External Data Privacy Mgt is Better than Credit Monitoring

Why “Active” External Data Privacy Mitigation Post-Breach is Superior to “Passive” Credit Monitoring

Question:  What’s worse than having to inform your customers, investors, and business partners that their sensitive data has been compromised due to a data breach you were seemingly unable to prevent? 

Answer:  Sending them a canned letter explaining the scope of the breach and offering some toothless and ineffectual “credit or identity monitoring” service that only serves to alert them when their personal data – which you allowed to be stolen – has been used to steal from them or perpetrate some other criminal activity.

This reactive and entirely passive strategy for addressing the fallout from a data breach is seemingly the sole, standard response in use by victimized organizations (and their customers) today.  Want evidence?  Simply visit a search engine and search for “data breach letter template”.  Nearly every US state government offers a sample letter providing organizations in that state with stock messaging they can use to alert residents when their data has been compromised.  You’ll also find a plethora of law firms offering the same free template as a precursor to a pitch to retain their services when the inevitable lawsuits arise.  Data breaches happen with such regularity that the language used to alert victims has become boilerplate!

The Federal Trade Commission, states’ Attorneys General, insurance companies, legal documents retailers, colleges and universities, hospitals and healthcare providers, and of course, the hundreds of solution providers who’ve popped up to deliver post-breach clean-up services – a growing cottage industry – all appear in the returned search results with a “breach letter template”. 

In every letter template, you’ll find a placeholder where the breached organization is directed to include the name and contact information of the credit and identity monitoring service.  That is, if the breached organization is making such a paid service available to the thousands or even millions of victims in the wake of its breach.  Some do not even pay for these services.  Instead, they simply provide the contact info for the top three credit reporting agencies alongside links to free online credit reports where victims can monitor their own profiles for suspicious activity.

If it seems that there is really no other strategy for addressing the violated privacy of individuals – exposed through no fault of their own by the inadequate protection of their PII at the hands of an organization they entrusted with their information – it’s because there isn’t any other strategy.  Why do all organizations simply agree that securing the proverbial barn door after the horses have been allowed to escape is the best and only response?  And why do consumers take this insulting and ineffective consolation lying down?  Most importantly, what can any organization do to provide an active (not to mention ACTUALLY EFFECTIVE) mitigation strategy to its victimized customers in the wake of a breach?

This paper explores how a focus on active management of external data privacy (EDP) after a breach is a superior strategy for rectifying the betrayal of trust experienced by those who’ve been victimized by a data breach.  Moreover, this document will also shed light on how active EDP management applied preventatively to any workforce dramatically reduces the potential for data breaches in the first place, and how employing this type of solution preempts the need to produce a post-breach response by dramatically blunting the risk.

It bears note that there are scores of practices in use to prevent data breaches under the broad heading of cyber security. For many organizations, some of these practices aren’t deployed until after they’ve suffered a breach. This graphic from IBM and the Ponemon Institute does a good job of cataloging these practices and the respective impact each provides on the cost of a data breach. Yet, the glaring exclusion from this list is ANY activity dealing with external data privacy. Worse, the best case scenario only reduces the cost of a data breach by approximately 10% instead of actively preventing one in the first place.

In a perfect world, organizations would engage external data privacy management as a facet of their broader cybersecurity ecosystem, negating the probability of breaches.  While many are beginning to understand the new attack surface and awakening to the imperative of actively managing external data privacy, the majority have yet to act.  As with so many other preventative solutions, it is hard to recognize the imperative until after suffering the pain of victimization in terms of cost, reputational damage and loss.

So, while we strongly urge all organizations to embrace EDP policies before being hacked, such policies will likely still not be embraced all at once.  Yet, we can certainly illustrate how and why deploying an active EDP management solution in the wake of any breach is functionally superior to the passive practice of “a letter and credit monitoring” currently in vogue.  And perhaps, after some organizations are brought to these best practices by circumstance, others will learn by witnessing these examples and take proactive, protective measures before they are themselves breached.

What’s the Point of Credit Monitoring Services?

