Organizations are generally not required to offer services to consumers whose information was involved in a breach.1 Nonetheless, many organizations choose to offer credit reports (i.e., a list of the open credit accounts associated with a consumer), credit monitoring (i.e., monitoring a consumer's credit report for suspicious activity), identity restoration services (i.e., helping a consumer restore their credit or close fraudulently opened accounts), and/or identity theft insurance (i.e., defending a consumer if a creditor attempts to collect upon a fraudulently opened account and reimbursing the consumer for any lost funds). In addition, if you do offer one of these services, a 2014 California statute and a 2015 Connecticut law prohibit you from charging the consumer for it.

Although many consumers believe that credit-related services should be offered following a breach, many (if not most) data breaches do not involve information that could be used to open a credit account. As a result, credit-related services often do not protect consumers from any harm that might result from the breach that triggered the offering. In addition, some courts have viewed an offer of credit-related services that an organization makes as a gesture of goodwill as an admission by the organization that consumers' credit is, in fact, at risk.2

58%

Percentage of consumers that believe an organization should provide credit monitoring following a breach.3

25%

Percentage of companies that offer some form of credit-related service in their breach notification letters.4

6x

The odds of being sued are 6 times lower when an organization offers free credit monitoring.5

4

The number of credit monitoring services that have been investigated by the FTC for unfair or deceptive practices.

$0.25 - $2.00

Approximate cost of one year of credit-related services per consumer depending upon the number of impacted individuals, the type of information breached, and the services offered.


What to think about when evaluating a credit-related service:

  1. Will the credit monitoring company attempt to upsell enrollees? If so, will recipients of the free service perceive that it is not, in fact, free?
  2. Will the credit monitoring company market additional products or services to enrollees? If so, will recipients of the service perceive that their privacy has been violated?
  3. Will the credit monitoring company allow other companies to cross-market products to enrollees?
  4. Is the credit monitoring company permitted to retain information about enrollees after it stops providing the service?
  5. Has the credit monitoring company provided you with adequate assurances (and indemnification) in case the information that you provide to it (e.g., customer lists, lists of impacted consumers, or lists of impacted employees) is itself breached?
  6. Are you indemnified if the credit monitoring company's products are alleged to be unfair or deceptive?
  7. Are you indemnified if the credit monitoring company is negligent in providing monitoring services?
  8. Have you been given a copy of all materials, including marketing materials, enrollment terms, insurance contracts, etc., that relate to the service being offered so that you know what your customers/employees are being provided?
  9. What service level guarantees are provided for how quickly enrollees will be able to reach the credit monitoring company?
  10. Has the credit monitoring company received any complaints, either from regulators or consumers, about its product offering or service?

Footnotes

1. Connecticut is the first state to require a company to offer an affected individual credit monitoring if the affected individual's name and Social Security Number are involved in a breach.

2. See Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. July 20, 2015).

3. Ponemon Institute, The Aftermath of a Mega Data Breach: Consumer Sentiment, (April 2014), http://www.ponemon.org/local/upload/file/Consumer%20Study%20on%20Aftermath%20of%20a%20Breach%20FINAL%202.pdf.

4. Id.

5. Romanosky et al., Empirical Analysis of Data Breach Litigation, 11(1) Journal of Empirical Legal Studies (June 1, 2012), http://www.econinfosec.org/archive/weis2012/papers/Romanosky_WEIS2012.pdf.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.