CFA Revises Best Practices for Identity Theft Services
Print

Version 2.0 Addresses New Trends and Issues in the Identity Theft Service Marketplace

11/17/15

Today Consumer Federation of America (CFA) released Best Practices for Identity Theft Services Version 2.0, updating the guidance that it originally issued in 2011 to encourage for-profit identity theft service providers to follow responsible practices. “We revised the best practices to address new trends and issues that have arisen in the identity theft service marketplace and strengthen some of the original provisions,” said Susan Grant, CFA’s Director of Consumer Protection and Privacy. “With security breaches and identity theft cases so much in the news, it’s important for purchasers of these services to understand what they’re getting and for consumers to be treated fairly.”

The revised best practices call for identity theft service providers to:

·         Clearly and completely disclose all costs and other material terms before asking consumers to pay and obtain consumers’ affirmative consent to the terms before charging them.

·         Clearly disclose the terms of free trial offers, which are frequently used to solicit consumers to try identity theft services for a limited period of time after which they will be charged unless they cancel, and provide simple mechanisms for consumers to cancel.

·         Provide clear, easy-to-find, explanations about credit scores when they offer them as part of their programs and not misrepresent the nature of those scores.

·         Only share consumers’ financial account and Social Security numbers with third parties to the extent that it is necessary to provide the requested services or as required by law.      

·         Obtain consumers’ express affirmative consent to provide their personal information to third parties for marketing purposes.

·         Refrain from charging consumers for credit reporting and monitoring services if they are unable to deliver those benefits and offer those consumers the option of canceling if the delivery problems cannot be resolved. 

There is also a new section in the best practices about data breach services. Businesses, government agencies, and organizations often purchase identity theft services to help individuals whose personal information they hold if that information is breached. Under the best practices, identity theft service providers that seek to sell breach services to such entities should clearly explain the benefits and limitations of their programs and how the features may help breach victims. The data breach provisions also limit the collection, sharing and use of victims’ personal information to that which is necessary to provide the breach services and address how identity theft service providers should approach soliciting those individuals to purchase services after the breach services end.

These revisions were developed in consultation with CFA’s Identity Theft Service Best Practices Working Group, which includes Call for Action; Consumer Action; Mari Frank, Esq.; Privacy Rights Clearinghouse; AllClear ID; Experian; EZShield Fraud Protection; ID Analytics; ID Experts; IDT911; Intersections Inc.; Kroll; Merchants Information Solutions; and Zander Identity Theft Services. Some companies that participated in the revision process are not listed because they are still reviewing the final document and will be added to the list on CFA’s www.IDTheftInfo.org website at a later date. CFA also received informal input from representatives of some government agencies.

“Today’s online consumers unfortunately are exposed to the risk of ID theft and data breaches. There are many ‘identity theft services’ that market themselves as a response to this uncertainty,” said Linda Sherry, director of national priorities at Consumer Action. “These services offer preventative credit monitoring and/or clean-up assistance for victims of identity theft. CFA’s Best Practices for Identity Theft Services, now featuring a new section about data breach services, and the checklist for consumers,  encourage awareness for companies and consumers about what these service can—and can’t—do.”

“We commend the CFA for its unrelenting work in protecting consumers. The implementation of these guidelines will further enhance the image of the identity theft monitoring industry and provide greater customer satisfaction,” said Johan Roets, COO of Intersections Inc. and President of Identity Guard®.

“Identity theft protection is an essential element of consumer protection and remediation following a data breach,” said Michel Bruemmer, Vice President of Consumer Protection for Experian. “That’s why Experian participates in the coalition led by CFA to continually improve best practices for the industry.” 

“Unfortunately, the data breach world has gone from lost laptops and misplaced thumb drives to State sponsored hacking and organized crime. It is more important than ever for consumers to be educated and armed with the proper tools to help protect their privacy and identity. We strongly support this effort to identify and communicate the industry’s best practices to help in this effort,” said Bob Gregg, CEO, ID Experts.

“We applaud the CFA working group’s effort to define industry best practices, and in particular, the new guidelines designed to protect the privacy of data breach victims,” said Bo Holland, Founder & CEO, AllClear ID.

“As a major provider of identity and data risk management solutions for insurance, financial institutions and employee benefits organizations, we’re committed to supporting the revised best practices so companies can choose the best identity theft service provider for their customers,” said Matt Cullina, CEO of IDT911. “Adhering to a higher standard service is a core value at IDT911 and part of our mission to help companies strengthen their customer relationships.”

“We are pleased that the companies in the working group support the Best Practices for Identity Theft Services,” said Ms. Grant. “They are leading by example.” Noting that some of the new best practices may take time for companies to implement, Ms. Grant said, “I am encouraged that we’re continuing to move in the right direction.”

The best practices and other resources concerning identity theft, including Nine Things to Check When Shopping for Identity Theft Services, are available on CFA’s www.IDTheftInfo.org website.