Given all of the big-name data breaches that have occurred during the past few years, there’s a good chance your personal or payment information has been compromised.
There’s also a chance you’ve been offered some type of identity protection, usually in the form of free credit monitoring, by the company that suffered the breach. But how much (and what type of) protection are they legally required to provide?
Well, chances are, the answer is zero.
The Laws of Data Breaches
There are laws requiring that companies that experience a breach notify affected consumers. The specifics of how and when vary by state, but “the general requirement is written notification usually by regular mail,” Scott Christie, a Newark-based partner at McCarter & English, said. “Many statutes say if there is an exceptionally large number of victims you can notify in an alternative means, which can be electronic mail or notification by the main page of your website.”
Some state laws require that you notify state law enforcement or attorneys general as well — and generally before consumers are told of the breach so notifications don’t compromise a potential investigation, Christie said.
But virtually no stipulations exist that address consumer restitution following a breach. Earlier this year, Connecticut updated its laws to mandate companies provide credit monitoring following one, but, beyond that (and a failed attempt to do so similarly in California), there’s nothing stipulating how companies should compensate consumers post-hack.
Still, “more and more companies, because they are worried about being sued, are offering monitoring as a standard,” Eduard Goodman, Chief Privacy Officer at IDT911, said.
It’s “sort of as a public relations effort more than anything else,” Christie said.
Why Isn’t Credit Monitoring Required?
Coming up with some sort of federal standard regarding data breach restitution would be tricky, Goodman said, since not all of them are mitigated by the same types of fraud protection.
Credit monitoring, for instance, won’t help you spot the types of fraud that a payment breach would leave you vulnerable to, since it doesn’t regularly monitor the affected consumers’ credit card or debit card accounts. In fact, in those instances, providing free credit monitoring could actually be detrimental, Goodman said, since the service provides a “false sense of security to a consumer” and could lead them to believe they don’t have to check their bank statements.
It can be hard to pin down how much monitoring should be provided post-breach for similar reasons.
There are “low-risk situations where a year is more than enough,” Goodman said. These situations would include when a company was robbed and had employee laptops stolen — in that case, the thief is probably more concerned with selling the merchandise than any data that’s on it. But there are situations where a year’s worth of credit monitoring (a company go-to in many data breach situations) won’t provide adequate protection either, he said. (If your Social Security number is compromised, for instance, you’ll need to monitor your credit well into the foreseeable future, since that bit of personal information can be used for many things and can’t be changed as easily as a credit card number.)
How Can I Protect Myself?
Suing for further restitution post-breach is not very common — or successful — since, given how data-driven our society is, it can be difficult to tie any identity theft to one particular incident. “As a result, it’s hard for defendants to show damage” and win, Christie said.
That’s not to say that consumers are left completely without recourse. Class-action lawsuits do pop up when companies do nothing after a breach, Goodman said. And if you find yourself dealing with a company that doesn’t seem to care at all, you can file a complaint with the Better Business Bureau — or, perhaps even more pointedly, your state’s attorney general.
“All of them have investigators who look into these respective cases and they will seriously investigate them,” Christie said.
You should also do your own due diligence and keep a close eye on any accounts that may have been compromised. If you have reason to believe your personal information fell into the wrong hands, you should also monitor your credit (and possibly consider a credit freeze, which can be free to victims in many states).
You can monitor your credit on your own by pulling your free credit reports each year on AnnualCreditReport.com and checking your credit scores for free each month on Credit.com. Signs your identity has been stolen include sudden, unexplained drops in your scores, new credit accounts you yourself didn’t open and equally mysterious credit inquiries.