From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Identity Theft Services  

Description: Audio interview by GAO staff with Lawrance Evans, Director,
Financial Markets and Community Investment 

Related GAO Work: GAO-17-254: Identity Theft Services: Services Offer
Some Benefits but Are Limited in Preventing Fraud

Released: March 2017


[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and
information from the U.S. Government Accountability Office. It's March
2017. Private sector and government entities that experience data
breaches often provide identity theft services to their consumers, to
help lessen the potential damage. For example, the Office of Personnel
Management awarded two contracts, worth about $240 million, for identity
theft services after their data was breached in 2015. A team led by
Lawrance Evans, a director in GAO's Financial Markets and Community
Investment team, recently reviewed the usefulness of identity theft
services. Sarah Kaczmarek sat down with Lawrance to talk about what they
found. 

[ Sarah Kaczmarek: ] So you hear a lot about just different privacy
breaches in the news and things. And, you know, it really has me
wondering what happens when people's data are breached. What are some of
identity theft services that get offered to folks? 

[ Lawrance Evans: ] Right. Good question. You know, we've had the Target
breach. We've had Home Depot. We've had OPM. And what happens is, when
folks lose this personally identifiable information, a number of things
could happen. A person could take that information and secure credit.
They could do other things with it that would complicate your life. And
so, what you see in the marketplace is a basket of goods, usually sold
as a package. And there are four major types of services that fit in
that basket: credit monitoring, you know, which will monitor your
credit, let you know if a new account has been created. There's identity
monitoring because you might find your information on some black
website, and folks will purchase it and do illicit things with it. There
is insurance that covers you for the out-of-pocket expenses you might
incur to restore your identity and other types of identity restoration
type of packages. 

[ Sarah Kaczmarek: ] And with these packages, are they things that
consumers sign up and pay for, or who's covering the cost of this? 

[ Lawrance Evans: ] Good question. And it cuts both ways. Sometimes, in
response to a data breach, a breached individual will be offered the
services for free. Either the government or the private sector entity
will pay for it. But customers also engage the market directly and will
purchase these services. 

[ Sarah Kaczmarek: ] You've mentioned a lot of different kinds of
services. Do they actually protect people's identities? 

[ Lawrance Evans: ] That's the $240 million question. I say $240 million
because that's what OPM paid for these services. They don't actually
protect you from identity theft. Now they offer some benefits. Those
benefits will depend on the service, the individual, and the specifics.
But by and large, they're in the realm of monitoring and restoring, not
prevention. The only way to truly protect yourself in the credit space
is to put a freeze on your account or a fraud alert.

[ Sarah Kaczmarek: ] That's definitely some good advice. So with these
services, are there just some areas that they don't cover at all? 

[ Lawrance Evans: ] That's right. So, and we've see some new emerging
threats that pose real problems. For example, medical identity theft. So
this is when I use your personal information to secure medical services
or to submit claims fraudulently. And you can see how that might be
problematic for you, if you are allergic to a drug that I'm not and you
show up to the hospital unconscious, and you may get that drug. 

[ Sarah Kaczmarek: ] That's a really shocking example. So let me ask
you, how do companies and the government decide what services they're
even going to offer? 

[ Lawrance Evans: ] Yes. Now it gets very complicated here. In the
private sector space, these decisions seem to be made without a
consideration of whether or not they actually mitigate the risks. So
they may want to show concern for the individual. They may want to
minimize litigation risks, or it's become the industry standard, so they
offer it. And sometimes, we often converge on solutions that aren't
optimal. In the government space, sometimes law dictates what a agency
must do. Outside of that, different agencies have different policies and
procedures. It could vary by the type of the breach. There is guidance
that's provided by the Office of Management and Budget, but that
guidance is not specific and it doesn't include a consideration of the
effectiveness of the service. So let me show you how that plays out.
When you look at the OPM data breach that impacted over 22 million
people, two breaches. So OPM didn't have policies and procedures in
place to dictate how to offer the services or to decide whether or not
to offer the services, and there was no assessment of effectiveness when
they did it. And they didn't document how they made a decision. 

[ Sarah Kaczmarek: ] And with that one, did they offer coverage that
seemed like the right size fit for that breach that had happened or was
it too much coverage? 

[ Lawrance Evans: ] Well, you know, it's difficult, to Monday morning
quarterback. I know it was an unprecedented situation for OPM. They had
to make the decision fast. But one could go back and start to ask about
why other alternatives weren't offered, and that's where it gets pretty
tricky. And because there was no documentation on the decision-making,
it's left to speculation. 

[ Sarah Kaczmarek: ] Now we covered a lot of different issues and
possible concerns so far, and I know your report did make some
recommendations. So what did you have to say there? 

[ Lawrance Evans: ] Right. So the recommendations were all in the realm
of let's make sure that we're spending tax dollars efficiently. 

[ Sarah Kaczmarek: ] So this is such an important issue, an area for
consumers. What do you see as the bottom line here for folks? 

[ Lawrance Evans: ] The bottom line, I would say, is caveat emptor, let
the buyer beware. When you're thinking about these services, you should
think about whether they actually mitigate the issues that you want to
resolve. You should ensure that you've looked at all the alternatives,
especially the low-cost and free alternatives, some of which can
actually prevent certain types of identity theft. And the government
ought to be doing considerable due diligence before it nudges people
toward products and services.

[ Background Music ]

[ Narrator: ] To learn more, visit GAO.gov and be sure to tune in to the
next episode of GAO's Watchdog Report for more from the congressional
watchdog, the U.S. Government Accountability Office.