The Tech Scene: As Data Breaches Increase, Questions on Firms' Duties

As data breaches have proliferated, the companies that suffered the data losses have faced more scrutiny.

One such company, International Business Machines Corp., is drawing both praise and criticism for its response to a data breach in February.

IBM hired Kroll Inc., a Marsh & McLennan Cos. Inc. unit, to provide fraud monitoring and identity restoration after several of its data tapes went missing.

The service IBM chose offers credit monitoring but not a credit report, a staple of the credit bureaus' top-selling services. Though Kroll's service, in addressing nonfinancial identity theft, offers more than one can get through credit monitoring alone, the absence of a credit report has been noticed by those affected by the exposure.

"This is more than just credit monitoring," said Fred McNeese, an IBM spokesman, in an interview. "In the event that the loss was linked to credit theft, then it's working with Kroll to restore a person's identity."

Avivah Litan, a vice president and research director at Gartner Inc., a market research company in Stamford, Conn., said most companies put little thought into nonstandard fraud monitoring services.

She said IBM made a good pick in Kroll. "Credit restoration is very labor-intensive," and getting a credit report is not, she said.

If consumers are more concerned about credit reports, they "just don't know where the value is," Ms. Litan said. "I would much rather have credit-restoration services." It "looks to me like IBM is being very progressive."

Critics of the Armonk, N.Y., company include George Jenkins, one of the people whose data was on the missing IBM tapes. Mr. Jenkins maintains a blog called I've Been Mugged that examines IBM's response to the breach. His Aug. 20 posting discussed the specifics of the Kroll service IBM offers.

Mr. Jenkins, who said he has not made up his mind on the merits of Kroll's service, said in an interview that a credit report is a necessity.

Even though "credit restoration is even more valuable" when consumers have limited options to prevent misuse of their data, the basics are still important, he said.

"Most people don't know the difference between a data breach, a fraud alert, and a credit freeze," he said. "It's a topic most consumers don't want to think about."

Mr. Jenkins has signed up on his own for the Profile Protect credit monitoring service from Discover Financial Services LLC of Riverwoods, Ill., which gives him a credit report, but he said most consumers would not want to sign up for two separate services.

"A consumer's going to want one good source to help them," he said. "I want to go to one place and see all of this at once."

IBM's Mr. McNeese said, "I just can't comment on why we didn't think that [a credit report] was necessary, but we believe that the program that we got out there is really the way to go."

Mr. Jenkins said companies should offer more than just a year's worth of monitoring, because fraud is still possible after that.

"It should match the risk period based on data exposure," he said. "The risk period is not one year. … In my mind, it's far longer than one year."

Brian Lapidus, the senior vice president of Kroll's fraud solutions unit, said that a consumer's case is not closed until the consumer is satisfied, even if that means going beyond the term the company hired Kroll for.

"That investigator is your investigator for the life of your case," he said. Mr. Lapidus would not discuss Mr. Jenkins' blog.

Fidelity National Information Services Inc.'s card processing unit, Certegy Inc., took a different approach when it disclosed a breach last month and turned to a service from the credit bureau Experian Inc.

Renz Nichols, Certegy's president, said he wanted to address concerns about data security without spending too much.

"We're really just trying to give the consumer the visibility into what their accounts are," he said. "We got basically the vanilla version" of what Experian offers, Triple Alert, which does not include credit reports.

Certegy did not consider identity theft insurance or other extras. "Since we're bearing the cost of this, that was a very important factor," Mr. Nichols said.

Nonetheless, Certegy was able to do more on its own because of the nature of its business, he said.

"We're the ones holding the checks at the end of the day anyway," so the company can more closely inspect those accounts for fraud, Mr. Nichols said. Certegy is likely to spot fraud before consumers do, he said.

Tim Olsen, a vice president of business development for Experian, of Costa Mesa, Calif., said that though many companies consider his company's cheaper services, most buy its most expensive and full-featured product.

Most are willing to shell out more money because "a breach incident is very serious and is treated as such," Mr. Olsen said. "It's not just about the data, it's about people."

The bureaus have also been selling services to corporate customers that go beyond what they sell to consumers. A company can ask Experian to handle its mailings or take phone calls on the specifics of a breach incident, he said.

Dodge McFall, the senior vice president of personal solutions at the Atlanta credit bureau Equifax Inc., said those extras are growing in popularity.

"More clients are more comfortable turning over more of those things so that the consumer or the employee has as good an experience as possible," he said.

Equifax and Experian executives said most customers choose their most full-featured services.

Ms. Litan said that the typical company lacks the planning needed to make effective decisions after a data breach.

"Most companies are in a crisis management mode," she said. "They want to get rid of the problem."

Cost is also a factor, she said. "It's not like they're looking for the cheapest service, but they're not looking for the most expensive either."
