To read the full 70-page report, click HERE
Why GAO Did This Study
Private-sector and government entities that experience data breaches often provide affected consumers with identity theft services, which typically include credit monitoring, identity monitoring, identity restoration, and identity theft insurance. In response to data breaches in 2015, OPM awarded two contracts obligating about $240 million for identity theft services.
GAO was asked to examine issues related to identity theft services and their usefulness. This report examines, among other objectives, (1) the potential benefits and limitations of identity theft services, and (2) factors that affect government and private-sector decision-making about them. GAO reviewed products, studies, laws, regulations, and federal guidance and contracts, and interviewed federal agencies, consumer groups, industry stakeholders, and eight providers selected because they were large market participants.
What GAO Found
Identity theft services offer some benefits but have limitations.
• Credit monitoring helps detect new-account fraud (that is, the opening of new unauthorized accounts) by alerting users, but it does not prevent such fraud or address existing-account fraud, such as misuse of a stolen credit card number. Consumers have alternatives to credit monitoring, including requesting a low-cost credit freeze, which can prevent new-account fraud by restricting access to the consumers’ credit report.
• Identity monitoring can alert consumers to misuse of certain personal information by monitoring sources such as public records or illicit websites, but its effectiveness in mitigating identity theft is unclear.
• Identity restoration seeks to remediate the effects of identity theft, but the level of service varies: some providers offer hands-on assistance, such as interacting with creditors on the consumer’s behalf, while others largely provide self-help information, which is of more limited benefit.
• Identity theft insurance covers certain expenses related to the process of remediating identity theft but generally excludes direct financial losses, and the number and dollar amount of claims have been low.
These services also typically do not address some types of threats, such as medical identity or tax refund fraud.