After the breach: Should you enroll in ID or credit monitoring services?
By Lisa Bertagnoli | Published: October 23, 2014
If you've been the victim of a security breach, there's good news. Many retailers whose databases have been hacked are offering credit monitoring or identity protection services to affected customers.
They're doing it of their own volition; no states require affected companies to offer such services to customers. Forty-seven states, however, do require companies to notify customers of a security breach, and in late September, California beefed up its law a bit. The amended law, which takes effect Jan. 1, 2015, requires companies that offer ID protection to offer it for 12 months, and for no cost.
Whether to sign up or take a pass is a question that, sooner or later, most consumers will have to ponder. The number of security breaches has topped 600 this year alone -- up more than 25 percent over 2013 -- and that figure climbs daily. This year's retail victims include Home Depot, Kmart, Sears, Staples, Jimmy John's, SuperValu and Neiman Marcus.
A study released this fall commissioned by Experian, the credit bureau, showed that 75 percent of respondents had sensitive information lost, stolen or otherwise compromised. Still, only one-third of respondents accepted offers of protection services.
Naysayers said it was too much of a "hassle" to sign up, or even take simple DIY measures such as changing passwords, explains Becky Frost, senior manager, consumer education for Experian's ProtectMyID, which offers ID protection services. Despite the proliferation of breaches, there's an "it won't happen to me" attitude, Frost says. "People aren't aware of this until it happens to them or their friends or family."
That kind of mindset can be dangerous. But experts say there are other reasons you might want to consciously forgo identity protection. Depending on what you sign up for, monitoring services can prevent full-out identity theft, or simply duplicate steps you can take on your own.
Types of services
It's worth sorting out the differences between the services on offer.
- Credit monitoring. Credit monitoring services monitor activity for at least one of the Big Three credit bureaus -- Equifax, Experian and TransUnion -- to make sure new lines of credit or collection accounts aren't being added to your credit record without your knowledge. After Target's data breach during the 2013 holiday shopping season, the retailer offered a year of free credit monitoring to affected customers through ProtectMyID, which tracks Experian reports.
- Identity protection or identity monitoring. These services go further than credit monitoring. Providers have access to criminal databases, DMV records and other resources that mere mortals do not, says Eva Casey Velasquez, president and CEO at the Identity Theft Resource Center, a nonprofit based in San Diego, California. They may use complex analytics to search for fraudulent activity and monitor suspicious Social Security number usage. AllClearID, the service Home Depot is offering to affected customers, is an identity monitoring service.
Detection, not prevention
If you're thinking of using one of these services, keep in mind that they don't prevent fraud; they spot it and send alerts so users can resolve issues before minor problems explode into expensive, time-consuming messes. "They're really about detection," says Velasquez.
Signing up for a free service requires submitting sensitive information, such as a Social Security number. (To quell fears, Home Depot is giving participants the option of enrolling over the phone.) Once enrolled, you'll get email alerts if the service detects unusual activity. You can then work with fraud experts to resolve issues.
Worried that you will begin to be charged without warning after a year is up? Be sure to ask before enrolling. AllClearID says it does not automatically re-enroll users when the free period expires. Instead, users get an email asking if they want to continue receiving the service for a charge.
So, the question remains: Sign up, or take a pass?
It depends on what's been stolen. If it's simply a credit card number, closing the account will usually suffice, says Velasquez. She adds, though, that for companies hit by hackers, you may not know what's been taken. "It's hard for them to know right away what's been compromised ... These forensic reviews take time."
If you think your Social Security number may have been stolen and an ID protection service is being offered, then accept it. ID protection services, Velasquez says, "can do things you can't do yourself" or that would be extremely expensive to do on your own, she says. She recommends accepting free credit-monitoring services for a year: "Nothing bad could come from that," she says.
Not everyone agrees. Monitoring services aren't immune from data breaches themselves. "There aren't any assurances," says Heather Bearfield, principal at Marcum LLP, a Boston-based accounting and advisory services firm.
Bearfield, who heads the firm's national technology assurances services practice, thinks that might be the reason for the low participation in free services: "People are nervous about giving their information to another party."
For her, accepting or declining an offer is a personal choice. Consumers can monitor their own credit, as federal law requires each of the Big Three bureaus to supply consumers with a free credit report each year. Timed right, you could get a free credit report every four months.
That said, self monitoring takes work. Participating in free monitoring, or even signing up for a service, "is another means of outsourcing your life," Bearfield says. "A lot of people outsource a lot of their lives today."
Don't want to sign up for ID protection or credit monitoring? Consider taking these steps to protect your information:
- Use credit cards, not debit cards. Debit cards "don't have the same protection as a credit card; there's a much smaller chance you'll be getting your money back," says Bearfield.
- Be careful where you use mobile devices. Buying online from an unsecured location, say a coffee shop with free Wi-Fi, could allow a thief to snag your data.
- Check your credit card usage. Bearfield suggests going online weekly to check statements and make sure there's no malicious activity.
- Check your credit reports. You can access them for free at AnnualCreditReport.com.
- DIY credit card arbitration: You may be able to opt out – Consumers can preserve their right to go to court instead of private arbitration in many cases by going through and opt-out process ...
- CFPB rule: Consumers should be able to band together and sue – Banks, GOP oppose measure that would end "mandatory arbitration" clauses that prevented class-action suits ...
- Bluesnarfing is newest card fraud at gas pumps and ATMs – With a skimmer and Bluetooth technology, fraudsters can sit nearby and intercept your payment transaction details ...