Credit Monitoring and Identity Theft Protection After a Major Hack
When major data breaches occur, the initial reaction from the media and the public is outcry. For good reason, too. It seems there is no organization with an online presence that is free from the threat of hackers. And it’s not just companies: if someone has entered their personal info online anywhere, they’re susceptible.
And when the emotional outcry calms, both the company and the individuals impacted are left trying to regroup. There is a great deal of tension at work here, because in many of the situations it can be difficult to gauge who is at fault and for what.
What Kind of Companies are Getting Hacked?
While there are certainly organizations that we would hope have ironclad security, what history has already demonstrated is that none seem to be immune from the reach of hackers.
Target was hacked in late 2015, and the retailer came under criticism for waiting four days to notify the public that they had been breached. Not only that, but while they originally reported that the information of 40 million customers had been taken, they later confirmed the number could be as high as 110 million customers.
Even more dramatically, when Equifax, one of the three main credit reporting companies, was hacked in 2017, they waited six weeks to disclose the hack, which impacted nearly half the U.S. population and nearly everyone with a credit card. Several executives sold stocks before the information became public and began impacting stock prices. Not only that, it was revealed that they had been hacked only a couple of months prior, and that they knew of a flaw in their security preceding the major hack, which could have been patched.
Afterwards, a New York Times opinion piece entitled “Get Rid of Equifax” seemed to capture the attitude of frustrated consumers. Bryce Covert’s piece argued that credit bureaus aren’t accountable to public pressure and thus shouldn’t be allowed to operate as privatized entities. Instead, she argued, it should be a public registry that stores the information.
And sure, that would keep individuals from making up the bottom lines of companies that don’t have their best interest in mind. But ultimately, the scary reality would remain.
Consider: The IRS lost upwards of 700,000 social security numbers, addresses, and incomes in the spring of 2015. The California DMV would neither confirm nor deny a possible credit card hack that may or may not have occurred between August 2013 and January 2014. And perhaps most concerning of all, in June 2015, the Department of Defense had to notify 4 million current and past federal employees that their personal information may have been taken.
The Federal Trade Commission (FTC) works to ensure that companies follow through on their security and privacy policies and that they are not negligent in their care of personal data. The problem is that while the theory is solid (they only store the information they have to, and they do so in a secure manner), the execution is clearly lacking.
It’s easy to see that nearly any company can fall victim to hackers.
How to follow up after a data breach.
While one would hope that a company that leaks your data is responsible for compensating an individual for their loss, this is unfortunately not the world we live in. Instead, especially in a situation such as the Equifax breach where those impacted were not customers who had entered into an agreement with the company, it is largely up to the impacted parties to respond and protect themselves.
So if a breach does occur wherein your information may have been compromised, there are two tiers of action that need to be taken.
First, determine if you were impacted. Often companies that have been breached set up a free website aimed at helping individuals ascertain if they’ve been affected. Even if they don’t provide that much help, they will usually be able to provide at least some qualifying information, such as the dates or the actions on the part of customers (like filing by mail instead of electronically) that have put them at risk.
Then, understand what data has been compromised. Not all hacks are created equal, and credit card fraud isn’t the same as identity theft.
- If a company in an industry like retail has had information stolen, it likely will consist of credit card numbers and contact info. Credit card fraud is much easier to spot and to stop than full-blown identity theft. The first line of defense in this instance is monitoring your accounts for unrecognized or unauthorized purchases.
- If you are unsure whether you’ve been impacted, you can place a fraud alert on your card, which requires extra verification for use. Or, a credit freeze stops lenders from being able to pull your info, so if someone tries to apply for a loan or the like, they’ll be thwarted. But it doesn’t stop existing lines of credit from being used, and depending on where you live, it may not be free. As soon as a card is lost or stolen, report it to the company and get a new card.
- If your driver’s license number or your social security number has been stolen, you have some heavy lifting ahead of you. In both instances you should report it to local law enforcement. If your SS card has been stolen you need to contact the Social Security Administration and work with them to resolve the issue. You can also check to see if someone has used your SSN by looking at your Social Security Statement. Be prepared for the expectation that you will have to prove that the discrepancies were made by someone else.
