One year ago, information giant LexisNexis revealed that hackers stole data on about 310,000 of its customers. As compensation, the company offered all those victims a year's worth of a free credit- monitoring service.
But only 18,000 consumers -- just shy of 6 percent of those affected -- took the company up on the offer, a surprisingly low acceptance rate for a pretty valuable gift.
Credit monitoring, which lets consumers look up their credit report any time they want and provides e-mail alerts any time a new account is being opened, can cost $200 a year. While it's not a service I would pay for, I would jump at it if offered to me for free -- particularly if I knew my personal information had just been stolen.
LexisNexis' experience is not unique. Last year some 60 million people had their identities exposed because of some kind of data leak, and almost all of them were offered free credit monitoring. But in case after case, a tiny percentage of consumers signed up.
While the notice letters informing them that their data has been compromised are compelled by law, the offer of free credit monitoring is not. It is the de facto penance companies perform after a data leak, a gift from companies meant to alleviate the wrong that had been done.
ChoicePoint, which last year revealed it had accidentally sold 145,000 dossiers on U.S. consumers to criminals, says only 10-15 percent of victims called in response to a warning letter. About half of those who called signed up for free monitoring.
Citibank send nearly 4 million letters to consumers last year after a data backup tape was lost in transit to a credit bureau. Only about 135,000 consumers -- or less than 4 percent -- signed up for free credit monitoring, the company says. Wells Fargo, which experienced several data losses, said it had a "relatively low" response to its offer.
Why the reluctance?
The critical question is: Why? After all, free monitoring is the only tangible compensation consumers receive after becoming data loss victims. Why would they consistently thumb their nose at such a perk?
At a recent conference I attended, consumer advocates from major financial and Internet companies lamented that sometimes it's impossible to get consumers to do anything to protect themselves. They can't get be bothered to read brochures, to take a few minutes to educate themselves about fraud or even to sign up for free products.
I think it's a fair point. Ultimately, consumers need to take responsibility for their own protection. But there are plenty of potential explanations outside sheer laziness or disinterest.
Beth Givens, executive director of the Privacy Rights Clearinghouse, says that many consumers whose data was leaked probably didn't read the disclosure notice because they thought it was junk mail. (In fairness to LexisNexis, the firm went to the extraordinary and expensive step of manually pasting real stamps on its letters - rather than run them through a postal meter -- to get the attention of recipients.)
Others may not have read all the way through the notice to get to the point where the free monitoring was offered, Givens said.
"People are accustomed to ignoring pieces of paper with a lot of dense print on them," she said. "My guess is a very small percentage of those who received the letters actually read the letters. Or they may have read them so quickly they missed the part where it said you get (credit monitoring) for free. You have to be a pretty careful consumer to realize this is something you should read."
Consumer confidence an issue
Some victims were probably scared off by the sign-up process, which could require divulging a Social Security number. After all, who wants to fork over personal information to a company that's just lost it?
Larry Ponemon, who operates the research firm The Ponemon Institute, found in a recent survey that 1 in 9 adult Americans received a data-loss disclosure notice last year. But most recipients told his firm they spurned free credit monitoring -- in many cases because they did not trust the company that was making the offer.
"More than half of the respondent group who were offered credit-monitoring services was suspicious about the 'free' offer," Ponemon said. "Many respondents told us that they thought this was likely to be a gimmick that would ultimately cost them in the future. Others refused out of principle, and didn't want their goodwill to be purchased. "(They) were simply angry with the organization that reported the breach and did not want to accept any tokens or gifts."
Victims demonstrated a greater willingness to accept a cash payout, Ponemon said. In one instance, consumers more readily accepted a $10 credit to their phone service than an offer of free credit monitoring, he said.
Credit bureau Equifax Inc., one of the firms that offers free monitoring on behalf of companies that have leaked data, has in the past year created a swat team to deal with such breaches. The company has so far offered credit monitoring to customers affected by leaks at more than 100 companies, including LexisNexis, and Equifax's Steve Ely said one-third of all its credit-monitoring customers received the service as the result of a security breach.
Acceptance rates on the rise
Levy said last year, most consumers did reject the offers made by companies like LexisNexis. But acceptance rates are on the rise, he said, as more consumers become familiar with the importance of their credit reports.
Also, leaks by companies with more tech-savvy consumers tend to result in more sign-ups -- in some cases as high as 30 percent. A month ago, Fidelity reported a laptop with 200,000 records of Hewlett-Packard employees had been stolen. Ely said the sign-up rate after that incident was "significantly higher" than the LexisNexis rate.
What to make of this? I've always thought credit monitoring was a good idea, particularly for anyone who has reason to suspect they are a victim of recent identity fraud. But I've been reluctant to recommend it because I firmly believe consumers shouldn't have to pay for access to their own data.
In a case of a good result from a bad incident, data leaks have given millions of consumers a chance to use the services for free, and it's too bad more of them haven't signed up. Looking at your credit report is a bit like finding an old photo album in your grandmothers' house -- it's an intriguing walk down memory lane. As long as no one asks for your credit card number -- and you're sure you're not paying for it -- you should accept an offer of free credit monitoring when it comes your way.
On the other hand, it's understandable that more consumers haven't signed up. There have been some questionable presentations, which seemed more like marketing than a mea culpa. For example, Wells Fargo was criticized for offering its own credit-monitoring service after data leaks.
Not a perfect tool
And it's important to know that credit monitoring, while an effective tool, will not pick up every incidence of ID theft. It does little to alert consumers whose Social Security numbers are the only thing stolen, discussed previously in this blog. And it wouldn't ring any alarm bells for ID theft that doesn't involve financial theft, such as using someone's else's identity to escape arrest.
Finally, it doesn't include the most powerful tool consumers have been given to stop ID theft -- a credit freeze. Freezes allow consumers to lock up their credit report so it's impossible for a criminal to open a new account in their name. More than a dozen states now allow freezes, but they are spendy – a freeze can cost between $50 and $100 a year. In a perfect world, victims of a security breech would get an offer of a free credit freeze, and perhaps in some cases would have their credit reports automatically frozen to prevent theft and be given the opportunity to unfreeze their credit at their will.
While I have spoken to companies who I believe are trying to sincerely do the right thing after a data leak -- and I do think consumers bear some responsibility for reading their own mail -- more still needs to be done to protect victims. Something's wrong when only 5 percent sign up for the only service they are entitled to as compensation for the loss of their personal information. More should be done to make it right.