The Importance of Identity Protection Beyond Credit Monitoring
Before the Aftermath:
The Importance of
Identity Protection in the
Age of the Data Breach
Brought to you by Generali Global Assistance
The majority of consumers have personally
been victims of a data breach or know
someone who has been affected - with most on
the receiving end of a letter containing similar
language as in the above. Data breaches
are rampant throughout every conceivable
industry – retail, financial, education,
healthcare and government – touching nearly
all aspects of everyday life. After all, everyday
life for many people includes shopping for
groceries, paying bills, going to school, or
visiting a doctor. This means that the odds are
not exactly in our favor for avoiding a data
breach on any given day. This white paper from
Generali Global Assistance (GGA) explores the
chronology of a data breach, focusing on its
impact to consumers, what (if any) restitution
they can expect, and how credit monitoring
alone fails to effectively secure personally
identifiable information (PII) in the aftermath.
Consumers recall all too well when retail giant
Target reported a massive breach that occurred
at their stores between November 27 and
December 15, 2013. With the frenzy of holiday
shopping in full swing, this couldn’t have come at a
worse time for Target or its customers. Nearly
40 million customer records were stolen that
included credit and debit card data, and 70
million shoppers had personal information
compromised that included their names,
addresses and phone numbers [i].
Unfortunately, data breaches are the “new
normal” and likely will be for the foreseeable
future. The Identity Theft Resource Center
(ITRC) reports that in 2015, there were 781
tracked data breaches in the U.S. [ii] - the second
highest year on record since 2005, when the
ITRC began tracking breaches. This number
could even be understated as it doesn’t
include other data breaches that may have
gone undetected or unreported. GGA’s internal
data shows that the number of customers
affected by data breaches has increased over
40% every year since 2011. Figure 1 illustrates
a sampling of the wide range of industries
impacted by data breaches, which have
compromised millions of data records.
The Limits of Legislation
Given the frequency, severity and magnitude
of data breaches, one would assume that
there is a uniform federal standard to which
businesses must adhere. Quite the contrary:
there is no federal legislation in place that
comprehensively addresses data breaches
– leaving many questions as to the laws that
govern them (or lack thereof). Current laws
are in place in 47 states as well as in the
District of Columbia, Guam, Puerto Rico, and
the Virgin Islands that require businesses
who experience a security breach to notify
affected consumers [iii]. The details of these laws,
however, vary widely by state – including
what is considered an appropriate method of
notification (e.g. first-class mail or telephone)
or what the time period should be for issuing a
notification. Progress notwithstanding, there is
much left to debate as to the level and amount
of credit monitoring that businesses should
legally have to provide their customers.
“Dear valued customer, we regret to inform you that your personal
information may have been compromised. We are providing this
notice and outlining some steps you may take to protect yourself and
sincerely apologize for any inconvenience or concern this may cause.”
Data Breach
An incident or violation in which sensitive,
protected or confidential data is copied,
transmitted, viewed, stolen or used by
an individual unauthorized to do so. This
data can include personally identifiable
information (PII) like names, addresses, or
Social Security numbers; hospital or physician
records; school/university records; payment
card data; log-in credentials and much more.
As it stands today, businesses who experience
data breaches must rely on their individual
state’s laws to determine what type of
information triggers a consumer notice as well
as the content and timing and any restitution
measures. Companies with customers in
multiple jurisdictions [iv] are left with the
difficult task of interpreting the multitude of
inconsistencies between state laws. Should
a company with nationwide operations
experience a breach, this means that nearly
50 laws – all different – may apply to the same
breach. This creates confusion and frustration
for both businesses and consumers alike,
with each side seeking to define and interpret
requirements and expectations.
For years, advocates have attempted to pass
bills to form a national standard but none have
been signed into law. One such example is The
Data Security and Breach Notification Act of
2015 [v], a bipartisan effort intended to address
the nation’s growing data security threats
and challenges. However, sentiment is mixed
regarding the benefits of having federal laws
and regulations around security breaches.
