Analyst Questions the Value of Fraud-Monitoring Services in Wake of Data Breaches

The number of companies caught in data breaches exposing consumers' credit, debit and bank account numbers is growing, but the best way to make amends to customers is not yet clear.

The damage to companies' public reputations and consumer trust is just one casualty.

Taking action to help block consumer identity theft and fraud is another top concern in the wake of data breaches. Increasingly, companies that experience breaches are moving to reassure their audiences by making fraud-monitoring services available for free to affected consumers after publicizing the attack.

Affected customers typically receive a letter from the company that experienced a breach explaining what happened and that the customer's personal financial information could be at risk. The company then invites such customers to opt to receive free fraud-monitoring services for a year.

That trend is helping to drive new business for CSIdentity Corp., an Austin, Texas-based company that provides online global fraud-detection services.

CSID's technology monitors criminal Web pages, chat rooms, bulletin boards and other online forums for compromised personal information. When the technology detects trading or selling of personal information online, the firm notifies the affected individuals and provides instructions on how to protect and restore their identity.

Sony Corp. tapped CSID in August to provide its customers with global fraud-monitoring services following a data breach of the PlayStation network that exposed tens of millions of accountholders' personal information, Joe Ross, CSID president, tells PaymentsSource.

And Strategic Forecasting Inc., an Austin-based global intelligence and security company known as Stratfor, on Dec. 29 announced it is offering its customers 12 months of free global fraud-monitoring services in the wake of a December website breach. Hackers taking credit for that breach said they planned to expose 75,000 names, email addresses and credit card numbers of Stratfor customers.

CSID charges companies that sign up to provide the service only for those customers who opt in to receive the fraud monitoring. "Only 15% to 20%" of consumers typically agree to receive the service after receiving a letter, Ross estimates.

Ross theorizes the consumers are not concerned about their direct liability if their credit or debit card account information is stolen. "They figure they're covered," he says.

Business demand for CSID's services is on the rise, Ross says.

But at least one analyst questions the value of such services.

Most consumer fraud-monitoring services "don't provide a whole lot of protection" for consumers whose card or bank account data are exposed, Avivah Litan, Gartner vice president and distinguished analyst, tells PaymentsSource.

"Mainly what you get from a fraud-monitoring service is notification if someone takes out a loan of some kind in your name and that data touches a credit-bureau file," Litan says. "It doesn't let you know if your credit card was stolen or used, and in most cases the consumer is not liable anyway."

In an online survey Gartner conducted in August involving 3,000 U.S. adults, 13% of respondents said they would take advantage of a free fraud-monitoring service if it were offered to them in the wake of a data breach.

Financial-services companies and banks "generally" have data-breach response plans in place, but about 95% of companies that are not in financial services and handle credit card and bank-account information lack such plans, Litan estimates.

"Eventually, we expect to see legislation emerge nationally that will require companies to take better precautions and guard against data breaches, and put data-breach recovery plans in place, but we are a long way from seeing that on a widespread basis," Litan says.
