E&C Dem Leaders Ask GAO to Evaluate Effectiveness of Post-Breach Services in Protecting Consumer Data

August 30, 2017

Washington, D.C. – Energy and Commerce Committee Democratic leaders sent a letter to the Government Accountability Office (GAO) today urging the agency to go further in evaluating whether credit monitoring services used by private and public entities in response to data breaches provide effective consumer protection. The letter was signed by Ranking Member Frank Pallone, Jr. (D-NJ), Digital Commerce & Consumer Protection Subcommittee Ranking Member Jan Schakowsky (D-IL), and Oversight & Investigations Subcommittee Ranking Member Diana DeGette (D-CO).

The GAO recently reported that after data breaches, private companies offer consumers services for reasons independent of the effectiveness of the services, such as to avoid liability or to offer consumers "peace of mind," even in cases where the services offered did not necessarily address the risks associated with a particular breach.

"A popular response to these breaches has been to provide affected consumers with credit monitoring services. However, questions remain about whether purchasing and providing credit monitoring for customers is the optimal way to respond to data breaches," the three lawmakers wrote to GAO. "In particular, we are concerned that the popular response may reflect factors unrelated to the actual protection of breach victims and reliance on these products after the breach may result in consumers being lulled into a false sense of security."

The GAO also found that the Office of Management and Budget's (OMB) guidance to agencies on preparing for and responding to breaches of personally identifiable information does not address a service's effectiveness and may not fully reflect the most useful and cost-effective options agencies should consider in response to a breach.

In their letter, the three Democratic leaders request that GAO's investigation answer several questions including:

  • Which of the existing solutions provide reasonable protections for breach victims using criteria GAO deems appropriate? For example, are particular solutions more effective than others or more cost-effective?
  • What additional options not currently being used or considered are potentially feasible?
  • While credit cards continue to be stolen, other information such as the detailed background checks of federal employees are becoming more common. What are the recent trends in breaches or information theft?
  • To the extent that GAO identifies effective post-breach solutions and obstacles that impede their use, what can the federal government and the private sector do to make these solutions easier to leverage?

A copy of the letter to GAO is available here.