Identity theft is a terrible crime. Criminals use victims’ most sensitive information to perpetrate all manner of fraud, risking their financial, reputational, and even physical health. “When a criminal organization steals a million records, that makes the news, but when they steal an individual’s identity, it becomes personal,” Arlette Hart, FBI’s chief information security officer, said. “It affects lives. People feel violated in a way that you would never expect.”

A 2016 Javelin study found that identity fraudsters have stolen $112 billion in the last six years. And identity theft was the number-one consumer complaint to the Federal Trade Commission for 15 consecutive years through 2014 and remains a top concern, the agency reported. The high rate of complaints is no surprise, given that 41 million adults in the United States have had their identities stolen, according to a Bankrate survey.

Customers Come First: Tools of the Data Breach Trade

Privacy and security experts grasp the severity of identity theft; nearly 90 percent of respondents in ID Experts’ Customers Come First: Data Breach Response Survey agreed on the importance of providing free identity protection services to breach victims. For those who viewed identity protection services as important, more than half said it should be offered for two to more than 10 years. That’s because stolen data—depending on what it is—retains its value over time.

How Do I Protect Thee? Let Me Count the Ways

Identity theft is more than a stolen credit card. There are as many ways to commit fraud as there are types of identity. Stolen identities can be used to create new financial accounts, generate false identities, obtain medical care, and much more. In fact, there are at least nine forms of credit and identity theft, whose victims range from minors to employees to the deceased.

To protect breach victims against this complex crime, survey respondents rated different components of identity protection services:

  • Triple-bureau credit monitoring (75 percent) far outranked single-bureau credit monitoring (10 percent), suggesting that respondents understand the value of more complete identity protection.
  • Nearly 74 percent valued identity recovery services, a critical component for repairing the damage from identity theft.
  • Medical identity monitoring (41 percent) and dark Web monitoring (37 percent) were valued higher than reimbursement insurance (31 percent).
  • Credit scores (7 percent) and FICO scores (1 percent) ranked the lowest. A change in these scores alerts customers that a change has occurred, but they don’t say what that change was.
  • For healthcare breaches, twice as many respondents valued medical identity monitoring (90 percent) as did those who named triple-bureau credit monitoring (47 percent).

What You Can Do

With the inevitability of data breaches, businesses must build incident response into their cybersecurity strategy. Part of that response should include identity protection for breach victims—protection that addresses the risk associated with the data loss (i.e. financial, personal, medical data), rather than just offering credit monitoring, leaving victims to fend for themselves. Organizations should also ensure that customers have ongoing support, if needed, in the form of identity restoration services and consistently communicate the availability of those services to customers.

“It’s never pleasant for affected individuals who have reason to worry about, or actually experience, identity theft,” says Ted Augustinos, a partner at the international law firm Locke Lord. “An organization that provides timely and precise information about the compromise, and offers services to assist affected individuals in resolving their personal issues, usually finds that the organization’s reputation, enforcement profile, and litigation exposure are affected less severely by breaches than organizations that respond in ways that are inadequate or late, or both.”

Customers Come First: Tools of the Data Breach Trade