Because Breached Businesses' 'Take Your Security Seriously'

(euroinfosec) • December 12, 2018

Equifax's 2017 data breach notification to 148 million Americans

Oh, that glorious moment of anticipation, when you receive a missive that offers to provide you with one year of free identity theft protection and monitoring services.
"The security of your data is important to us," such communications so often read.
Of course, such offers come only one way: From breached organizations that have lost control of your personal data. As a bonus, consumers may have never even been aware that a company was buying, selling, trafficking, storing or otherwise handling their personal data, and have no recourse to prevent it from doing so (see: 'Data & Leads' Site Disappears After Data Exposure Alert).
Another bonus: Consumers whose personally identifiable information was exposed face the potentially perpetual risk of having their personal details used against them for the rest of their lives by fraudsters. Every such incident may result in an individual having to spend tens or hundreds of hours, none of it compensated, attempting to communicate with banks or card issuers to reverse charges or fix credit reports because of damage done by criminals.
In return, many businesses now offer one year of "free" identity theft monitoring services (see: Cynic's Guide to the Equifax Breach: Nothing Will Change).
Call me pedantic, but rather than calling it free, "prepaid" would be more accurate, because the service is hardly free of strings attached, starting with the pre-existing fact that your personal data has already been mishandled by a business that doesn't work for free.
In so many cases, if the security of your data was as important to breached organizations as they now belatedly claim, they wouldn't be subsequently paying a third party to watch your accounts for signs of fraud. Instead, they would have previously invested in the people, processes and technology that they needed to have stopped your data from having been stolen in the first place. That's the kind of "free" protection of which I'd like to see more.
How to Show You Care
Some businesses' signs of "security caring" are more galling than others. Take credit reporting agency Equifax, which in 2017 lost personally identifiable information for 56 percent of all U.S. adults because of its substandard oversight, patch management, password and other information security practices.
Equifax then offered its breach victims free identity theft monitoring via its own service, thus in effect giving the data broker that lost so many people's data access to even more of their data. If there were any justice, all breached businesses should at least be forced to pay someone else to provide such a service.
Unusually, however, that eventually came to pass, when Equifax last month announced to U.S. breach victims who had signed up for the prepaid service that unless they opted out, it would be renewing their credit monitoring for one year, not with Equifax but instead via a service offered by its competitor Experian, as cybersecurity journalist Brian Krebs first reported.
In August, consumer rights group Identity Theft Resource Center surveyed 880 U.S. Equifax data breach victims and found that 59 percent of them had signed up for free credit monitoring with Equifax, and that 44 percent of all those surveyed were still using it.
When data breach victims sign up for a fraud-monitoring service from a business that lost control of their personal information, however, in many cases they're also signing away their right to join subsequent class-action lawsuits or other court actions.
Both Equifax and Marriott included such arbitration clauses for any victims who signed up for such services. But facing criticism and the threat of legal or legislative action, both subsequently backed off (see: Marriott: Breach Victims Won't Be Forced Into Arbitration).
Still, any business outside the financial services sector remains legally allowed, as part of its "free" identity theft monitoring terms and conditions, to force breach victims to accept arbitration.
Monitoring, Not Preventing
With so many breached organizations now offering U.S. breach victims one year of prepaid identity theft monitoring, it's important to ask: Do such services do any good, or go any way to actually repairing the damage that has occurred?
Consumers' best bet remains to use credit freezes to attempt to block identity thieves outright.
Even so, many consumer rights groups recommend signing up for identity theft monitoring services, if they're offered for free.
But it's important to note that while such services are billed as being preventive, they won't stop fraud outright. Identity thieves can still walk into a bank and use your stolen Social Security number to try to sign up for a loan in your name. Still, many ID theft monitoring services are designed to help spot when fraud has occurred and help consumers recover.
Good News, If You're in Europe
Some consumers have better privacy rights, as well as better protection for those rights, than others. In the EU, the General Data Protection Regulation gives privacy watchdogs the ability to impose massive fines on organizations that violate Europeans' privacy rights (see: Marriott Mega-Breach: Will GDPR Apply?).
Organizations that violate GDPR face fines of up to 4 percent of their annual global revenue or €20 million ($22.7 million) - whichever is greater. Separately, organizations that fail to comply with GDPR's reporting requirements also face fines of up to €10 million ($11.3 million) or 2 percent of annual global revenue.
But wait, there's more: EU privacy watchdogs can also revoke an organization's ability to process Europeans' personal data. Imagine the effect that might have on Equifax or Facebook, both of which have previously been fined for pre-GDPR privacy violations by the U.K. Information Commissioner's Office.
Republicans Ask: Is It Useful?
In the U.S., by contrast, Congress has failed to pass any law that would improve privacy protections for Americans since the Web came along.
Congress has even failed to pass a law that would provide mandatory notification of data breaches to Americans. Instead, all 50 states have filled in the gaps, with California leading the way.
Historically, Republican members of Congress have routinely blocked any suggested new data breach notification or privacy laws. And a report on the Equifax breach by Republican members of the House Oversight Committee this week continued in that vein. For example, to increase transparency for consumers, it said that data aggregators should be required to show consumers what data they hold on them. But it did not recommend that consumers be given the right to request that their personal data be deleted (see: Equifax Breach 'Entirely Preventable,' House Report Finds).
The Republican-authored report did call into question the efficacy of identity theft monitoring services, especially as wielded by breached businesses, including Equifax, which as it notes "offered free credit monitoring and protection services for one year to any consumer who requested it."
The report calls on the U.S. Government Accountability Office to review the efficacy of identity theft monitoring services. "A variety of opinions were provided to the committee about both the value of credit monitoring services and the recommended length of time the protection should be provided," it says.
Accordingly, GAO should "examine the effectiveness of current identity monitoring and protection services and provide recommendations to Congress," it says. "In particular, GAO should review the length of time that credit monitoring and protection services are needed after a data breach to mitigate identity theft risks."
Breach Victims' Exposure Goes to 11
Breaches, however, have gotten so bad that it's not clear if any new breach is putting individuals at any greater risk, given the amount of personal data that's already being bought and sold on cybercrime forums. "Every American person should assume all of their data is out there," Elvis Chan, a supervisory special agent with the FBI who specializes in investigating cybercrime, tells the Wall Street Journal (see: An FBI Update on Fighting Against Russian Election Meddling).
Hence the push for GAO to review identity theft monitoring services seems especially timely. GAO has previously proven its cybersecurity acumen in the data breach sphere, including its must-read postmortem into the failures that led to the Equifax breach, the findings of which were cited in the ICO's own breach probe (see: Building an Effective Enterprisewide Security Program).
Next stop: Identity theft monitoring. "This GAO study would help clarify the value of credit monitoring services and the length of time such services should be maintained," the House report says. "The GAO study should examine alternatives to credit monitoring services and identify additional or complimentary [sic] services to enhance the protections offered by credit monitoring services."
Wouldn't it be interesting if the GAO found that breached organizations should be required to provide such services to breach victims, "free," in perpetuity?