Organizations are not generally required to offer services to consumers whose information was involved in a breach.¹ Nonetheless, many organizations choose to offer credit reports (i.e., a list of the open credit accounts associated with a consumer), credit monitoring (i.e., notification when new credit accounts are opened), identity restoration services (i.e., helping a consumer restore their credit or close fraudulently opened accounts), and/or identity theft insurance (i.e., defending a consumer if a creditor attempts to collect upon a fraudulently opened account and reimbursing a consumer for any lost funds).  If you do offer one of these services a 2014 California statute and a 2015 Connecticut law prohibit charging consumers for them.

Although many consumers believe that credit-related services should be offered following a breach, many (if not most) data breaches do not involve information that could be used to open a credit account.  As a result, credit-related services often do not protect consumers from any harm that might result from the breach that triggered the offering.  In addition, some courts have viewed offers of credit-related services that an organization makes as a gesture of goodwill as an acknowledgement (at least at the pleading stage in litigation) that consumers’ credit is, in fact, at risk.²  While that fallacy can be ultimately rectified in litigation, it may prevent a company from obtaining early exit through a motion to dismiss and instead force them to develop a record in order to file an early motion for summary judgment.

What to think about when evaluating identity theft related service providers:

1. What specific services will you be offering to consumers?  Do those services “match” the type of data loss that occurred?   If not, might it cause consumer confusion?
2. Will the service provider attempt to charge consumers to upgrade the offering (i.e., upsell)?  If so, will recipients of the free service perceive that it is not, in fact, free?
3. Will the service provider allow other companies to cross-market products to enrollees?  If so, will recipients of the service perceive that their privacy has been violated?
4. Is the service provider permitted to retain information about enrollees after they stop providing service?
5. Has the service provider given adequate assurance (and indemnifications) if the information that you provide to them (e.g., customer lists, lists of impacted consumers, or lists of impacted employees) itself becomes breached?
6. Are you indemnified if the service provider’s products are alleged to be unfair or deceptive?
7. Are you indemnified if the service provider is negligent in providing monitoring services?
8. Have you been given a copy of all materials, including marketing materials, enrollment terms, insurance contracts, etc., that relate to the service being offered so that you know what your customers/employees are being provided?
9. What service level guarantees are provided for how quickly enrollees will be able to reach the credit monitoring company?
10. Has the service provider received any complaints, either from regulators or consumers, about its product offering or service?

1. Connecticut is the first state to require a company to offer an affected individual credit monitoring if the affected individual’s name and Social Security Number are involved in a breach.

2. See, Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. July 20, 2015).

3. Ponemon Institute, The Aftermath of a Mega Data Breach: Consumer Sentiment, (April 2014), http://www.ponemon.org/local/upload/file/Consumer%20Study%20on%20Aftermath%20of%20a%20Breach%20FINAL%202.pdf.

4. Id.

5. Romanosky, et al, Empirical Analysis of Data Breach Litigation, 11(1) Journal of Empirical Legal Studies June 1, 2012), http://www.econinfosec.org/archive/weis2012/papers/Romanosky_WEIS2012.pdf.

[View source.]