Forbes magazine produced an analysis of the “best credit monitoring services” for March 2024.  For the purposes of definition, we’ll quote Forbes Advisor directly as they answer the defining question, “What is credit monitoring?”  They write, “Credit monitoring is a service that tracks activity on a consumer’s credit reports and alerts them of any potential issues. Subscribers receive alerts for suspicious activity like new accounts and large changes to balances that may be the result of identity theft or other fraud. These services also include credit score updates, tracking and simulations to help consumers better manage their credit profiles.”  This is what many organizations pay for on behalf of their customers whose PII has been stolen by a data breach.

Does Credit Monitoring Service Help Prevent Identity Theft and Other Fraud?

As a protective or prophylactic measure, credit monitoring is a patently absurd proposition.  The time to prevent being a victim of a crime is not after a crime has been perpetrated.  Rather, prevention by definition occurs before a crime can be perpetrated against you.  Credit monitoring services may help one get a head start on reversing the worst effects of having one’s identity stolen.  But the threat actors in possession of a social security number and other PII will have already opened a bogus credit card or taken out a fraudulent loan in a victim’s name by the time it shows up on their credit report and is flagged by a credit monitoring service.   Alerted to unauthorized activity, one may be able to squash the fraudulently opened new accounts, but the threat actor still has the stolen PII and can continue to use it to malevolent ends. There are countless ways stolen PII can be used in the commission of criminal activities. 

Does Credit Monitoring Service Provide Better Visibility to Help Prevent Future Victimization?

The answer here is also no, for several reasons.  First, as a backward-facing methodology, the monitoring of credit activity – as noted earlier – is effective only after stolen financial information has been used in the commission of fraud.  But more importantly, these services are focused solely on monitoring activity as reported to the three leading credit reporting agencies – Equifax, TransUnion and Experian.

These three agencies alone are only a tiny fraction of the available sources of personal data that are routinely used by threat actors to generate social engineering and other attacks that fuel the epidemic of data breaches. 

Offering credit monitoring service to victims of a breach completely overlooks the more than four thousand Data Brokers and tens of thousands of People Search Sites that sell the personally identifiable information of hundreds of millions of individuals on a daily basis.  If a contrite organization truly wanted to do something to remediate its failure to protect sensitive customer data, it would offer a service to help scrub these thousands of exposures from data brokers and people search sites for all those exposed by its breach.  It would also apply the same preventative effort to its own workforce and the relevant employees of its third-party partners.  This would demonstrate a truly effective method for ensuring a far lower probability of further breaches.

Stolen PII is routinely resold on the dark web.  There, threat actors can pair it with additional PII they source from Data Brokers, People Search Sites, Social Media Sites and even free, public information sources to generate highly targeted attacks on victims’ workplaces.

In addition, data brokers purchase so-called “credit headers” from credit reporting agencies. Information on a credit header generally includes a person’s name, Social Security number, address, phone numbers, and birth date.  So, this sensitive personally identifiable information is in fact readily available for purchase.  Simply enrolling in credit monitoring service does little to ensure against future victimization.

Moreover, the three large credit reporting bureaus themselves are not immune to data breach.  In fact, they are a prime target for threat actors expressly because they are a repository of the PII of hundreds of millions of people.  This is why one of the big three reporting agencies – Equifax – was itself breached in one of the largest data breaches in history.  Hackers in that case gained access to the entire data profiles of more than 146 million people.  Equifax agreed to a settlement with the Federal Trade Commission which included paying $300 million for credit monitoring services provided through its competitor, Experian! 

Associate professor of cybersecurity policy at Tufts University Josephine Wolff remarked, “I understand why Experian gets that contract. On the other hand, I think it kind of feeds this industry that is really not helping anybody except for the large credit bureaus.”

Monitoring credit only identifies what a threat actor has successfully done with one’s breached and stolen personal information.  This leaves the victimized individual to clean up a huge mess.  It does not actively prevent one’s data from being used in the commission of a crime. 

Is Credit Monitoring Service a Good Value?

