We Can Do Better Than Free Credit Monitoring After a Breach
Individual companies and entire industries alike must take responsibility for protecting customer data — and doing the right thing when they fail.
Chris Lindsey, Application Security Evangelist, Mend.io
November 19, 2024
Having a long career in cybersecurity doesn’t stop me from being included in the same data breaches and mass involuntary disclosures of consumer information as everyone else. And like everyone else, I probably have now collected enough years of “free” credit monitoring that some of it could be passed on to my kids upon my death — maybe there will be some left for my grandkids, too.
Not that credit monitoring isn’t helpful — one big benefit is the detection of data on the Dark Web, which has shed more light on the frequency of breaches. Through my free credit monitoring obtained after one breach, I have been notified about my data showing up on the Dark Web, indicating a new breach has occurred with a different company, long before the company notified me itself.
Last year, over a third of Americans experienced fraudulent charges on their debit or credit cards, email or social media account takeovers, or a fraudulent attempt to open a line of credit or take out a loan in their name, according to Pew Research Center.
Breaches don’t seem to be slowing down. The Identity Theft Resource Center reports there were 78% more breaches in 2023 than in the previous year, and there are hundreds of millions of victims each year.
It certainly feels like no one cares. It’s true that stock prices do recover after a major breach, and they seem to be recovering faster each time. Wall Street must assume that consumers just don’t care that much, but I don’t see that continuing for long. Consumers might feel helpless, they might even feel hopeless, but they absolutely do care. If they start to take action, the economy will feel it.
Consider what might happen if most American consumers, concerned about the number of data breaches, decided to take the simple action of freezing their credit. It would probably be healthier for the economy overall if the ability to borrow impulsively were removed, but it’s not “good for business” and could significantly hurt several sectors — retail in particular. This is not unrealistic. Just a few years ago, freezing and unfreezing credit was a bit of a hassle. Today it takes only a couple of minutes per credit bureau.
So maybe companies ought to treat disclosure victims a little better and do more to not create victims in the first place.
Below are some ideas.
Before a Breach
At the very minimum, companies that hold personal health information or personally identifiable information in Internet-reachable databases should have a bug bounty program. Bug bounty programs allow independent security researchers to earn money by “hacking” companies within a published scope and responsibly disclosing the vulnerabilities they find. Without a clear program that spells out scope, rewards, and safe-harbor terms, researchers are guaranteed neither a reward for doing the right thing nor protection against legal action for the testing they did.
It also makes sense for companies above a certain size to obtain security certifications and share them publicly. At present, these certifications are voluntary. Eventually, government regulation may change that; for now, however, industry regulation will need to take the reins. Businesses that rely in any way on freely available consumer credit, such as retailers that offer store credit cards, should be especially diligent about their own certifications and wary of working with third parties that can’t show the same.
After a Breach
The number of breaches should absolutely be lower than it is, but even with great security, breaches can and will still occur. What’s important after a breach is protecting the affected consumers and not insulting them.
The first thing businesses should do is step up their disclosure game and notify customers in a timelier manner that their data has been compromised. It took Change Healthcare six months to send me a notification letter informing me that I was included in their breached data, but I was already keenly aware that this had happened months earlier. What was the point of the delay?
Next, companies need to do more than offer free credit monitoring. Credit monitoring is valuable, but it is reactive: it tells the consumer about misuse after it has happened. Giving victims access to a free password manager as well would give them a proactive tool, since unique, generated passwords limit how far a leaked credential can be reused against other accounts.
But handing out another relatively cheap service is unlikely to cause companies enough pain to make them prioritize security any more than they do now. Going back to industry regulation: certification should be contingent on an agreement to pay victims directly in the event of a breach, something like $5 to $50 per person per event.
A company that implemented good security and can show that proper controls were in place would pay less. If an ostensibly reputable company that has been certified as compliant is found to have been grossly negligent, then not only should that company pay each consumer a higher amount, the certification body should also have to pay out to victims. This extra obligation would bolster the value that certifiers provide, because it removes the incentive to rubber-stamp any company willing to pay for a certificate.
The sun is setting on companies getting away with being opaque, cheap, and slow to react after major breaches of customer data. Individual companies and entire industries alike must take responsibility for protecting customer data and doing the right thing when they fail.
About the Author
Application Security Evangelist, Mend.io
Chris Lindsey is a seasoned speaker who has appeared at conferences, webinars, and private events. Currently building an online community and creating a podcast series, Chris draws on expertise from more than 15 years of direct security experience and over 35 years of experience leading teams in programming and software, solutions, and security architecture. For three years, Chris built and led an entire application security program that includes the implementation of mature AppSec programs, including oversight of security processes and procedures, SAST, DAST, CSA/OSA, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis.