Do Banks Need to Rethink Identity Protection Services?
Identity theft protection company LifeLock is coming under fire from the Federal Trade Commission for failing to adequately protect customers' credit card and bank account data, Social Security numbers and other sensitive personal information, among other allegations.July 22
The influential blogger says it's time for a national debate on the role Experian and other credit agencies play in protecting and consumers' identity and privacy.April 21
It's been a bad week for identity theft protection services.
First the Federal Trade Commission accused LifeLock of failing to secure customer data as it promised to in a 2010 agreement. (In a statement, LifeLock said it disagrees with the FTC's contentions and is prepared to take its case to court.) Then the credit bureau Experian, which is also a big provider of identity protection services, was hit with a class-action lawsuit for allegedly selling consumer records containing personally identifiable information to an identity thief. The data sales in question were conducted by a consumer data aggregator Experian acquired called Court Ventures. (An Experian executive said that due to the pending status of the litigation, it cannot comment.)
For the many banks that offer these companies' services to their customers, such incidents raise questions about the value of digital identity guard offerings.
"Frankly, this is a good thing because these services have lots of issues that needed to come to light," said Avivah Litan, vice president of Gartner. "Consumer data has been heavily compromised at many firms for a long time and cannot be relied upon for identity proofing anymore. Banks and others must use alternative and complementary solutions."
Identity protection services generally scan the web for signs of misuse of a customer's personal information and send alerts of suspicious activity.
Litan argues that they provide limited protection to consumers at risk and that some of the tasks they perform customers can do themselves for free. For instance, by law consumers can obtain free credit reports three times a year. They can also sign up for free credit monitoring from Credit Karma and Credit Sesame.
Eva Velasquez, president and CEO of the Identity Theft Resource Center, a San Diego-based nonprofit that helps consumers cope with identity fraud issues, acknowledges that consumers can do their own credit and identity monitoring, but notes that not everyone has the time and inclination to do so.
"I can give my dog a bath myself, or I can take her to a dog groomer," she said. "Just because I can do something for myself does not automatically mean it's not a legitimate service."
As a practical matter, most people who call the nonprofit for help can't afford identity protection services (LifeLock, for one, ranges from $10 to $30 a month).
"We tell people to practice good identity hygiene," she said. "If that means you want to consider delegating some of that responsibility to an ID protection company, that's where we start saying, read the fine print, make sure it meets your needs, make sure you understand what's covered and how their process works. If you have an ID theft issue, do they remediate the theft for you, or do they give you a plan that you use to remediate it yourself? If they have insurance liability coverage, look at what's covered. And make sure you understand you're paying the appropriate amount."
The center also encourages consumers to take action on their own: to check their credit reports, monitor their bank statements, shred documents containing personally identifiable information and be on the lookout for phishing attempts and scam websites.
Al Pascual, director of fraud and security at Javelin Strategy & Research, points out that free credit monitoring services are reactive.
"You're not going to find about [ID theft] until after it happens, so it's not so much about preventing it but detecting," he said.
The way some ID protection services monitor the Internet and the dark web for the buying and selling of customer information, on the other hand, is something customers can't do on their own and has value, he argued.
"If you know your personal information is being bought and sold, you can take steps to lock down your accounts and change passwords," he said. "You can be proactive and possibly prevent fraud."
And services like Early Warning work with banks and ID protection companies to monitor for new checking and savings as well as credit accounts taken out in customers' names in a way that credit monitoring services can't.
The Wrong Fix
Critics say the way banks typically offer identity protection services as a remedy to victims of data breaches is not helpful.
"They do nothing to protect consumers against the use of stolen credit and debit cards as a result of all the big celebrated breaches yet the typical enterprise response to such a breach is to offer potential consumer victims free credit monitoring and identity theft protection," Litan said.
Breached payment card information is the easiest type of ID theft to remediate because the consumer is not liable for the charges on it, particularly if it's a credit card.
"When Target said it would offer credit monitoring for the breach victims, it was not an appropriate remedy," Velasquez said. "It appears to us that they wanted to demonstrate their commitment to their customers, but it did kind of confuse things, because then people thought 'gosh, if my credit card is compromised, people can steal my identity.' That's not the case."
Consumers are also often offered free fraud resolution assistance in the wake of a data breach, which sounds better than it is. They can go directly to their card issuer for fraud resolution and don't need a third party.
"So you give people a false sense of security because you think you have to give them something," Pascual said.
The Freezing Alternative
The most effective thing consumers can do to deter identity fraud, Litan said, is put a freeze on their credit reports at the major credit bureaus (Experian, Equifax and TransUnion). This prevents creditors from pulling a customer's credit report and score unless the customer first unlocks it by providing a password. Because most credit applications require a credit check, thieves applying in the customer's name will get denied when the creditor can't check their credit.
"That's by far the most robust tool you have to help thwart financial ID theft and it can be a great resource for people who have been victims and need to lock down their credit, or for older people who aren't actively seeking credit," Velasquez said. However, she added, "it not only locks out thieves, it locks out you and it locks out legitimate merchants, if you're trying to apply for a home loan or purchase a car. You have to go through a process of thawing it and then refreezing it and there are fees involved."
Another drawback: consumers need their credit reports for other things, like getting a job. "People may be surprised at the number of times they have to turn this thing on and off," Pascual said.
Industry observers agree that identity theft services are not perfect, yet nothing is. "There's no panacea, there's no 100% solution," Pascual said. "There are types of ID fraud that are going to slip through every possible net. If a criminal gets your ID and applies for employment with it, there's no way for you to be aware of that."
And even the plaintiffs in the Experian case see value in ID theft services. One of their demands is that the credit bureau "provide quality credit monitoring and substantial identity theft coverage" to customers who might have been affected by the breach.