Companies are not required to offer services to consumers whose information was involved in a breach. Nonetheless, many organizations choose to offer credit reports (i.e., a list of the open credit accounts associated with a consumer), credit monitoring (i.e., monitoring a consumer’s credit report for suspicious activity), identity restoration services (i.e., helping a consumer restore their credit or close fraudulently opened accounts), and/or identity theft insurance (i.e., defending a consumer if a creditor attempts to collect upon a fraudulently opened account and reimbursing a consumer for any lost funds). If you do offer one of these services, a 2014 California statute prohibits you from charging the consumer for it.
Although most consumers believe that credit-related services should be offered following a breach, many (if not most) data breaches do not involve information that could be used to open a credit account. As a result, credit-related services often do not protect consumers from any harm that might result from the breach that triggered the offering.
$0.25 - $2.00: Approximate cost of one year of credit-related services depending upon the number of impacted individuals, the type of information breached, and the services offered.
What to think about when evaluating a credit-related service:
- Will the credit monitoring company attempt to upsell enrollees? If so, will recipients of the free service perceive that it is not, in fact, free?
- Will the credit monitoring company market additional products or services to enrollees? If so, will recipients of the service perceive that their privacy has been violated?
- Will the credit monitoring company allow other companies to cross-market products to enrollees?
- Is the credit monitoring service permitted to retain information about enrollees after it stops providing service?
- Has the credit monitoring company provided you with adequate assurance (and indemnifications) if the information that you provide to it (e.g., customer lists, lists of impacted consumers, or lists of impacted employees) itself becomes breached?
- Are you indemnified if the credit monitoring company’s products are alleged to be unfair or deceptive?
- Are you indemnified if the credit monitoring company is negligent in providing monitoring services?
- Have you been given a copy of all materials, including marketing materials, enrollment terms, insurance contracts, etc., that relate to the service being offered so that you know what your customers/employees will be seeing?
- What service level guarantees are provided for how quickly enrollees will be able to reach the credit monitoring company?
- Has the credit monitoring company received any complaints, either from regulators or consumers, about its product offering or service?