Despite the benefits of having one federal law,
there are state laws already in existence [vi];
California, for example, offers far better
protection. Should the proposed 2015 bill pass,
these state laws could be undermined. The
Federal Communications Commission (FCC)
has recently instituted new privacy policies [vii]
relating to telephone, broadband Internet,
cable and satellite user information which
could likewise be superseded.
A recent survey conducted by the Pew Research
Center [viii] reports that “91% of adults agree or
strongly agree that consumers have lost control
over how personal information is collected
and used by companies.” The million dollar
question is how to help empower consumers
amidst the great absence of federal legislation.
Since no two data breaches are exactly alike,
they cannot be mitigated by the same types
of protection. This makes it complicated to
create a federal regulatory standard that
best protects consumers. Without guidelines
to follow in the wake of a data breach, in
somewhat of an obligatory gesture, many
businesses find themselves extending offers of
free credit monitoring to their customers. But
what exactly does this free credit monitoring
really provide?
Free Credit Monitoring: Check
the Fine Print
Along with their customers, the companies
affected by breaches also suffer devastating
consequences. While the biggest impact to
a business is largely financial, regaining and
rebuilding customer trust over the long-term
can be a challenge. At first glance, offering
free credit monitoring services seems to
demonstrate a company’s care and concern
– a noble first step and token of goodwill.
Figure 1: Industries affected by data breaches [ix]
(chart legend: Healthcare, Education, Retail, Financial, Government, Service, Banking, Insurance, Technology, Media, Others; values shown: 26.9%, 16.8%, 15.9%, 12.5%, 9.2%, 3.5%, 2.8%, 2.6%, 1.6%, 1.4%, 6.8%)
However, upon closer inspection, these appear
to be more of a regulatory ‘check box’ for
businesses conducting damage control instead
of providing true protection for the consumer.
Paige Schaffer, President and COO of Identity
and Digital Protection Services at GGA, agrees:
“Proactive and robust risk mitigation goes
far beyond just credit monitoring. What
really offers the most value to customers is
comprehensive identity theft protection that
includes education, protection, detection,
monitoring, alerts and full-scale resolution.”
While free credit monitoring may provide
a “feel-good” measure to help consumers
through their initial distress, it’s far from
a complete solution. In reality, standalone
credit monitoring does little more than alert
consumers of suspicious activity involving
their credit files; it does not track fraudulent
credit or debit card charges or help prevent
other identity theft-related activity. Moreover,
these credit monitoring services typically
include monitoring from just one of the three
major credit bureaus (Experian, TransUnion
and Equifax). This means that potential
identity fraud can get missed.
To illustrate, when a fraudulent new credit
account is opened, it may only show up on
one report. Once spending activity begins, the
account will eventually be captured on the
other two reports if the company reports to all
three credit bureaus – not all do. The problem
is the lapse in time from when an identity
thief initially opens a fraudulent account and
the subsequent activity that’s reflected later
on, if at all. A fraudster could easily apply for
multiple accounts prior to them being reported
across all three bureaus. Consumers who only
receive monitoring from one bureau could be
exposed to several months’ worth of damage
to their credit before they’re even aware of it.
Perhaps most concerning is the fact that many
free credit monitoring services are only offered
for six months to a year – some for just three
months. To many unsuspecting consumers, one
year can seem like a long time. In the context
of identity theft, however, one year is woefully
insufficient. A consumer’s compromised Social
Security number, for example, can be used in
many ways and cannot be changed as easily
as a credit card number. Data breaches can
leave behind a path of destruction that lasts
for years, sometimes forever.
In response to a cyberattack that involved the
hacking of sensitive PII that included Social
Security numbers, a major health insurer
provided not one but two years of credit
monitoring for its policyholders.