The same Forbes article referenced earlier published the magazine’s top picks for “the best credit monitoring services”.  The providers nearer the bottom of the list offered services at zero cost, which reveals the intrinsic value of this rather toothless option.  The free options all use monitoring as a loss leader to attract customers for the other services and products they offer.

The top choices offered by Forbes all offered monitoring services as part of a monthly subscription.  The top-rated choice is delivered by one of the three big credit reporting agencies itself – Experian.  This product’s subscription costs $300 for an individual and $420 for a family plan annually.  For the money the service includes FICO score alerts and monitoring of new credit inquiries, new accounts, large balance changes, credit utilization and other activity.  Other top-rated offerings according to the article fell in a range between $80 and $300 per year.

Notably, a company called ID Watchdog offers (for $425 annually) a program that includes identity theft insurance coverage in addition to the typical three reporting agency monitoring.  That subscription also delivered data breach notifications, block inquiry alerts, 24/7/365 customer support and an attractive mobile app to help users stay informed.  Certainly, more functionality for the money.  However, none of these bells and whistles are in any way effective as a preventative activity.  Adding identity theft insurance is yet another reactive remedy, only applicable after the damage has been inflicted on an unsuspecting individual.

In 2022, cyber security validation firm Cymulate published the Cymulate Data Breaches Study.  The global survey polled 858 senior decision-makers from North America, EMEA, APAC, and LATAM, across various industries, including technology, banking, finance, and government.  The study revealed that more than two-thirds (67%) of businesses suffer repeat cyber attacks within 12 months of an initial data breach.  Unsurprisingly, none of the steps taken and responses deployed by organizations in the wake of unauthorized intrusions into their information systems seem to be effective at protecting them from further attack.

In these instances, the victims of the initial breach are likely to be alerted that their data has been exposed a second time thanks to the monitoring services being provided to them as a result of the initial breach. For the significant capital outlay a breached organization makes to provide monitoring service to its victimized customers and partners, this only adds insult to injury – customers learning of their repeat victimization by the very same service they were provided to supposedly remediate the initial data privacy failure!

The value of these solutions as a good-faith illustration of concern and contrition is illusory at best.  It is a mostly performative action providing the appearance of care and a desire to repair trust between the breached organization and its victimized customers.  But when the inevitable next exposure occurs, the strategy backfires and twice-victimized customers wonder why they’ve been left unprotected yet again by the same organization.

Clearly, spending millions in performative actions after a data breach is not truly a cost-effective solution. 

What Other Steps Do Organizations Commonly Embrace Post Breach?

CPO magazine performed a breakdown of the different responses businesses generally tend to deploy in the wake of allowing their customers’ PII to be exposed in data breaches, as determined by the Cymulate study.  (It bears note that the Cymulate study did not reference credit reporting services at all.)  The reporting revealed that 35% of breached organizations hired external security consultants.  12% hired public relations consultants to help smooth the damage to their reputation.  An additional 12% responded by terminating their existing security staff, and 4% fired the executives in charge when the breach occurred.  A full 39% handled the response entirely with internal resources, without hiring experts or PR people, or providing any monitoring services to those victimized in the breach.

Like paying for monitoring services for victims, none of these strategies – changing security staff, replacing executive leadership, engaging external security consultants, deploying expensive public relations – are in any way proactive.  None of them addresses the root of the challenge.  None of them makes even the most modest dent in the zettabytes worth of unsecured external data.  None of them is in any way effective at erecting a prophylactic layer to protect external data privacy.

The Case for Active External Data Privacy Management Instead

Too often, organizations are disinclined to take any action until after circumstances force them to do so.  So, while Privacy Bee for Business routinely urges organizations to engage external data privacy protections using the Privacy Bee platform and associated solutions, many will still opt to have faith in their existing cyber security efforts to prevent data breaches.  Nearly all will fail.

Yet, this paper is about the choices facing organizations dealing with the aftermath of a data breach.  And while it is preferable to prevent one in the first place (an ounce of prevention being worth a pound of cure), the application of the Privacy Bee solution is still far superior to credit monitoring as a remediating effort. 

