Fri, Aug 2, 2013

Credit Freezes Are Great for Victims of Identity Theft, Not Data Breaches

The recent California Attorney General report on data breaches in 2012 not only shed light on the specifics of the breaches that occurred in the state last year, it also offered advice to breached organizations that must comply with breach notification laws. One interesting piece of advice was this: “Companies and agencies should offer mitigation products or provide information on security freezes to victims of breaches involving Social Security numbers or driver’s license numbers.” The report goes on to say that these losses expose consumers to new account fraud, an increasingly common crime, and that credit monitoring and freezes can limit this risk to consumers.

Credit monitoring can be a valuable offering to someone impacted by a data breach; however, it is curious to offer credit freezes as an alternative to purchasing credit monitoring services for those affected. Offering a blanket recommendation to place a credit freeze for every breach victim, regardless of circumstance, and with no other counseling available is not appropriate.

A credit freeze is essentially like placing a lock on your credit file, in effect making your report/score available only to those with whom you currently have a credit relationship. A freeze has to be placed by the consumer with each of the credit reporting agencies (CRAs) separately. Then, the consumer receives a personal identification number (PIN) from each CRA to temporarily lift the freeze, making the credit report available to potential creditors, employers, etc. The consumer incurs fees for placing, and in some cases lifting, a freeze, but these fees vary by state, age of the consumer, and status as an identity theft victim.

For example, in California the regular fee at all three CRAs for placing a freeze is $10 per CRA, and another $10 per CRA for a temporary lift. In all cases, permanent removal is free. Victims of identity theft can place a freeze for free, but they must submit a police report or Department of Motor Vehicles investigative report that shows their report of the identity theft.

In 2008, Kroll shared comments with the Federal Trade Commission in response to their call for comments on credit freezes. Even at that time, our experiences in assisting consumers clearly showed the strengths and weaknesses of the credit freeze as a tool to impede identity theft. In general, it was a very effective tool for those who had already experienced recurrent credit-related identity theft, but consumers who were not identity theft victims were deterred by the expense, confused by the process, and restricted in their ability to freely purchase items on credit.

Many consumers don’t understand the differences between a credit freeze and a fraud alert. With a fraud alert, a creditor can see your data has been flagged and, in theory, should take steps to verify that you are the party applying for credit. Assuming it was not you applying, the call will alert you that someone tried to get credit using your identifiers. With a credit freeze, no one can access your data, so there is no mechanism in place to tell you someone attempted to use your information to apply for credit.

Unlike a fraud alert, a credit freeze cannot be placed with all three CRAs with one request; the consumer must contact all three and obtain three unique PINs, one from each CRA. It doesn’t help the consumer to place a freeze with just one credit agency: if a lender only uses one of the three for a credit check, it may not be the one where you placed a freeze, and in that case an identity thief could still obtain credit in your name.

These points also illustrate the fact that a breach victim is not the same as an identity theft victim. Depending upon the breach circumstances, it is likely that they do face a heightened level of risk, but this does not necessarily equate to the risk faced by those who are already identity theft victims. Unless the risk is imminent, breach victims are usually better served to take steps to monitor and safeguard their information, and to remain vigilant to the signs of identity theft.

Further, many states (California included) already require breached organizations to disclose a consumer’s right to place fraud alerts and credit freezes in addition to other required notification information. If an organization does not do this, they are likely in violation of state breach notification laws. But blanket recommendations for credit freezes place undue burden upon consumers whose identifiers may not be in any immediate jeopardy.

Of course, many consumer advocates like the credit freeze and believe it is a good option for breach victims. Let us know what you think: is a credit freeze a good choice? Or does it go too far?

By Kroll Editorial Team