Figure 2: Breach methods observed from 2005 to April 2015 [ix]
(chart: yearly counts, 2005 to 2015, by breach method: hacking or malware, insider leak, payment card fraud, physical device loss, portable device, stationary device, unintended disclosure, unknown)
Two years
may appear generous but isn’t nearly long
enough, as savvy criminals will hold on to
information for years and wait until people
become less vigilant. Some organizations
provide the additional option to maintain
credit monitoring after the free period is over,
but often with strings attached. In the above
case, policyholders were given the option to
keep their credit monitoring but only as long as
they remained members. Buried further within
the fine print of the terms and conditions was
language requiring those members who chose
extended monitoring to: 1) accept arbitration
to settle any disputes (which had to take place
in a specific city and state) and 2) agree to give
up their right to sue the company.
A Better Way to Ensure Identity
Protection
Personally identifiable information (PII) can
be likened to the pieces of a jigsaw puzzle,
with fraudsters attempting to fill in the missing
pieces. As identity thieves become savvier,
it’s more critical than ever to stop them from
completing the whole ‘picture’. While nothing
and no one can totally prevent identity theft
from occurring, a comprehensive identity
protection solution most effectively mitigates
its risks. Indeed, even the most conscientious
consumers can overlook suspicious activity;
many simply do not have the time or expertise
to devote to fully safeguarding their identities
on a regular basis. Just as automobile and
medical insurance offer security in the event
of an unforeseen accident, identity protection
provides consumers with protection before,
during and after a breach.
Prevention is the important foundation to full-
scale identity protection. When evaluating
identity protection providers, consumers
should seek out those that offer educational
resources and best practices. Digital privacy
protection software that includes anti-phishing
and password protector tools is also helpful in
protecting against hackers and blocking threats
from malicious websites - allowing consumers
to use the internet without worry. Other
preventive measures like opt-out services help
to reduce pre-approved credit card offers and
other methods that thieves employ to steal PII.
While credit monitoring is important, it is
just one component of identity protection.
Credit monitoring only flags activity on credit
reports, meaning other types of identity theft
will go undetected (e.g. when bank account
information or a Social Security number is
exposed). Identity monitoring, on the other
hand, focuses on identity – alerting consumers
when their PII is being used in ways that
typically don’t appear on credit reports, such
as when new utility accounts or payday loans
have been opened.
Figure 3: Record-type combinations compromised [ix] (chart not recoverable)
Consumers who receive
standalone free credit monitoring as a result
of a data breach should be aware of the limited
protection they are likely receiving. Only a
full identity protection solution provides both
identity and credit monitoring and will include
the option for credit tracking across all three
credit bureaus - ensuring quick and seamless
notification of fraudulent activity and the
prevention of potentially spiraling damage.
Most consumer activity takes place on the
mainstream World Wide Web (also known
as the Surface Web) which is comprised of
traditional websites and social networks and
indexed by popular search engines like Google.
Advanced identity monitoring services will
also scour the farthest regions of the Internet,
which includes the deep and dark web, for
suspicious activity. The deep web is said to
comprise about 90% of the internet and can
only be accessed by conducting a search that is
within a specific website. The dark web is not
indexed by search engines and is accessible
only with the help of anonymizing software.
In particular, the dark web is where cyber
criminals conduct illegal activity such as the
buying or selling of personal information and
credit cards.
Identity protection companies who have the
experience and capability in monitoring the
deep and dark web may offer this higher
level of identity monitoring, including the
technology that continuously scans for current
and potential threats before they surface. These
services could include internet surveillance to
proactively compare a consumer’s PII and the
data they enter into a monitoring dashboard
against data that has been compromised.
Advanced identity monitoring will also detect
any compromised credentials that may be
linked to malicious breaches and underground
infiltration. Consumers can receive alerts along
with next steps for them to take, including the
option to speak 24/7 with a live resolution
specialist, to help ensure that their personal
information stays personal.
