ICFE eNEWS #17-15 - April 2017
View this eNEWS online

United States Government Accountability Office (GAO) Report:
"Identity Theft Services Offer Some Benefits but Are Limited in Preventing Fraud"

by Yan Ross, ICFE Director of Special Projects

According to a recently-released 70-page report in response to Congressional requests, the GAO reached these summary findings:

Identity theft services offer some benefits but have limitations.

• Credit monitoring helps detect new-account fraud (that is, the opening of new unauthorized accounts) by alerting users, but it does not prevent such fraud or address existing-account fraud, such as misuse of a stolen credit card number.

• Consumers have alternatives to credit monitoring, including requesting a low-cost credit freeze, which can prevent new-account fraud by restricting access to the consumers' credit report

• Identity monitoring can alert consumers to misuse of certain personal information by monitoring sources such as public records or illicit websites, but its effectiveness in mitigating identity theft is unclear

• Identity restoration seeks to remediate the effects of identity theft, but the level of service varies: some providers offer hands-on assistance, such as interacting with creditors on the consumer's behalf, while others largely provide self-help information, which is of more limited benefit

• Identity theft insurance covers certain expenses related to the process of remediating identity theft but generally excludes direct financial losses, and the number and dollar amount of claims has been low

These services also typically do not address some types of threats, such as medical identity or tax refund fraud.

The impetus behind this research and report is apparently the continued proliferation of data breaches among federal agencies and the "standard" response of providing identity theft services for the affected consumers, as well as the implications for consumers in subscribing to services such as credit report monitoring, restoration services, and related means of managing the risk of identity theft.

This description of the thrust of the GAO report sheds additional light on its purpose:

"This report examines (1) the marketplace for identity theft services; (2) the potential benefits and limitations of identity theft services available to consumers; (3) marketing, billing, and security issues associated with these services; and (4) factors that affect government and private-sector decision making about offering identity theft services."

The Office of Personnel Management (OMB) breach in 2015, and the steps taken to mitigate potential damage to the affected individuals, provide the foundation for the GAO study. In this regard, the report mentions "In response to data breaches in 2015, OPM awarded two contracts obligating about $ 240 million for identity theft services."

From this perspective, the GAO proceeds to list and evaluate many of the points of coverage and pricing for the various providers of post-data breach services. Further, the GAO reports that in the case of affected federal agencies, there is no common standard for the evaluation of the risk of loss or the cost-effectiveness of monitoring and recovery services, as well as insurance against actual losses arising out of the particular data breach.

An important aspect of this report is the information regarding the 26 providers of identity theft services whose web sites were reviewed by GAO officials. Further direct contact with representatives of eight of the service providers confirmed that the level of hands-on service, as opposed to simply consulting with affected consumers to engage in "do-it-yourself" recovery efforts, vary widely.

In the section on "Types of Threats Not Addressed by Existing Identity Theft Services," the most prominent, and potentially disruptive, are medical identity theft and tax refund fraud.

Recognizing that the origin of this research and report is from the federal agency perspective, the ultimate GAO recommendations are centered on both statutory and regulatory initiatives:

"Congress should consider permitting agencies to determine the appropriate coverage level for identity theft insurance they offer after data breaches. OMB should analyze the effectiveness of identity theft services relative to alternatives, and should explore options to address duplication in federal agencies' provision of these services. OPM should address in its breach-response policy when to offer these services and should document its decision-making process. OPM agreed with GAO's recommendations to the agency."

While the focus of the GAO report is on prospective responses by federal agencies that may experience data breaches, there is much to be learned by private sector holders of protected personally identifiable information (PII).

It is worthy of note that some 45 States have data breach notification laws, and many also have adopted standards for remediation of potential damage to the affected individuals, there has so far been no action taken to adopt a federal standard that would supersede these widely divergent State requirements.

For professionals engaging in identity theft risk management activities, as well as holders of protected data, this report provides an excellent survey of the playing field among the providers of post-breach identity theft services. The value of this information goes far beyond applications to government entities, and may even serve as a platform for the adoption of an integrated set of standards in the future.

Primary - http://www.gao.gov/assets/690/683842.pdf
Secondary - https://www.ibisworld.com/industry/identity-theft-protection-services. html
(Subscription Required for this "Market Research Report on Identity Theft Protection Services")
Javelin Strategy & Research, Identity Protection Direct-to-Consumer Services Reach $1.4B in a Year Ridden with Data Breaches (April 2015), accessed September 21, 2016

The ICFE's Certified Identity Theft Risk Management Specialist ® XV CITRMS® course is now available both in printed format and online.

The Textbook and Desk Reference edition of the course book is also available online. Bulk pricing and discounts for veterans and students available. Inquire at yan.ross@icfe.info
Yan Ross is ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist ® XV CITRMS® course. As an accredited educator for over 20 years, he has addressed Identity Theft Risk Assessment and management for consumers, organizations holding personally identifiable information, and professionals who work with individuals and organizations who are at risk of falling victim to identity thieves.

ICFE eNEWS is available FREE upon request by visiting the ICFE's Web site and filling out the contact form, selecting "Yes" for "Add to Mailing List." Please pass this eNEWS on to your peers and interested others and invite them to subscribe for free. Also, visit the ICFE's new Web site: StudentDebtHelp.org

Sent by:

Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)

ICFE - Institute of Consumer Financial Education - ICFE.info - 619.239.1401