Does Identity-Theft Protection Really Work?

Victims of data breaches are usually offered identity-theft-protection services, but even the companies that promise to safeguard your identity are far from infallible.

Security experts and the government have suggested that signing up for an identity theft protection program is not enough to safeguard customers' identity. (National Journal)

Perhaps your data was compromised in a high-profile data breach at a health insurance company, or you were one of the unlucky victims of the Target or Home Depot hacks. Or maybe you got a letter in June from the Office of Personnel Management, years after you quit your last government job.

If you landed in any of these unfortunate categories — and it's not unlikely that you did, given the sheer scale of some of these data breaches — your consolation prize probably looked something like a free termed subscription to a credit-monitoring and identity-fraud-protection service.

The government in June paid about $20 million to provide the 4.2 million current and former federal employees affected by a data breach with 18 months of protection services from CSID. According to CSID President Joe Ross, almost a million people took the government up on the offer — an astronomical uptake rate compared to average enrollment rates after most private-sector breaches.

But for services that are often presented as a remedy for breaches that expose sensitive information, credit monitoring and identity-theft protection are far from a panacea.

The programs CSID and its competitors provide range from simple credit monitoring to robust identity-theft protection. The suite of services the government purchased for OPM hack victims in June was "the whole kit and caboodle," according to a spokesman for CSID, and included public-records and loan monitoring, a program that monitors shady corners of the Web to see if clients' personal information is being traded or sold, and $1 million in insurance against damages in the event of identity fraud.

Eric Warbasse, senior director of financial services and breach response at LifeLock, touted the utility of fraud-protection programs in an interview earlier this month. "Enrolling in a service or services that include remediation as a backup in the event that somebody is impacted — has their taxes filed fraudulently, for example, something that would never show on a credit report — is a wise decision regardless of whether or not you're part of the OPM breach," Warbasse said, referring to programs that help victims restore the integrity of their identities after an incident of fraud.

But security experts and the government have questioned the utility and security of these services, suggesting that signing up for a protection program is not enough to safeguard customers' identity.

The Federal Trade Commission last week took legal action against LifeLock over data-security practices the agency said do not adequately protect consumer information.

The FTC alleged that LifeLock violated the terms of a 2010 settlement, in which the company paid $12 million over claims that it was falsely advertising the security and robustness of its service.

Concerns about the company's practices were raised also by a whistle-blowing executive last year and by Experian, a credit-reporting agency, in 2008.

Costis Toregas, associate director of the Cyber Security Policy and Research Institute at George Washington University, said the allegations of security shortcomings are not new. "It doesn't surprise me, because we know that companies whose job it is to secure data are themselves vulnerable," said Toregas.

"Am I shocked and surprised that I found gambling going on in the back room? No," Toregas continued. "Everything is hackable. They should be very, very careful of their promises."

LifeLock says it disagrees with the FTC's decision and will fight the new allegations in court. "Based on the evidence, we do not believe that anything the FTC is alleging has resulted in any member's data being taken," the company said in a statement.

Just one day before the FTC's charges were announced, lawmakers from the House Energy and Commerce Committee sent a letter asking the Government Accountability Office to study the "usefulness and adequacy" of offering ID-theft-protection services to hack victims.

The bipartisan group who signed the letter asked the GAO to answer questions about taxpayer cost and the state of service providers' security standards.

House Minority Whip Steny Hoyer said Monday that identity-theft monitoring may never be enough to protect individuals who lost sensitive personal info. The 21.5 million victims of an OPM data breach announced earlier this month had their names, addresses, and Social Security numbers compromised, and 1.1 million individuals had their fingerprints stolen.

"There may be some things we can't compensate for," Hoyer said.

That said, victims of data breaches who are offered months or years of free identity-theft-protection services should take advantage of them, said Toregas.

"Never look at a gift horse in the mouth," he said. "For sure, accept it. But do not think that that is adequate."

Toregas advises breach victims to learn about cybersecurity practices, change their online lifestyles to manage risk, and always operate under the assumption that their personal information has been stolen at least once.

"Breaches have nothing to do with computers," he said. "They have everything to do with your life. They have everything to do with your career, with your credit, with your happiness, with your ability to get on an airplane and not to be arrested for a different identity, and so on."

This article was corrected to reflect the fact that Home Depot, not Best Buy, was affected by a data breach.