The last key part of an identity protection
program is resolution, which many companies
do not provide for their customers who are
affected by a data breach. In the event that
identity theft occurs, the benefits of having full-
scale identity resolution are many. Certified
resolution specialists will work 24/7 to help
victims restore their identities, providing
assistance with affidavit submission, creditor
notification/follow-up, credit freezes, fraud
alert placement and other services. Some
will act on behalf of the victim, if authorized,
to deal with creditors and can help navigate
the intricacies of identity theft involving legal
matters or the Internal Revenue Service. These
services not only provide personal and expert
assistance to victims during their critical time
of need but also save them valuable time and
resources. Most major identity protection
providers will offer identity theft insurance,
which covers the reimbursement of expenses
related to the recovery process like lost wages
and legal fees.
Figure 4: Top 10 record-type combinations compromised versus breach methods used [ix]
(chart: counts from 0 to 2K per record-type combination, by breach method: hacking or malware, insider leak, payment card fraud, physical loss, portable device loss, stationary device loss, unintended disclosure, unknown)
As long as there is identity theft and the world
continues to become increasingly connected,
consumers must be their own best advocate.
Keeping up with the latest string of data
breaches is dizzying. Having a proactive and
on-going identity protection solution already
in place alleviates the need for consumers to
continually brace themselves for yet another
incident, allowing them to go about their daily
lives as normally as possible. GGA’s Schaffer
stresses the importance of having a proactive
identity protection plan to businesses who are
equally concerned about the threat of data
breaches: “Implementing a comprehensive
program for employees and/or customers goes
a long way to help a company mitigate their
financial and reputational risks.” A trusted
identity protection provider who can address
the “full circle of identity theft” will give
consumers – and businesses – the valuable
peace of mind they need to stay ahead of the
aftermath in today’s age of the data breach.
A People-First Partner in Protection
In 2003, Generali Global Assistance (GGA) was one of the first companies to provide identity theft resolution
services in the U.S. and today is a leading provider of identity protection services, proudly protecting millions
of identities from the growing threat of identity theft. GGA has protected our clients and their customers
for over 50 years. As the pioneer of the assistance concept, it is our core DNA to assist customers in the
most dire and difficult of circumstances. Customer service is not just a philosophy – it’s our culture.
Our Identity and Digital Protection Services business unit was named the 2016 Gold winner in the Stevie
International Business Awards - Customer Service Department of the Year. This is the fourth consecutive
year that GGA has been the recipient of a Stevie Award, with four awards for excellence in the Customer
Service category and one for innovation in customer service technology. We go the distance to ensure
customer care, including several “do it for you” resolution services not offered by other identity protection
companies.
We stand ready to provide hands-on assistance to minimize the distress consumers face when confronted
with identity fraud, wherever life takes them. Our comprehensive 360° approach mitigates the risks of
identity fraud and provides the true value of protection, resolution and peace of mind.
GGA, formerly Europ Assistance in the U.S., is based in Bethesda, MD, and has
been a leader in the assistance industry since its founding in 1963. GGA is a
division of the multinational Generali Group which, over 185 years, has created
a presence in more than 60 countries with over 76,000 employees.
Sources
[i] https://corporate.target.com/article/2013/12/important-notice-unauthorized-access-to-payment-ca
[ii] Identity Theft Resource Center (ITRC), http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
[iii] National Conference of State Legislatures (NCSL), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
[iv] http://thehill.com/blogs/congress-blog/judicial/248978-businesses-need-a-preemptive-federal-law-on-data-breach
[v] https://www.congress.gov/114/bills/hr1770/BILLS-114hr1770ih.pdf
[vi] California Data Breach Report, https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf
[vii] Federal Communications Commission (FCC), http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0401/FCC-16-39A1.pdf
[viii] Pew Research Center, http://www.pewresearch.org/fact-tank/2016/01/20/the-state-of-privacy-in-america/
[ix] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-analyzing-breaches-by-industry.pdf