated to the actual protection of breach victims,” House Energy and Finance Committee Reps. Frank Pallone, Jr., D-N.J., Diana DeGette, D-Colo., and Jan Schakowsky, D-Ill., wrote in a letter to the Government Accountability Office Thursday. “Reliance on these products after the breach may result in consumers being lulled into a false sense of security.”

They requested GAO examine how effective current strategies work for various types of breaches, the extent of the protection each one offers, and the factors agencies weigh in choosing a response to a breach. Lawmakers also would like GAO to see if there are better solutions not currently being offered.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

One major issue with credit monitoring services is that they only last for a finite amount of time, while Social Security numbers and other sensitive information gathered in a breach can be used indefinitely.

Following the 2015 breach at the Office of Personnel Management that exposed personal information for more than 21 million federal employees to hackers, the government offered victims 18 months of free credit monitoring.

In a July 2015 letter, also signed by Pallone, committee members questioned whether this short-term response was appropriate considering the stolen data will still put workers at risk years down the line. They also noted that some available services don’t monitor all three major credit bureaus, making it easier for criminals to commit credit fraud.

In Thursday’s letter, lawmakers underscored the importance of addressing breaches not only effectively but efficiently, citing a previous GAO report that faulted both government and the private sector for responding inappropriately.

In that report, the watchdog determined the government paid too much to protect victims of the OPM hack. Affected employees each received $5 million in identity theft insurance, even though GAO said claims “rarely exceed a few thousand dollars.” At the same time, the group noted private-sector companies often offer services for reasons that have nothing to do with the quality of protection, such as avoiding liability and giving customers “peace of mind.”

In addition to examining the effectiveness of data breach responses, committee members also asked GAO to analyze recent trends in data breaches and identity theft, and determine ways the government can more easily implement new solutions.