Jul 22, 2019

What can you or your business do to mitigate risk once personal data has been stolen?

Personal data is one of the most powerful things a bad actor can steal and one of the most devastating things for an individual to lose. Fraudsters with access to someone’s personally identifying information (PII), such as financial accounts and Social Security numbers, can open lines of credit and claim tax refunds in that person’s name. Meanwhile, state actors can take advantage of stolen personal data to support espionage efforts.

The Department of Justice's Bureau of Justice Statistics estimates that about 26 million people (10% of the population age 16+) experienced some form of identity theft in 2016. Of those victims, 17.7 million people experienced losses totaling $17.6 billion. Since then, hundreds of millions were exposed in two major data breaches: one at consumer reporting agency Equifax and one at Marriott International's Starwood guest registration database. With so much personal data entrusted to third-party entities, there is no guarantee that personally following data security best practices will secure PII from identity thieves.

In 2015, the Office of Personnel Management (OPM) suffered two separate data breaches that exposed the personal information of more than 22 million people. A March 2019 Government Accountability Office (GAO) study analyzed the agency’s response to this data breach and further looked at the effectiveness of options available to consumers to reduce the risks of harm from identity theft.

As of November 30, 2018, OPM had allocated $421 million to offer the following identity theft services for the potential victims of these data breaches:

  • Credit monitoring, which tracks credit reports and alerts individuals to potentially fraudulent activity
  • Identity monitoring, which tracks public records and the “dark web” for an individual’s PII
  • Identity restoration services, which provide a range of services to recover from identity theft
  • Identity theft insurance, which reimburses identity theft victims for certain costs associated with identity restoration

Of these options, experts interviewed during the production of the March 2019 GAO report highlighted the limitations of credit and identity monitoring, especially if not offered for free or at low cost. These experts considered identity restoration services much more valuable, especially if offered as hands-on, one-on-one assistance, while identity restoration services that mainly direct victims to self-help information are much less useful. In the context of the OPM breach, 3 million of the 22 million affected by the breach (13%) have taken advantage of these services. Additionally, 27,000 identity restoration cases have been resolved and only 81 identity theft insurance claims have been submitted. Despite these limitations, private firms offering these services represented a $2 billion industry in 2018.

Ultimately, the GAO report recommends various forms of self-monitoring to mitigate harm from identity theft, such as checking credit reports annually, monitoring financial statements, and reviewing explanation-of-benefits statements from health insurers to detect instances of identity theft. Credit freezes and fraud alerts are also recommended for victims of identity theft as tools to prevent new account fraud.

Some state agencies are working on the other end of identity theft, by employing analytic solutions that help identify cases of ID theft. ASR’s RevHub Fraud Firewall helps state and local tax agencies stop tax refund identity theft once someone’s personal data has already been stolen, and ASR has developed advanced analytic models to combat medical identity theft. These innovative, analytics-based solutions limit potential damage to the victim and soften the blow of a data breach.

To learn more about how ASR can help your organization put a stop to ID theft and fraud, contact us here.