After acknowledging a breach that may have exposed the personal and financial data of more than 143 million Americans, credit bureau Equifax began offering potential victims a year of free TrustID credit monitoring.
It’s a familiar breach response, and experts say it’s wholly inadequate.
The TrustID package includes scanning suspicious websites for your Social Security number, preventing third parties from accessing your credit report, and insuring you against identity theft. Equifax competitor Experian is offering similar services for a fee, while competitor TransUnion is offering one for free. The three companies collectively have files on more than 200 million Americans and issue more than 3 billion consumer reports each year, according to the Consumer Financial Protection Bureau.
At first glance, TrustID and similar credit-monitoring services might appear to offer comprehensive protection from identity theft. But experts say consumers affected by breaches of financial data need more than those services provide—and for much longer than a year.
“Credit monitoring does not protect you from identity theft; it only reports if somebody opened credit in your name,” says Stephan Brisard, a marketing director at antivirus software maker ESET.
“It’s great for letting you know when something is off, so that you can take action with the bureaus to contest a line of credit opened,” he says. “But it’s not enough security by itself.”
To ensure optimal protection against identity fraud, experts recommend regularly monitoring financial transactions, beefing up password security, implementing two-factor authentication, and using encrypted communications for exchanges of sensitive data. They also stress being vigilant about how and with whom personal information is shared—and monitoring credit well beyond a year after a breach.
Like people diagnosed with diabetes, who have to continuously monitor their blood sugar levels, breach victims need to “indefinitely” monitor their credit, Brisard says.
“The data that was exposed during the breach will never be safe again,” he says.
“When you add the size and scope of a breach like Equifax, cybercriminals will easily be able to use or sell your information long after the initial year has passed,” says Risa Pecoraro, vice president of product research and development at identity theft solutions company CyberScout.
“As long as we continue to use Social Security numbers for verification, we have a long-term problem that will never go away,” adds Alisa Chestler, head of law firm Baker Donelson’s data protection, privacy, and cybersecurity practice.
Credit-monitoring packages aren’t going to dig you out of an identity theft hole, either, cautions Steven Weisman, a law professor at Bentley University and publisher of scam alert site Scamicide.
“The trumpeted million-dollar policies are never paid to consumers because the policies merely compensate the customer for the cost of contacting creditors and fixing the mistaken information,” he says.
“Most credit-monitoring services don’t provide a complete avenue” to prevent identity theft, Brisard adds. Many victims “still need to freeze their credit.” While a credit freeze makes it impossible to complete big purchases like cars, homes, or even new iPhone contracts, it’s more effective than simple monitoring.
“It’s not foolproof, as hackers could use even a short window of unfreeze time to apply for credit on your behalf fraudulently, but when your credit is frozen, you and nobody else can apply for credit,” he explains. “So any request would simply be denied, as the credit file would not be accessible by any lender.”
That’s not to say consumers shouldn’t take advantage of a free credit-monitoring service.
“The big advantage is that if an account is opened in your name (associated with your credit file), you will receive a notification,” says Clifford Neuman, director of the Center for Computer Systems Security at the University of Southern California. “The service can be extremely beneficial in helping you to detect identity theft in its very beginning stages.”
But closely examine contract details before agreeing to them, Pecoraro advises. “You need to understand what you’re really getting.”
And understand that protecting yourself from identity theft and credit fraud isn’t a passive year-long endeavor.