From the U.S. Government Accountability Office, www.gao.gov Transcript for: Data Breaches Description: Data Breaches have affected hundreds of millions of Americans. GAO explores what we can do to better protect ourselves. Related GAO Work: GAO-19-230: Data Breaches: Range of Consumer Risks Highlights Limitations of Identity Theft Services Released: March 2019 [ Background Music ] [ Anna Maria Ortiz: ] It's important that companies use strong data security practices so that criminals can't access this information in the first place. [ Matt Oldham: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm Matt Oldham. The number of people who may have had sensitive information compromised in large-scale data breeches is in the hundreds of millions. Whether it's a hotel chain, email provider, dating service, credit bureau, or the federal government, we've seen different areas breeched and the information at stake could be your social security number, account information, or passwords. I'm with Anna Maria Ortiz, a Financial Markets and Community Investment director at GAO. And she led a report looking at the aftermath of these data breeches. Thank you for joining me, Anna Maria. [ Anna Maria Ortiz: ] Thank you for having me. [ Matt Oldham: ] So, what can someone expect if they have been affected by a data breech? [ Anna Maria Ortiz: ] Entities that experience a data breech often offer affected consumers access to commercial identity theft services. Credit monitoring's the most well-known. It's usually packaged with a suite that includes identity monitoring; insurance restoration services. Victims of the OPM data breech, in particular, have been offered 10 years of access to these commercial services. Congress mandated OPM provide these. In the private sector, GAO found that it's become industry standard to offer about one year of these services. [ Matt Oldham: ] And so do these services work? [ Anna Maria Ortiz: ] GAO's previously reported that companies don't tend to provide these services because they're effective. They do so to protect their reputation or to reduce liability. In fact, GAO found that there's no independent evidence of the effectiveness of these services. That is, whether or not consumers who have these services experience more or less fraud than those who don't have these services or detect that fraud more or less quickly than those who just self-monitor their accounts. [ Matt Oldham: ] And up to this point we've been talking about some of the financial risks. Are there any other areas of concern? [ Anna Maria Ortiz: ] Consumers who experience these breeches may be subject to increased risk of reputational harm or embarrassment. They may find that someone tries to steal their tax refund. You could experience medical identity theft, where someone uses your information to access care. And then your access to care and insurance could be complicated in the future. And finally, some have even suggested that these large data breeches are the work of state-based actors who could use this information for espionage or blackmail. [ Matt Oldham: ] I'm a federal employee, of course as you are, and I'm resigned to the fact that, you know, my information is probably out there somewhere after the OPM data breech in 2015. And when you say that we've been offered 10 years of identity security services, what about the criminals who just wait for the first day after that 10 years? What can be done about that? [ Anna Maria Ortiz: ] Right. Once this information is out there we can't get it back. And for better or worse these commercial identity theft services are not designed to protect against fraud in the first place. There are a couple of key steps that consumers can take in response to a data breech. In addition to common sense monitoring of your own accounts, your credit reports and your insurance statements, you should consider taking advantage of free federal assistance at FTC's identitytheft.gov website. And you should consider taking out a credit freeze or a fraud alert. A credit freeze will prevent one type of fraud, new account fraud, by keeping a criminal from opening an account in your name. And a fraud alert compels creditors to verify your identity before they issue a loan in your name. Congress recently passed legislation making credit freezes and fraud alerts free for all consumers and a lot easier to use than they previously were. [ Background Music ] [ Matt Oldham: ] So it sounds like once your data has been stolen, there is not much you can do to get it back into safety. But things like credit freezes could help Americans protect themselves from the effects of identity theft. Anna Maria, do you have any recommendations for Americans to better protect themselves? [ Anna Maria Ortiz: ] Consumer groups that we spoke with recommended that Americans take advantage of freely available federal assistance, such as the services available at FTCs identitytheft.gov website. At identitytheft.gov there's information including breech-specific information. That is, depending on what type of information was exposed in a data breech, what you should do to protect yourself. If you're a victim of identity theft, identitytheft.gov will help you to develop a target of recovery plan and even pre-filling out forms that you'll need to restore your identity. Consumer groups we spoke with also recommended that if someone is offering you commercial identity theft services at no cost to you, you might consider taking advantage of them, particularly if they include individualized identity restoration services. [ Matt Oldham: ] So finally, what do you believe is the bottom line of this report? [ Anna Maria Ortiz: ] The key takeaway of our report is that there's no one solution that's going to protect against all potential risks of data breeches. Consumers should take advantage of freely available alternatives, such as credit freezes and fraud alerts. If they've been victims of identity theft, they should consider using the resources at identitytheft.gov to help them recover from that theft. At the end of the day, a lot of this information is out of consumer's control. So it's important that companies that hold our sensitive personal information use strong data security practices so that criminals can't access this information in the first place. [ Matt Oldham: ] Anna Maria Ortiz is a Financial Markets and Community Investment director at GAO, and she led a report looking at what options are available to consumers if they've been involved in a data breech. Thank you for your time, Anna Maria. [ Anna Maria Ortiz: ] Thank you. [ Background Music ] [ Matt Oldham: ] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts. [ Background Music ] [ Matt Oldham: ] For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at gao.gov.