A large portion of the data breaches that occur each year involve human resource related information. Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach.
This part discusses what employers should look for when deciding whether to offer identity-theft related services, such as credit monitoring, following a breach.
There are a number of different services that employers consider offering to employees following a breach of employee data, and many employers don’t fully understand the differences between them. Service providers use different terms to describe identity theft services and products, and there is misinformation in the marketplace (some of it produced by industry members with a vested interest in selling one type of product over another). Together these make it difficult for employers to learn what options exist and which products or services are most appropriate in a particular situation. The net result is that too many employers inadvertently conclude that one type of product, such as credit monitoring, should be offered in connection with every type of data breach. The following is a summary of each of the main types of identity theft services:
- Credit report. A “credit report” is a report generated by a credit reporting agency (e.g., Equifax, Experian, or Transunion) that summarizes the information those companies maintain about an employee. That information typically includes where the employee lives, whether the employee pays bills on time, whether the employee has been sued, and which financial institutions hold accounts in the employee’s name. An employee can review the report to determine whether every financial account opened in the employee’s name is valid. By law, an employee has a right to obtain a credit report from each of the credit reporting agencies at no cost at least once a year, either by visiting annualcreditreport.com or by contacting the credit reporting agencies directly. As a result, some employers decide that it is not necessary to pay a third party to provide employees with a credit report when the report itself is most likely free to the employee.
- Credit monitoring. A credit report shows financial accounts that were opened in the employee’s name in the past; it does not help the employee detect a bad actor who uses the employee’s information to open a financial account after the report is run. “Credit monitoring” refers to a service in which a third party watches the employee’s credit report for any indication that a new financial account has been created. When a new account appears, the credit monitoring company notifies the employee and asks the employee to determine whether the account is legitimate (i.e., created by the employee) or fraudulent (i.e., the result of identity theft). A number of companies, including the credit reporting agencies themselves, offer credit monitoring services. An employer that decides to offer credit monitoring typically must choose whether the monitoring will cover a single credit reporting agency (e.g., Equifax) or all of the main credit reporting agencies (e.g., Equifax, Experian, and Transunion). The former is typically referred to as “single bureau” monitoring; the latter as “triple bureau” monitoring.
- Identity theft restoration services. “Identity theft restoration services” are resources offered by third parties to help employees rectify a fraudulently opened account or other forms of identity theft (e.g., fraudulent tax filings in the employee’s name). That assistance might include a case manager or consultant whom the employee can call to understand the implications of a fraudulently opened account. The case manager can provide direction and guidance on how to close the account, notify a financial institution of the fraud, and/or ask the credit reporting agencies to correct the credit report so that it accurately reflects information about the employee. Employers that consider offering identity theft restoration services should investigate the specific services a provider will actually deliver. Among other things, an employer may want to ask (1) whether consultants will obtain a power of attorney from the employee so that the consultant can liaise directly with financial institutions and/or the government to fix a fraudulent account, (2) whether consultants are trained to handle the full range of issues that may arise in connection with identity theft, (3) whether employees will be assigned a specific case manager for continuity, or will be required to call a hotline anew each time they have questions or require assistance, and (4) whether case managers/consultants receive commissions for steering employees toward a specific product or service (e.g., enrolling in credit monitoring, obtaining a credit report, etc.).
- Identity theft insurance. If an employee is unable to close a fraudulently opened account, or is unable to reverse actions taken by an identity thief, the employee may suffer financial loss or need to retain an attorney to protect his or her interests (or to defend against creditors). “Identity theft insurance” refers to an insurance product designed either to compensate an employee for such losses or to defend the employee (i.e., provide an attorney) if a creditor attempts to collect funds related to a fraudulently opened account. Often the companies that offer identity theft insurance as part of a bundle of identity theft services are not insurance companies themselves; they are merely reselling a policy negotiated with an underwriter. Employers should request a copy of the actual policy form (the manuscript policy, not merely a summary of benefits) and review it to understand: (1) what benefits will be provided to their employees, (2) what deductibles, if any, the employee may have to meet, and (3) what coverage exclusions exist.
Determining which identity theft service to offer in connection with a particular breach can be complicated and depends heavily on the type of breach that occurred. To help you understand which services are appropriate, the following chart cross-references the types of services with the type of data that may have been impacted in a particular breach:
In addition to understanding which services “match” the type of data impacted, employers must also consider the different ways that identity theft service providers charge for their products. Some providers use a “redemption model,” by which they charge employers only for the number of employees that redeem an offer of identity theft services. Other providers use a “capitated model,” by which they charge employers for the number of employees to whom an offer of identity theft services is made, regardless of whether the employees redeem the offer.
While redemption pricing appeals to many employers because they do not pay for unused services, the per-employee price under the redemption model can be as much as 50 times greater than the per-employee price under a capitated model. More importantly, the redemption model can make it difficult for an employer to budget for a security incident, because the true cost of the service is not known until the employee enrollment period closes, which may take several months.
TIP: While some employers err on the side of providing employees with the full range of identity theft services following a breach, receiving services that don’t “match” the data breach can confuse many employees and lead them to believe, incorrectly, that they are at risk for the types of identity theft the service is designed to mitigate, rather than the types of identity theft that may actually flow from the breach itself.