The Government Accountability Office recently released a report that analyzed the results as well as the relative effectiveness of the identity theft services, including insurance, provided to victims of data breaches and other forms of digital compromise.
The report is entitled, "Range of Consumer Risks Highlights Limitations of Identity Theft Services," and it largely reiterates the GAO's 2017 assertion that the identity theft insurance provided to agencies in the wake of a data breach were both unnecessary and largely ineffective. The findings also included a conclusion that credit monitoring, identity monitoring, and identity restoration services were of questionable value. The GAO recommended that Congress should explore whether government agencies should be, or indeed are, at present, legally required to offer victims of federal data breaches any of the services examined in the report.
At the center of the report's finding was $421 million set aside by the Office of Personnel Management for the purchase of a suite of identity protection products and services following the 2015 data breach that exposed extremely sensitive personal information of 22 million individuals. According to the report, the "obligated" money expended was largely squandered.
"3 million had used the services and approximately 61 individuals had received payouts from insurance claims, for an average of $1,800 per claim... GAO's review did not identify any studies that analyzed whether consumers who sign up for or purchase identity theft services were less subject to identity theft or detected financial or other fraud more or less quickly than those who monitored their own accounts for free..." To be clear, there is a jump in logic here. Just because the GAO was unable to find data to support these services does not mean the services are ineffective. In fact, it could just as easily be that the services work.
Then there was the GAO's observation that, "The services also do not prevent or directly address risks of nonfinancial harm such as medical identity theft." When millions of Social Security Numbers have been exposed, prevention of identity theft is purely aspirational. Frankly, this assertion would not pass muster with the FTC, since it is actually frowned upon to suggest that any service provider can prevent identity theft. The goal is awareness and targeted action, and medical fraud, in particular, is an area where detection is, at best, difficult and resolution is often complicated and requires professional assistance.
While the report raises an important point, it is too limited in scope to pinpoint it effectively. Not all identity theft services are the same. Those offered by the OPM to victims of its massive breach may or may not have been ineffective, but if they were, mostly likely it was because they were inadequate to the task or "mis-underestimated" during on-boarding, not because they're unnecessary. In other words, it's not a question of how much money changed hands, it's how those funds were spent.
In the case of the services offered to victims of the OPM breach, the results do look damning: 61 paid insurance claims out of 3 million service users is the kind of figure unworthy of rounding error status. The above result must not, however, be mistaken for a demonstration of why identity theft insurance isn't useful, but rather should be understood as a real-life metric of the usefulness of the specific plan provided, and the applicability of that's plan provisions to the majority of the individuals covered by it.
Consider this counterpoint: If the services provided worked, little to no insurance payments would be necessary. (See above.)
Rather than scrapping the requirement, policies should either be expanded to cover more of the expenses associated with identity theft (there are many), or they should prioritize more robust monitoring tools and full identity fraud remediation solutions with the funds available.
Lack of Participation
Another issue raised by the report is participation on the part of those affected by data breaches. According to data from OPM, only 13 percent of those affected took advantage of the services made available to them--at least as of September 30, 2018. While the number may seem low, anecdotally it's not really. Regardless, the question remains: Were those services made available in an accessible way that encouraged action on the part of users?
History suggests that paltry participation figures are due in no small part to a lack of awareness among consumers of the dangers posed by the exposure of personal information and the often free (to the consumer) availability of products and services that help manage the damage. Workplace education in this area is lacking, for sure, but that alone doesn't explain it. Beyond breach fatigue, a larger factor may be lack of confidence in or clarity about the services provided--and that is an issue that belongs to vendor selection, because it's their job to make clear what's at risk and how the proffered solutions can help.
As described elsewhere in the report: Organizations that offer services, don't do it based on what should be the pivotal question here: "how effective these services are." Instead, "some base their decisions on federal or state legal requirements to offer such services and the expectations of affected customers or employees for some action on the breached entities' part." If the standard is to offer a certain amount of protection, they do that. Does it matter what kind? Can it be a generic? That's the crux of the matter here.
Spoiler alert: It matters what service provider you choose. If you take nothing else away here let it be this: identity protection services and insurance are useless in a low-information environment. Indeed, if the service provider doesn't produce an ocean of content that explains to users why they need to use the services, then it's probably not right for mass allocation.
Data breaches have become so commonplace and the threat of identity fraud so widespread that token offerings to those affected are increasingly viewed as a B.S. attempt at better optics while a company is in disaster mode. A vicious cycle ensues: lack of confidence in a breach response leads to lack of participation in identity theft protection offered, and lack of participation is used to justify offering less comprehensive protection--all while identity theft incidents and data breaches increase.
The GAO report raises many salient points about the services offered in the wake of data breaches. The current legislation and its requirements for both identity theft protection services and insurance can rightly be viewed as an expensive boondoggle with little to show when it comes to actual results, but the conclusion of the GAO--to pull back instead of getting the right services in place to protect against future breaches and assist their victims when they can't be avoided--is worrisome.
We need to focus now more than ever on high-information, robust solutions that provide greater protection as well as more guidance and assistance--not less.