Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
On Sept. 7, 2017, Equifax Inc. announced to the world that from May 2017 through July 2017, it had experienced a cyberattack that had compromised the security of the personal information of 145.5 million U.S. consumers. Equifax's initial offer to provide affected individuals with a year of its own credit monitoring service in response was met with skepticism and downright incredulity by those who maintained that the suggested “fix” was hardly enough to compensate consumers for the fallout they were bound to experience as a result of the incident.
In the wake of suits filed against Equifax by consumers, businesses and governmental units, courts will have to grapple with the question of what remedies are appropriate. These issues are not unique to the Equifax incident, but the scope of the breach will undoubtedly lead to more debate than ever before.
Questions regarding the effectiveness of credit-monitoring and other traditional breach remediation measures are not new. On Mar. 30, 2017, just a few short months before the Equifax breach, the U.S. Government Accountability Office (GAO) published a 70-page report concerning the effectiveness of identity-theft services (including credit monitoring, identity monitoring, identity restoration and identity theft insurance) as remedies for data breach victims (GAO-17-254).
The GAO report was issued at the request of members of Congress in the wake of two high-profile data breaches experienced by the Office of Personnel Management (OPM), which exposed the personal information (including background investigations and other personnel records) of approximately 22.1 million individuals. OPM awarded two contracts obligating about $240 million for identity theft services as a result.
The GAO report examined several relevant issues, including the potential benefits and limitations of identity theft services, and factors that affect government and private-sector decision-making about such services. While the purpose of the GAO report is to make recommendations to Congress regarding data breach responses of federal agencies, the report has implications for the private sector as well.
In compiling the report, the GAO reviewed the websites of 26 providers of identity theft services, as well as relevant studies and federal enforcement decisions. The GAO also interviewed decision-makers representing federal agencies and private entities regarding how they chose which services to provide following a data breach.
The GAO report identified several limitations of the four most common types of identity theft services.
Credit monitoring helps detect new-account fraud (that is, the opening of new unauthorized accounts) by alerting users when their personal information is used in connection with a new loan, credit card or other account. While early detection can be useful, credit monitoring is limited in effect because it does not prevent new-account fraud or address fraud with respect to existing accounts, such as misuse of a stolen credit card number.
While new-account fraud is on the rise, partly due to the increased availability of microchipped payment cards, existing-account fraud continues to be a significant issue. According to the Bureau of Justice Statistics, a substantial majority of identity theft victims (86%) experienced fraud relating to existing account information. Further, a study published by Javelin Strategy & Research in February of this year found that in 2016, incidence of fraud related to account takeovers rose 31% from 2015.
Consumers have alternatives to credit monitoring that can prevent certain types of fraud. Free fraud alerts and low-cost credit freezes can prevent new-account fraud by requiring businesses to verify the consumer's identity prior to issuing credit and restricting access to the consumers' credit report, respectively. But the consumer has to lift the freeze before they can obtain new credit, so a freeze may not be optimal in all situations.
Identity monitoring can alert consumers to misuse of certain personal information by monitoring sources such as public records or illicit websites. Identity monitoring services scan sources other than credit reports (including public records, proprietary databases and black-market websites) and alert consumers when they detect new or inaccurate information, or when they detect the consumers' personal information in inappropriate places. Similar to credit monitoring services, identity-monitoring services allow the consumer to benefit from early detection. They have the added benefit that they access sources that might not be readily available to the average consumer, but their effectiveness at preventing identity theft is unclear.
Identity restoration seeks to remediate the effects of identity theft, but the level of service varies. Some providers offer hands-on assistance, such as contacting financial institutions to dispute fraudulent accounts or contacting credit bureaus to report errors or place fraud alerts on the consumer's behalf. But others largely provide self-help information, which is of more limited benefit.
Identity theft insurance covers certain expenses of identity restoration, but coverage generally excludes direct financial losses, and the number and dollar amount of claims has been low. According to the Bureau of Justice Statistics, in 2014, only 5% of all identity theft victims reported indirect losses — defined as expenses such as legal fees, postage, notary fees and other miscellaneous expenses — associated with their most recent incident of identity theft. The average indirect loss was $261, and half of all indirect losses were less than $10.
*****
Angela R. Matney is an attorney with Hirschler Fleischer in Fredericksburg, VA, who counsels employers on information privacy compliance. She is a Certified Information Privacy Professional (CIPP), and may be reached at 540-604-2117 or by e-mail at [email protected].
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.
During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.
The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.
As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.