Dealing with Data Breaches

October 4, 2016

Data breaches are an increasing threat for businesses of all sizes. If you have a breach that exposes the personal information that you hold about your customers or employees, what should you do to help them? Should you hire an identity theft service provider? If so, how should you choose one? Consumer Federation of America, a nonprofit association of consumer organizations and agencies, has created a checklist, “My company’s had a data breach, now what? 7 questions to ask when considering identity theft services,” to help you make these decisions. This is not meant to be legal advice, however – always consult with an attorney about how to respond to a data breach.

Identity theft services typically alert people about possible fraudulent use of their personal information, mitigate the damage, and/or help victims recover from identity theft. The features of these services vary and can often be customized to fit particular breach situations. One basic question to ask is whether the service will provide information to the breach victims about how to reduce the potential damage that may result – for example, by changing their account numbers and passwords, monitoring their accounts online, and using fraud alerts, security freezes and other tools.

Businesses seeking to contract for identity theft services should ask the same questions about how they function that consumers shopping for such services would. Are they available 24/7? Is there a toll-free number with live operators? What will the response times be? Can they handle multiple languages? If monitoring is provided, how quickly are alerts sent and what are the options for receiving them? Are there specially trained personnel to help victims of fraud resulting from the breach, and will that assistance continue for problems that are not resolved when the contract ends?

The checklist explains the different kinds of monitoring and fraud resolution that may be offered and what is most useful to the breach victims depending on the types of personal information that were compromised. How do you know if you need an identity theft service at all? A good rule of thumb is: if you are legally required to notify the victims of a data breach, consider providing these services. Some identity theft service providers can also assist you in writing and/or sending the notifications to those affected by the breach and handling general inquiries.

You may want to retain an identity theft service provider in advance to avoid the stress of having to select one in the midst of a hectic breach situation. Ask your insurance company if your coverage includes identity theft services. If it does, your insurer may provide a list of service providers. The checklist also provides other suggestions for how to find a reputable identity theft service.

As in any contract, you will want to make sure that the agreement clearly describes the services and the terms accurately reflect your expectations. You may want to consider including provisions that address whether and in what manner the identity theft service provider may solicit the breach victims to buy services during the contract period and/or purchase services once it ends.

Ultimately, the quality of the identity theft services you offer to data breach victims and the behavior of the service provider will reflect on you. Identity theft services may not be necessary in every breach situation, but if you decide to offer them, choose the services and features that will best fit the needs of those who may use them. You will find “My company’s had a data breach, now what? 7 questions to ask when considering identity theft services” on the homepage of CFA’s website.


** This article was contributed by Susan Grant, director of consumer protection and privacy at the Consumer Federation of America.