Complimentary identity protection services (IDPS) have long been a staple of post-breach damage control as compromised organizations repair their reputation with customers. Last year, data breaches accounted for 1 out of 5 active IDPS subscriptions – a proportion that is unlikely to fall any time soon. Done well, these services can offer real protections to breach victims. Done poorly, identity protection offerings provide a false sense of security, at best. Breach victims are left without protection, ID protection firms appear ineffectual, and the breached entity is left with an even more tarnished reputation.
Payment card breach (e.g., Target)
- Major fraud threats: counterfeit card fraud, e-commerce fraud
- Key IDPS features: existing account monitoring, black market monitoring
Early payment card breaches were a perfect example of this mismatch. Following the Target and Home Depot breaches, victims were offered identity protection services that included credit monitoring, fraud insurance, and resolution assistance. On their own, these services are ill-suited to protect against fraud on existing accounts. Credit monitoring may detect a change in the balance on a credit card, but it will notice nothing until the balance has been reported to the credit bureaus, usually at the end of the statement period. Consumers already have strong protections against credit and debit liability under Federal Reserve Regulations E and Z. Resolution of card fraud is usually handled by the issuer with minimal consumer hassle.
After card breaches, the core features that should be offered to victims are:
- Existing account monitoring. By monitoring transaction activity for suspicious purchases, identity protection services can go above and beyond the security offered by financial institutions – alerting breach victims to suspicious activity that is not detected by issuer systems. Ideally, this will be supplemented with an array of customizable alerts so that subscribers can define what they consider to be suspicious activity – setting the boundaries as tightly as they deem prudent.
- Black market monitoring. This can alert victims that their information is being bought and sold in criminal networks, allowing them to secure their account before fraud occurs – possibly by having their card reissued or temporarily disabled. This particular solution deserves note because it provides visibility into an area that consumers have no ability to monitor on their own.
More information on the best IDPS features to match against different fraud threats can be found in our 2016 Identity Protection Services report.