I believe some major revisions are needed for post breach etiquette (if you do too, please sign this whitehouse.gov petition). While there have been some recent bills put forth, they have stalled in Congress before an upcoming election year and none of them promote the more effective approaches described in this blog post. The bills get bogged down by focusing on data privacy and data exchange, which complicates the state vs federal law debate. Instead, the president needs to lead the discussion with an executive order, as he did last year when he forced government agencies to better protect consumers with 'CHIP and PIN' credit cards. Like last year's executive order, it should focus on common sense services offered for breach victims:
- Within the first week after a notification of a data breach, a fraud alert should automatically be enabled on behalf of all affected customers. If the breach involves credit or core personal information (SSN, drivers license, financial, or health information), the option to enable an indefinite fraud alert should be offered for free without the requirement of waiting for an identity theft event.
- Any breach that involves core personal information entitles victims to complimentary credit freezes and thaws from all vendors indefinitely, without the requirement of waiting for an identity theft event. If there are processing costs associated with enabling these features at other companies, the company responsible for the breach shall be held liable.
- Any data breach involving core personal information requires a minimum of 5 years of free ID and credit monitoring service chosen by the consumer from a marketplace. If the consumer was previously the victim of a data breach, an additional 2 years of complimentary monitoring services will be added to their existing service.
- Build upon the Fair and Accurate Credit Transactions Act and redesign annualcreditreport.com to handle adding, removing, and thawing credit freezes and fraud alerts across all credit bureaus (Experian, Equifax, TransUnion, ChexSystems, Innovis, etc.).
Companies should default to protecting consumers immediately after a breach and make it easy for them to extend these protections going forward. The current requirement for a data breach victim to wait until they are also a victim of identity theft before offering these basic protections for free is archaic. It results in lost US worker productivity (time and billions of dollars) cleaning up the mess left after an identity theft event. The unregulated and costly fee schedules across states for enabling long term fraud alerts and credit freezes discourages victims from proactively protecting themselves. Due to the distributed nature of credit verification, centralizing fraud alerts and credit freezes in a government approved portal similar to annualcreditreport.com will remove another logistical obstacle for victims. Finally, offering ID and credit monitoring services are not the most effective methods to prevent identity theft and companies offering their own in-house or partnered services often have a conflict of interest. Instead, consumers should be able to choose their ID and credit monitoring service in an open marketplace, funded by the company at fault for the data breach.