Sunday, September 7, 2014

Stop the credit monitoring madness!


You’ve seen headline after headline on data breaches. Then, shortly thereafter you see the obligatory, and often perfunctory, statements like the ones below (actually excerpted from recent public breach notification messages):

- If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers.

- For extra assurance, we will offer free credit monitoring services for everyone impacted.


I am in no way castigating any company that steps up and tries to do the right thing by its customers; I applaud that. That’s what a great company does. I do, however, question the value of epidemic-like, knee-jerk reactions of providing identity theft services/credit monitoring for everything and anything that smells like a data or security breach.


* We lost your package. Have some credit monitoring!
* A box containing your monthly statements fell off of our truck. Have some credit monitoring!
* Your bill arrived in the mail without the envelope hermetically sealed. Have some credit monitoring!
* We accidentally told your ex-spouse your new address with the replacement spouse. Have some credit monitoring!


I kid, of course. But it is a de facto ‘best’ business practice that if anything comes close to appearing that a customer’s data is compromised, a company throws free credit monitoring at the customer. The problem is that, for most scenarios, credit monitoring does little or nothing to remediate the situation. In fact, all it really does is placate a customer who feels as though they should receive ‘something’ for their troubles, and gives the appearance that the company is contrite (and of course mitigates some legal liability). In the situation where real personal and sensitive data elements (name, address, Social Security number, tax returns, etc.) are compromised, then the absolute right thing to do is offer identity theft services to prevent further harm to an individual’s financial integrity. But if, say, a debit card number is lost or stolen, or if a credit card is lost or stolen, what does credit monitoring actually do for the person? As far as I can tell, nothing. Can you open another credit or revolving account at a department store with a debit card as the only valid form of ID? Not that I’m aware of. Does credit monitoring prevent the thief who stole your credit card from continuously using it? Don’t think so.

What should the company do? I vote to immediately cancel the cards in question and reissue them ASAP to the customer; refund any amounts that are patently fraudulent; apologize for the inconvenience; and thank the customer for their continued business. Those actions, to me, effectively mitigate the existing and future risks to the customer. And they don’t add to the hysteria.

An informal poll of my peers on the popularity of identity theft / credit monitoring services amongst their customers indicates that less than 10% of the offers actually get used. So, greater than 90%(!) of the customers who are offered the service don’t activate it - not merely don’t use the service, but actually do not call up the credit company and turn it on! Why? I suspect that in this age of breaches we as customers have gotten so many notification letters with identity theft offers that we have either enrolled five times over already and don’t need a sixth service. Or the once-valued service is now nothing more than a commodity to be tossed aside as casually as the letter that accompanies it. Or we have become so desensitized to the threat that any level of effort to enroll in one of these services is effort better spent playing Candy Crush or watching Shark Week. Since almost every financial institution makes you 100% whole on any fraudulent charges as long as you report the charges in a timely manner, you may at worst suffer a little anxiety when you first see that charge for a big screen TV (that was subsequently returned for cash) on your ‘new’ instant charge from Best Buy.

So can we all do ourselves, including customers, a favor? Let’s save the offer of identity theft/credit monitoring services for when it is actually warranted. Let’s spend the time and money on efforts that will make us all truly safer: upgrading encryption technologies, migrating to chip & PIN cards, deploying tokenization, strengthening access controls…the list goes on. How to fund it all, you ask? Think of the savings on stamps from not having to mail all those offer letters!