“My company’s had a data breach, now what?”
With more than 630 data breaches in the U.S. from Jan. 1 through Aug. 31 of this year, according to the Identity Theft Resource Center, this question is becoming increasingly common.
Twenty-sixteen is on track to exceed the total of 780 breaches the center recorded in 2015, which could put millions of individuals at risk of identity fraud.
“Data breach” encompasses a broad range of incidents in which personal information may have been compromised, including hacking, accidental disclosure, skimming, insider theft, lost equipment and careless disposal of documents.
When companies, organizations or government agencies experience a data breach that may have exposed people’s personal information, one of the many issues they must address is how to help those affected. Identity theft service providers can assist companies in many of these instances.
The Consumer Federation of America (CFA) made a checklist to help companies determine whether identity theft services are needed. CFA also offers suggestions on how to choose an identity theft service provider.
The checklist is aimed at any company, agency or organization that holds or transmits personal information—as many financial advisors and firms do.
“With financial advisors, if they have things like people’s Social Security Numbers—which are the keys to unlocking their identities and which can be used for many fraudulent purposes; not just opening up new accounts in somebody’s name but attaining government benefits, employment, housing—the problems that could result from a breach could be very serious and very complicated to resolve,” Susan Grant, director of Consumer Protection and Privacy at CFA, told ThinkAdvisor.
“That’s a situation where you would want an identity theft service that monitors a lot of different kinds of databases and also monitors the web to see if people’s Social Security Numbers are being offered for sale on websites that specialize in that,” she added.
Grant stressed that while it’s easy to resolve problems with unauthorized charges to credit cards or debits, data breaches can lead to much trickier situations.
“I can imagine that with other kinds of accounts the clients of financial advisors might have—whether it’s different kinds of bank accounts or stocks or bonds or annuities or whatever they may be—if somebody can use the stolen information to get into those accounts, it could really wreak havoc and be a problem that would be more than the breached victim could easily resolve themselves,” Grant said.
Here are the CFA’s seven questions that financial advisors can ask themselves to better prepare for the consequences of a data breach:
1. What are identity theft service providers?
The CFA defines identity theft service providers as companies that provide a range of services which typically include alerting individuals about potentially fraudulent use of their personal information, mitigating the damage, and/or helping victims recover from identity theft.
“Identity theft services typically alert people about possible fraudulent use of their stolen information and help them recover from fraud if it occurs,” Grant explained. “These monitoring and recovery features vary widely from company to company and can be tailored specifically for a particular breach situation.”
2. Is it a good idea to retain an identity theft service provider before a data breach occurs?
The CFA suggested companies should consider having identity theft services lined up in advance in case of a data breach rather than shopping for those services in the midst of one.
According to the CFA, companies may also be able to save money by pre-negotiating for future identity theft services.
3. How do you know whether identity theft services are necessary if a breach occurs?
Whether identity theft services are necessary in the event of a data breach depends in large part on the types of personal information involved and the circumstances in which the breach occurred, according to the CFA.
Most states have data breach notification laws, some of which require offering identity theft services in certain breaches, and there are also federal laws that may apply. The CFA said these laws vary in terms of the types of entities that they cover and what triggers a requirement to provide notice, and to whom.
“One good rule of thumb is if you are required by law to notify people of a data breach, it’s a good idea to consider providing these kinds of services,” Grant said.
4. What features of identity theft services should you look for to help breach victims?
Identity theft service providers offer a variety of services and features. The CFA said companies interviewing identity theft service providers should describe the types of information that have been or could be compromised and ask the providers what features would best meet the needs of those affected. They will need to have a thorough understanding of the situation to determine the specific features companies may want to offer.
Other general questions to ask include: Are services available 24/7? Is there a toll-free number with live operators? What response times will the provider commit to? Can the service handle multiple languages? If monitoring is provided, how quickly are alerts sent? Are there specially trained personnel to help victims of fraud resulting from the breach, and will that assistance continue for problems that aren’t resolved when the contract ends?
5. What other kinds of assistance might identity theft services provide in breach situations?
Some identity theft service providers will help companies respond to a breach, including writing and/or sending the notifications to those affected by the breach. The CFA said identity theft service providers may also be able to help companies handle calls and emails asking for general information about the breach. Providers may also provide companies with advice about FAQs and other helpful information for their website.
“Keep in mind that you should never rely solely on advice from an identity theft service provider; always consult with legal counsel on the wording of breach notifications and other steps that you should take in response to the breach,” according to the CFA.
The CFA suggested retaining an attorney that specializes in helping organizations respond to breaches.
6. How can you find reputable identity theft service providers?
According to the CFA, an insurer, lawyer or consultant that works with a company to deal with breach situations may have suggestions for identity theft service providers to use.
“Be aware that there are many organizations that offer ‘ratings’ for identity theft services,” the CFA warned. “Some of them are independent and impartial, others are ‘pay-to-play.’ Ask the identity theft service providers that you are considering for references from clients they have served in similar breach situations.”
The CFA also recommended checking the identity theft service provider’s complaint records and ratings with the Better Business Bureau.
7. What else should you think about when considering contracting for identity theft services?
“As with any business contracts, you’ll want to make sure that the services are clearly described in your provider agreement and the terms accurately reflect your expectations,” according to the CFA’s suggestions.
The CFA also said companies may want to consider including provisions that address whether and in what manner the identity theft service provider may solicit the breach victims to buy services during the contract period and/or purchase services once it ends.