Out-Law Analysis | 17 Feb 2017 | 3:57 pm | 5 min. read
Providing credit monitoring services can help reduce the reputational damage that businesses can suffer when customer data is compromised in a cyber attack, and it has also been shown to help reduce the level of fine that businesses may face for that data breach.
Having looked at the 10 things you always wanted to know about cybersecurity but were afraid to ask, we will share our findings in a themed series.
We previously looked at which people are typically behind cybersecurity breaches and the methods they use, what the common vulnerabilities are and what good IT security looks like, and how the legal landscape and regulatory fines are changing. We have also assessed the rising threat of ransomware and looked at how businesses may be able to seek protection afforded by legal professional privilege, and what they need to consider when working with criminal authorities. Here we look at the advantages of engaging credit monitoring after a breach.
What is credit monitoring?
The purpose of credit monitoring is to help detect credit-related fraud and identity theft. The monitoring service typically alerts affected individuals to changes in their credit report or score. Such services are commonly offered to customers affected by a large scale breach, owing to the increased likelihood of customer information being abused after such an incident.
Companies providing credit monitoring will typically alert the consumer to important activity such as credit applications or inquiries, new accounts and other changes to an individual's credit history. In the UK, the 'big three' credit agencies all offer this service, together with some smaller bureaus.
Some of the larger providers are also able to offer notification services to affected or potentially affected customers, for example contacting them by post or email, together with call centre support and credit monitoring across multiple jurisdictions.
The actual credit monitoring services tend to be similar to or the same as those offered to the market on a subscription basis, but they are funded by the business that has been breached or by its insurer, should the insurance cover extend to this.
Is credit monitoring necessary?
It is important to note that these services provide monitoring, not prevention. Credit monitoring will not protect an affected individual from encountering phishing emails or further online scams, and cannot of itself prevent an individual being targeted by identity thieves. However, alerting an individual to changes in their credit report or score may enable them to take steps to mitigate the impact of any misuse of their information.
When considering whether this is something to offer in the event of a breach, it is important to consider the geographical limitations of any provider. The credit bureaus of central Europe operate in a very different manner to those of the UK and the US. Providers have varying international reach, with service offerings in Europe tending to be limited, primarily because credit agencies in those jurisdictions hold less data than those in the UK and the US.
The return on investment in providing credit monitoring is predominantly the maintenance of a customer's brand loyalty. The affected customer may benefit from the peace of mind of knowing that such a service is available, even if it is not taken up. Should a customer accept the credit monitoring offer, that offer may be enough to retain the customer, or may even be enough to prevent the customer from considering any further claim.
As public perception increasingly focuses on how companies respond to major breach events, and as the reality of the incoming mandatory data breach notification under the General Data Protection Regulation (GDPR) begins to take hold, credit monitoring offerings could become even more valuable to the protection of corporate reputation.
How much does credit monitoring cost?
Credit monitoring services tend to be scaled by both volume and complexity. The nature of your customer base may dictate the geographical reach required. The scale or extent of the breach event and the breadth of its impact may dictate the services to be offered. The nature of your customer base may also dictate whether email or letter would be preferable as a notification process, and the demands of that customer base may require more sophisticated monitoring services. The customers of a high-end supermarket may demand more in the breadth of monitoring and support than the customers of a lower-end supermarket, for example.
Various pricing models are available. Some of the more advanced offerings will price the service according to the actual take-up of those services. If two million customers are affected in an attack, and only 20% of those affected take up the offer, the charge will be for those 400,000 customers only. Alternatively, the service may be priced by the total number of customers you wish to offer the services to.
At high volumes the cost of the notification process could be around £1 per customer, with call centre support at a similar pricing level. The credit monitoring services tend to be affected by the geographical limitations mentioned earlier, with prices on the continent lower than those in the UK or US because of the limited information available. Within the UK or US, prices vary depending on the sophistication of the monitoring to be offered, ranging from a matter of pounds per customer to in excess of £50 per customer. Smaller volumes may incur higher costs per customer.
In a breach affecting millions of customers it is not inconceivable that, even with an anticipated take-up rate of 10 to 20%, the cost of such services could run into the millions of pounds.
Credit monitoring can help you with the ICO
The UK's data protection authority, the Information Commissioner's Office (ICO), sometimes issues monetary penalty notices to organisations that are responsible for serious breaches of the Data Protection Act. Most of the fines it has issued have concerned failings in data security.
The ICO has, when issuing one such monetary penalty notice previously, looked favourably on the offer of credit monitoring to customers affected by a data breach. The ICO, when assessing whether to issue a penalty and what level of fine to impose, considered the offer of credit monitoring to be a mitigating factor in the breach.
In early 2015 a travel insurer was fined after its website was hacked and financial information extracted. The data controller provided a dedicated response team and free credit monitoring services for six months, which were considered to be mitigating factors.
Under the current ICO regime, where fines are limited to £500,000, there is a financial decision to take as to whether the cost of offering credit monitoring might exceed the mitigating effect it has on any fine. However, businesses considering the numbers should bear in mind the value that such an offering can bring to their corporate reputation. Fines of up to €20m or 4% of annual global turnover, whichever is higher, could be levied under the GDPR. That cost-benefit trade-off should prompt businesses to seriously consider offering credit monitoring services in future.
Philip Kemp is an expert in cyber risk at Pinsent Masons, the law firm behind Out-Law.com.