The purpose of any response to a data breach is two-fold.  One, to immediately illustrate to customers/partners harmed, that an organization is serious about restoring trust and protecting privacy.  And two, to deploy upgrades to existing security protocols to prevent future attacks.

For a cost-per-user that falls somewhere in the mid-range of the cost of reactive, post-breach credit monitoring services, a breached organization can instead offer highly effective external data privacy management from Privacy Bee.  For consumers, Privacy Bee delivers a five-step process to guard against the ongoing exploitation of individuals’ privacy, even after their PII has been stolen as a result of a data breach.  The service proactively deletes an individual’s information from Data Brokers, People Search Sites and other locations on the internet where it is vulnerable to exploitation by hackers and threat actors.

The Privacy Bee consumer product provides users with the ability to choose which companies and organizations they trust with their personal data.  Following a deep internet scan, the solution identifies all the exposures, and the user can then select which companies they wish to trust.

Then, Privacy Bee erects a preventative privacy shell for each user, with 24/7/365 privacy monitoring to halt the sale of users’ PII by thousands upon thousands of Data Brokers, People Search Sites, marketing lists, etc.  The service manages the identification of exposed data, the data removal request process for all exposures identified, and tracking of compliance to ensure removals are actually completed.

The solution also includes a powerful browser extension so that users can more securely surf the internet and mark favorite websites as “trusted” on an ongoing basis.  

This proactive solution is proven to dramatically reduce instances of fraud, scams, extortion, spam, identity theft, telemarketing and more.

Applying the Protective Privacy Shell Internally

The beauty of active management of external data privacy for large organizations is the extent to which the strategy prevents data breaches in the first place.  For an organization that has been breached, the Privacy Bee consumer product is – as this paper has illustrated – a superior alternative to credit monitoring, demonstrating to victimized individuals that your organization is serious about repairing trust and helping clean up the mess resulting from your organization’s inability to prevent a breach of customer PII.

Yet, few would argue against the idea that preventing a data breach in the first place is (or at least should be) the objective for all organizations.  Certainly, it is more cost effective to proactively protect the workforce of the organization from being targeted by Social Engineering attacks like Phishing/Spear Phishing, Smishing, Email Spoofing, Ransomware attacks and other increasingly popular attacks, all of which rely primarily on unsecured external data to perpetrate.  Even covering a large enterprise with ten thousand employees using Privacy Bee for Business incurs significantly less expense than providing coverage to hundreds of thousands or even millions of victims subsequent to a data breach.

Additionally, preventing such attacks from occurring helps keep an organization’s reputation intact.  It avoids rendering the organization the target of class actions and other lawsuits/penalties and untold costs associated with legal defense, public relations and staffing change costs.   

Privacy Bee for Business delivers a number of potent audits and scans like the External Data Privacy Audit and Privacy Risk Assessment which an organization can utilize at no cost.  Doing so provides immediate and eye-opening visibility into the level of risk an organization is exposed to by unsecured external data.  Once it becomes apparent the extent to which these risks and threats exist, the cost of applying the Privacy Bee for Business platform for all relevant internal resources (as well as for those within active third-party vendor organizations) is routinely seen as nominal. 

Moreover, the Privacy Bee for Business platform delivers many other features that protect data privacy and help demonstrate the organization’s dedication to privacy.  Vendor & Cookie Consent, Privacy Trust Badging and Consent Core represent best practices for privacy management at the forefront of the industry.  Several of these solution elements even provide a direct source of revenue back to the host organization!  (Read: Converting Cookie Consent from an Expense to a Profit Center for details on revenue generation)

Applying Privacy Bee for Business to your organization does so much more than prevent your customers from being victimized by breaches of your information system.  It also delivers strong executive protection and overall employee safety – especially important for high-profile or polarizing industries – reducing physical threats, doxxing, identity theft and other threats.  It reduces HR poaching, telemarketing, spam and other productivity-busting, time-wasting nuisances.

Whether working to rectify a breach that has recently occurred or seeking to prevent your first (or next) breach, there is no better product on the market than Privacy Bee.  Learn more today!
