Identity Theft Services: Services Offer Some Benefits but Are Limited in Preventing Fraud
Highlights
What GAO Found
Identity theft services offer some benefits but have limitations.
- Credit monitoring helps detect new-account fraud (that is, the opening of new unauthorized accounts) by alerting users, but it does not prevent such fraud or address existing-account fraud, such as misuse of a stolen credit card number. Consumers have alternatives to credit monitoring, including requesting a low-cost credit freeze, which can prevent new-account fraud by restricting access to the consumers' credit report.
- Identity monitoring can alert consumers to misuse of certain personal information by monitoring sources such as public records or illicit websites, but its effectiveness in mitigating identity theft is unclear.
- Identity restoration seeks to remediate the effects of identity theft, but the level of service varies: some providers offer hands-on assistance, such as interacting with creditors on the consumer's behalf, while others largely provide self-help information, which is of more limited benefit.
- Identity theft insurance covers certain expenses related to the process of remediating identity theft but generally excludes direct financial losses, and the number and dollar amount of claims have been low.
These services also typically do not address some types of threats, such as medical identity or tax refund fraud.
Various factors affect government and private-sector decision making about offering identity theft services, and federal guidance related to these services could be improved. In the federal sector, legislation requires certain agencies to provide identity theft services. For example, legislation requires the Office of Personnel Management (OPM) to provide these services to individuals affected by its 2015 data breaches for 10 years, as well as provide $5 million in identity theft insurance. However, this level of insurance coverage is likely unnecessary because claims paid rarely exceed a few thousand dollars. Requirements such as this could serve to increase federal costs unnecessarily, mislead consumers about the benefit of such insurance coverage, and create unwarranted escalation of coverage amounts in the marketplace. The Office of Management and Budget (OMB) has guidance on agencies' response to data breaches, but this guidance does not address the effectiveness of these services relative to lower-cost alternatives, in keeping with OMB's risk management and internal control guidance. Further, OPM provided duplicative identity theft services for about 3.6 million people affected by both of its 2015 breaches, and OMB has not explored options to help federal agencies avoid potentially wasteful duplication. In addition, contrary to key operational practices previously identified by GAO, OPM's data-breach-response policy does not include criteria or procedures for determining when to offer identity theft services, and OPM has not always documented how it chose to offer them in response to past breaches, which could hinder informed decision making in the future. In the private sector, companies often offer consumers affected by a data breach complimentary identity theft services for reasons other than mitigating the risk of identity theft, such as avoiding liability or complying with state law.
Why GAO Did This Study
Private-sector and government entities that experience data breaches often provide affected consumers with identity theft services, which typically include credit monitoring, identity monitoring, identity restoration, and identity theft insurance. In response to data breaches in 2015, OPM awarded two contracts obligating about $240 million for identity theft services.
GAO was asked to examine issues related to identity theft services and their usefulness. This report examines, among other objectives, (1) the potential benefits and limitations of identity theft services, and (2) factors that affect government and private-sector decision-making about them. GAO reviewed products, studies, laws, regulations, and federal guidance and contracts, and interviewed federal agencies, consumer groups, industry stakeholders, and eight providers selected because they were large market participants.
Recommendations
Congress should consider permitting agencies to determine the appropriate coverage level for identity theft insurance they offer after data breaches. OMB should analyze the effectiveness of identity theft services relative to alternatives, and should explore options to address duplication in federal agencies' provision of these services. OPM should address in its breach-response policy when to offer these services and should document its decision-making process. OPM agreed with GAO's recommendations to the agency.
Matter for Congressional Consideration
Matter | Status | Comments |
---|---|---|
In the event that Congress again requires an agency to provide affected individuals with identity theft insurance in response to a breach of sensitive personal data, Congress should consider permitting the agency to determine the appropriate level of that insurance. | As of March 2024, Congress had not enacted legislation for which our Matter for Congressional Consideration would be applicable. |
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Management and Budget | The Director of the Office of Management and Budget should, to the extent feasible, conduct an analysis of the effectiveness of the various identity theft services relative to alternatives, and revise OMB's guidance to federal agencies in light of this analysis. | OMB did not agree or disagree with this recommendation, but it has taken some steps to implement it. In June 2021, OMB noted that, according to the President's May 17, 2021, statement on American Rescue Plan Oversight, stolen identities of citizens are a concern, and in December 2021 OMB said it was working to provide guidance to agencies as they consider providing identity theft services to citizens. This action is a positive step, and according to the President's statement, OMB will work with a new Initiative on Identity Theft Prevention and Public Benefits to bring a whole-of-government approach to address the issue of stolen identities used to steal government benefits. However, it is not yet clear to what extent these actions will include an analysis of the effectiveness of the various identity theft services relative to alternatives. As of March 2024, OMB said it had no further update. |
Office of Management and Budget | The Director of the Office of Management and Budget should explore options to address the risk of duplication in federal agencies' provision of identity theft services in response to data breaches, and take action if viable options are identified. | OMB did not agree or disagree with this recommendation, but it has taken some steps to implement it. In June 2021, OMB noted that, according to the President's May 17, 2021, statement on American Rescue Plan Oversight, stolen identities of citizens are a concern, and in December 2021 OMB said it was working to identify improvements in federal agencies' provision of identity theft services. This action is a positive step, and according to the President's statement, OMB will work with a new Initiative on Identity Theft Prevention and Public Benefits to bring a whole-of-government approach to address the issue of stolen identities used to steal government benefits. However, it is not yet clear whether OMB will explore viable options to mitigate the risk of duplicative coverage of identity theft services as part of this effort, which would help OMB achieve its stated goal of reducing duplication across the federal government to improve efficiency and save taxpayer dollars. As of March 2024, OMB said it had no further update. |
Office of Personnel Management | The Director of the Office of Personnel Management should incorporate criteria and procedures for determining whether to offer identity theft services into the agency's data-breach-response policy. | In September 2017, OPM issued a "Breach Response Plan," which includes basic considerations and processes to be used when determining whether OPM should offer identity theft services in response to a data breach. |
Office of Personnel Management | The Director of the Office of Personnel Management should implement procedures that provide reasonable assurance that significant decisions on the use of identity theft services are appropriately documented. | In September 2017, OPM issued a "Breach Response Plan," which includes instructions for documenting key agency decisions made in response to a breach, including decisions related to providing identity theft services. |