Unfortunately, the aftermath of a breach rarely comes with clarity. Virtually always there is a waiting game during which one just has to wait and see if anything goes awry in relation to their accounts.
There are two different types of services that stand to help safeguard an individual’s information.
- Often, companies offer those who may be affected free access to, at the minimum, credit monitoring. Credit monitoring is exactly what it sounds like: it monitors your credit and alerts you when there are any changes to your score or the related information.
- Identity theft protection alerts you when any of your personal information is utilized. Different companies offer a different array of services, but in general, the idea is that identity theft protection is more far-reaching than credit monitoring and looks at everything from when your information is used for social media to loan applications.
If you are indeed the victim of a hack, a credit repair company may be just what is necessary. Depending on the company, they will be able to resolve errors on your report as well as coordinate with lenders, debt collectors, and credit card companies to bolster your record.
After a major hack, one of the most popular questions is whether or not you can sue. Class action lawsuits virtually always pop up after major hacks; they are initiated by a lawyer on behalf of consumers impacted. If the courts decide that individuals impacted should be compensated, you are not required to do anything to be covered. However, if you participate in a class action then you are ineligible to ever sue as an individual, and you may be limited in terms of applying for an amount of compensation that exceeds the sum that the lawsuit ends up securing for individuals.
The truth is that even those who successfully wait out the long, slow process of suing a major company for damages and win are very rarely compensated in any substantial way.
To date, the largest settlement ever for a data breach was the $115 million paid by Anthem Inc., the largest U.S. health insurance company. That money went to cover two years of credit monitoring and up to $50 in cash for those who already have credit monitoring.
Fifty dollars for something that can irreversibly alter the quality of one’s life. It’s difficult not to raise an eyebrow. The main thing is to pay attention: keep an eye on your accounts so that at the first sign of foul play you can respond.
What is the legal obligation of a company that has leaked personal information?
Here’s where things get sticky. When a consumer enters information on a website, they’re almost always required to agree to the terms and conditions, and that agreement essentially means that the company has the right to store the info. So when the data is stolen, that company must be able to prove that they were doing every possible thing in their power to prevent it. Unfortunately, that means that credit card fraudsters and identity thieves are rarely caught or made to face punishment, since most resources and attention are focused on prevention and recovery.
In the case of a financial institution like Equifax, there are both state and federal laws at work to ensure that the company was not negligent in their responsibility of protecting consumer information. Equifax is under pressure from Congress; in a letter from Democrats on the Energy and Commerce Committee the members wrote, “Your company profits from collecting highly sensitive personal information from American consumers. It should take seriously its responsibility to keep data safe and to inform consumers when its protections fail.”
They’re also facing an investigation by the Federal Trade Commission and the Consumer Financial Protection Bureau; the former seems to be looking more specifically at what happened during, and the latter at the way Equifax responded afterwards.
So there are certainly regulations in place that impact how major companies are conducting business, and yet it’s interesting to ponder whether the trend in data breaches is only about the inevitable nature of things or if it is also about the consequences to the businesses themselves.
Robert Hackett of Forbes notes, “If you dig into the financial performance results of companies hit by some of the world’s most notorious, disclosed data breaches, a disturbing fact will strike you: They don’t seem to cost all that much.”
If companies see the repercussions of leaking data as mere operating costs, it seems unlikely that we will see any major shift in the trend of data breaches. Especially given the fact that in the case of a credit monitoring company like Equifax, there’s very little ability on the part of consumers to collectively push back in any satisfying way. And as a pillar of the American financial system, it’s doubtful that the FTC or the CFPB will cause them to modify their behavior in a noticeable way.
Those who fare best after a hack are those who are proactive about taking the steps that they can to protect their information. It should be based on a breach-by-breach case (Isn’t that cringe-inducing?), so if a company is offering a service, and you trust them with more of your information, go for it. But if you are going to be even more uncomfortable trusting them instead of bringing a third party into the situation, then don’t.
The modern consumer isn’t totally up a creek without a paddle; the question is whether or not that paddle is sufficient to help the affected actually make it back to solid ground.
This post was updated September 29, 2017. It was originally published October 3, 2017.