The Government Accountability Office (GAO) said that information on the efficacy of identity theft insurance coverage is limited in a report yesterday, adding that it is unnecessary to mandate Federal entities to offer certain levels of identity theft services.
GAO was unable to find independent studies that measure the efficacy of commercial identity theft services, which private companies tend to offer for about one year after undergoing a data breach and the Office of Personnel Management (OPM) offered to its compromised constituents for 10 years after its 2015 breach.
The report said, however, that companies and agencies that typically provide these services–such as credit and identity monitoring or identity theft insurance–in the event of a data breach do so to protect their reputation and reduce liability rather than to provide effective consumer protection.
Data collected by hackers in data breaches can be compromised in multiple ways, so credit and identity monitoring have limited value, according to nine of the ten representatives from consumer groups that GAO interviewed.
GAO also found that only 13 percent of individuals compromised by the OPM data breach enrolled for its identity theft services. The office said that this, on top of the limited protection these services offer, should mean Federal agencies shouldn’t be required to offer identity theft insurance and that mandating these services could be costly.
“The $5 million per-person coverage limit mandated by Congress likely was unnecessary and might impose costs without providing a meaningful corresponding benefit,” GAO said. “Specifically, we noted that $5 million in coverage would increase federal costs unnecessarily, likely mislead consumers about the benefit of the product, and create unwarranted escalation of coverage amounts in the marketplace.”
Rather than require these services, GAO said that companies and agencies should focus their resources more in preventing breaches in the first place, and it said that consumers should pursue credit freezes and fraud alert if their information is compromised. GAO also recommended allowing agencies to decide the appropriate coverage level for identity theft insurance.