Identity Theft Services Inefficient at Addressing Data Breach Risks, Watchdog Says

The Government Accountability Office is doubling down on its recommendation that Congress reconsider the identity theft insurance it requires federal agencies to offer after data breaches.

In 2017, the office recommended Congress should let agencies determine the right amount of identity theft insurance coverage. GAO renewed the recommendation this week after new findings further suggest that identity theft services do not effectively alleviate all data breach risks that victims face.

GAO reviewed documentation and conducted interviews with academic, consumer, government and industry experts to “evaluate issues related to consumers’ options” to address potential harm from data breaches. The agency found that there’s limited information around actually assessing said options.

“We did not identify any studies that analyzed whether consumers who sign up for or purchase identity theft services encounter fewer instances of identity theft or detect instances of financial or other fraud more—or less—rapidly than consumers who take steps on their own,” the report said. “Views of experts varied, but most said identity theft services have limitations and would not address all data breach risks.”

The agency noted that, despite the inefficacy of these services, public and private entities that experience breaches will sometimes offer them complimentary and the government is mandated to do so.

“As of November 30, 2018, the Office of Personnel Management (OPM) had obligated about $421 million for a suite of credit and identity monitoring, insurance, and identity restoration services to offer to the approximately 22 million individuals affected by its 2015 data breaches,” the report said. “As of September 30, 2018, about 3 million had used the services and approximately 61 individuals had received payouts from insurance claims, for an average of $1,800 per claim.”

The agency further added that entities don’t necessarily offer identity theft services to protect consumers, but instead do so in an effort to reduce their own liabilities.

The findings, according to GAO, demonstrate that the government and private companies should work to implement options that can help prevent data breaches from happening before they actually do. The agency recommended that Congress permit agencies to determine the appropriate coverage levels for identity theft insurance and noted that legislation requiring agencies to offer certain levels is both costly and unnecessary.

GAO offered other options that may help prevent fraud including free credit freezes, setting fraud alerts and reviewing credit reports, financial statements and other accounts.