"My company's had a data breach, now what?"
With more than 630 data breaches in the U.S. from Jan. 1 through Aug. 31 of this year, according to the Identity Theft Resource Center, this question is becoming increasingly common.
Twenty-sixteen is on track to exceed the total of 780 breaches the center recorded in 2015, which could put millions of individuals at risk of identity fraud.
"Data breach" encompasses a broad range of incidents in which personal information may have been compromised, including hacking, accidental disclosure, skimming, insider theft, lost equipment and careless disposal of documents.
When companies, organizations or government agencies experience a data breach that may have exposed people's personal information, one of the many issues they must address is how to help those affected. Identity theft service providers can assist companies in many of these instances.
The Consumer Federation of America (CFA) made a checklist to help companies determine whether identity theft services are needed. CFA also offers suggestions on how to choose an identity theft service provider.
The checklist is aimed at any company, agency or organization that holds or transmits personal information—as many financial advisors and firms do.
"With financial advisors, if they have things like people's Social Security Numbers—which are the keys to unlocking their identities and which can be used for many fraudulent purposes; not just opening up new accounts in somebody's name but attaining government benefits, employment; housing—the problems that could result from a breach could be very serious and very complicated to resolve," Susan Grant, director of Consumer Protection and Privacy at CFA, told ThinkAdvisor.
"That's a situation where you would want an identity theft service that monitors a lot of different kinds of databases and also monitors the web to see if people's Social Security Numbers are being offered for sale on websites that specialize in that," she added.
Grant stressed that while it's easy to resolve problems with unauthorized charges to credit cards or debits, data breaches can lead much trickier situations.
"I can imagine that with other kinds of accounts the clients of financial advisors might have—whether it's different kinds of bank accounts or stocks or bonds or annuities or whatever they may be—if somebody can use the stolen information to get into those accounts, it could really wreak havoc and be a problem that would be more than the breached victim could easily resolve themselves," Grant said.
Here are the CFA's seven questions that financial advisors can ask themselves to better prepare for the consequences of a data breach:
1. What are identity theft service providers?
The CFA defines identity theft service providers as companies that provide a range of services which typically include alerting individuals about potentially fraudulent use of their personal information, mitigating the damage, and/or helping victims recover from identity theft.
"Identity theft services typically alert people about possible fraudulent use of their stolen information and help them recover from fraud if it occurs," Grant explained. "These monitoring and recovery features vary widely from company to company and can be tailored specifically for a particular breach situation."
2. Is it a good idea to retain an identity theft service provider before a data breach occurs?
The CFA suggested companies should consider having identity theft services lined up in advance in case of a data breach rather than shopping for those services in the midst of one.
According to the CFA, companies may also be able to save money by pre-negotiating for future identity theft services.
3. How do you know whether identity theft services are necessary if a breach occurs?
Whether identity theft services are necessary in the event of a data breach depends in large part on the types of personal information involved and the circumstances in which the breach occurred, according to the CFA.