Identity Theft Services:

Services Offer Some Benefits but Are Limited in Preventing Fraud

GAO-17-254: Published: Mar 30, 2017. Publicly Released: Mar 30, 2017.

Contact:

Lawrance Evans
(202) 512-8678
evansl@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Identity theft services offer some benefits but have limitations.

  • Credit monitoring helps detect new-account fraud (that is, the opening of new unauthorized accounts) by alerting users, but it does not prevent such fraud or address existing-account fraud, such as misuse of a stolen credit card number. Consumers have alternatives to credit monitoring, including requesting a low-cost credit freeze, which can prevent new-account fraud by restricting access to the consumer's credit report.
  • Identity monitoring can alert consumers to misuse of certain personal information by monitoring sources such as public records or illicit websites, but its effectiveness in mitigating identity theft is unclear.
  • Identity restoration seeks to remediate the effects of identity theft, but the level of service varies: some providers offer hands-on assistance, such as interacting with creditors on the consumer's behalf, while others largely provide self-help information, which is of more limited benefit.
  • Identity theft insurance covers certain expenses related to the process of remediating identity theft but generally excludes direct financial losses, and the number and dollar amount of claims have been low.

These services also typically do not address some types of threats, such as medical identity or tax refund fraud.

Various factors affect government and private-sector decision making about offering identity theft services, and federal guidance related to these services could be improved. In the federal sector, legislation requires certain agencies to provide identity theft services. For example, legislation requires the Office of Personnel Management (OPM) to provide these services to individuals affected by its 2015 data breaches for 10 years, as well as provide $5 million in identity theft insurance. However, this level of insurance coverage is likely unnecessary because claims paid rarely exceed a few thousand dollars. Requirements such as this could serve to increase federal costs unnecessarily, mislead consumers about the benefit of such insurance coverage, and create unwarranted escalation of coverage amounts in the marketplace. The Office of Management and Budget (OMB) has guidance on agencies' response to data breaches, but this guidance does not address the effectiveness of these services relative to lower-cost alternatives, in keeping with OMB's risk management and internal control guidance. Further, OPM provided duplicative identity theft services for about 3.6 million people affected by both of its 2015 breaches, and OMB has not explored options to help federal agencies avoid potentially wasteful duplication. In addition, contrary to key operational practices previously identified by GAO, OPM's data-breach-response policy does not include criteria or procedures for determining when to offer identity theft services, and OPM has not always documented how it chose to offer them in response to past breaches, which could hinder informed decision making in the future. In the private sector, companies often offer consumers affected by a data breach complimentary identity theft services for reasons other than mitigating the risk of identity theft, such as avoiding liability or complying with state law.

Why GAO Did This Study

Private-sector and government entities that experience data breaches often provide affected consumers with identity theft services, which typically include credit monitoring, identity monitoring, identity restoration, and identity theft insurance. In response to data breaches in 2015, OPM awarded two contracts obligating about $240 million for identity theft services.

GAO was asked to examine issues related to identity theft services and their usefulness. This report examines, among other objectives, (1) the potential benefits and limitations of identity theft services, and (2) factors that affect government and private-sector decision-making about them. GAO reviewed products, studies, laws, regulations, and federal guidance and contracts, and interviewed federal agencies, consumer groups, industry stakeholders, and eight providers selected because they were large market participants.

What GAO Recommends

Congress should consider permitting agencies to determine the appropriate coverage level for identity theft insurance they offer after data breaches. OMB should analyze the effectiveness of identity theft services relative to alternatives, and should explore options to address duplication in federal agencies' provision of these services. OPM should address in its breach-response policy when to offer these services and should document its decision-making process. OPM agreed with GAO's recommendations to the agency.

Matter for Congressional Consideration

  1. Status: Open

    Comments: As of May 2018, Congress had not enacted legislation for which our Matter for Congressional Consideration would be applicable.

    Matter: In the event that Congress again requires an agency to provide affected individuals with identity theft insurance in response to a breach of sensitive personal data, Congress should consider permitting the agency to determine the appropriate level of that insurance.

Recommendations for Executive Action

  1. Status: Open

    Comments: No executive action taken as of June 2018.

    Recommendation: The Director of the Office of Management and Budget should, to the extent feasible, conduct an analysis of the effectiveness of the various identity theft services relative to alternatives, and revise OMB's guidance to federal agencies in light of this analysis.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Open

    Comments: No executive action taken as of June 2018.

    Recommendation: The Director of the Office of Management and Budget should explore options to address the risk of duplication in federal agencies' provision of identity theft services in response to data breaches, and take action if viable options are identified.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: In September 2017, OPM issued a "Breach Response Plan," which includes basic considerations and processes to be used when determining whether OPM should offer identity theft services in response to a data breach.

    Recommendation: The Director of the Office of Personnel Management should incorporate criteria and procedures for determining whether to offer identity theft services into the agency's data-breach-response policy.

    Agency Affected: Office of Personnel Management

  4. Status: Closed - Implemented

    Comments: In September 2017, OPM issued a "Breach Response Plan," which includes instructions for documenting key agency decisions made in response to a breach, including decisions related to providing identity theft services.

    Recommendation: The Director of the Office of Personnel Management should implement procedures that provide reasonable assurance that significant decisions on the use of identity theft services are appropriately documented.

    Agency Affected: Office of Personnel Management

 
