Is Post-Breach Credit Monitoring Useful? Lawmakers Ask GAO to Review

Following the mammoth hack of employee records at the Office of Personnel Management, lawmakers want the Government Accountability Office to review the effectiveness of credit-monitoring and identity-theft protection services being offered to federal employees and victims of similar breaches in the private sector.

The use of such services, which monitor credit histories and alert customers to fraudulent activity carried out in their names, has become routine as the number of data breaches in both government and the private sector has ratcheted up.

“Questions have been raised, however, about the usefulness and adequacy of credit-monitoring services in protecting victims’ credit following a breach,” Reps. Fred Upton, R-Mich., and Frank Pallone, D-N.J., wrote in a July 20 letter to Comptroller General Gene Dodaro, the head of GAO. Upton and Pallone are the chairman and ranking member, respectively, of the House Energy and Commerce Committee. Four other members of the committee also signed the letter.

Some credit-monitoring services don’t monitor all three major credit bureaus, experts say, “while criminal knows to apply for credit at all three bureaus,” according to the letter.

“Experts have also questioned whether one to two years of credit monitoring offers sufficient protection since cybercriminals can use stolen personal information many years after monitoring services have expired,” the lawmakers wrote in the letter.

The letter asks GAO to review how the federal government evaluates the “success and effectiveness” of post-breach fraud-protection services and if any federal agencies are involved in evaluating these services.

Lawmakers also want to know if the “use of these services and the information they compile create further vulnerabilities for the disclosure of personal information,” and if there are any regulation governing third-party data sharing by identity-protection companies.

Some federal employees impacted by the OPM breach told Nextgov last month they were forgoing signing up for the free services over fears their personal data would be misused by private companies providing the post-breach services.

All told, information on nearly 22 million federal employees, contractors and, potentially, their families was exposed in two related hacks of OPM files.

OPM has contacted most of the 4.2 million people affected by a hack of personnel files disclosed June 4 by the agency. Affected employees have been offered 18 months of free credit morning and identity-theft protection, through a $21 million contract with a company called Winvale, and its subcontractor CSID, which is actually conducting the outreach. CSID representatives say the company does not share or re-sell customer information.

About 20 percent of those eligible for free credit monitoring have signed up, according to OPM.

However, OPM hasn’t even started the process of tracking down those affected by the second, far larger hack of background investigation data to offer similar services.

OPM’s handling of post-breach services has been beset by criticism, including concerns about bogged-down call centers and poor customer service as well as complaints by federal employee unions that the 18 months of free service is too skimpy.