An employee’s home address, phone number, date of birth, or even how much money they make are all parts of their personally identifiable information (PII) footprint. When this PII falls into the wrong hands, it fuels a wide range of personal and corporate threats.
Easily available PII on the open web increases the risk of threats from phishing emails and password attacks to harassment campaigns and identity theft.
Improving employee privacy is the only way to reduce this kind of PII risk. There are many different potential solutions for doing this. These include identity protection services, privacy protection programs, and other enterprise people-protective solutions like dark web monitoring and reputation management.
However, with so many solutions, choosing one that fits your organization’s risk profile can be challenging. Below we compare the different programs available, paying particular attention to identity and privacy protection programs.
What Are Privacy Protection Programs?
Workforce privacy protection programs monitor and remove executive and employee personally identifiable information (PII) from data broker sources.
Data brokers are firms that scrape the web (social media, public sources, etc.) for information about individuals. They then compile this information into detailed profiles, which are sold to advertising agencies, insurance companies, government bodies, and other third parties willing to pay for it.
Data brokers rarely carry out thorough background checks. This means that anyone—cybercriminals, disgruntled employees, activists—can use and abuse employee and executive data.
The information exposed by data brokers includes:
Dates of birth
Data broker results tend to rank highly on Google search results. So anyone who Googles an employee’s or executive’s name can gain access to some of their most sensitive details.
As a way of keeping employee information away from data brokers, privacy protection programs provide two core benefits to enterprises:
They improve network security. Cybercriminals are increasingly personalizing their social engineering campaigns with information found online to trick employees into downloading malware or sharing sensitive data. Personal information can also help hackers crack passwords and spoof third parties. Recent examples include the Cisco data breach and the Twilio phishing attack. In the Cisco breach, attackers compromised an employee’s personal Google account, giving them access to the worker’s business credentials. In the Twilio attack, cybercriminals used phone numbers of employees and even their family members to craft a convincing phishing text message that gave intruders access to the company’s internal network.
They reduce the risk of employee harassment. Malicious individuals use personal data like phone numbers, home addresses, and family information to doxx, harass, and abuse employees and their families. More and more executives and employees value having their digital footprint monitored and removed continuously.
What Are Identity Protection Programs?
Identity protection programs monitor employee credit reports and other personal information to detect abnormalities and issue alerts.
Abnormalities identity protection programs may flag include:
Changes to employee credit scores.
Fraudulent credit accounts in employee names.
Unauthorized credit card or loan applications.
Court records with crimes reported in employees’ names.
Change of address requests.
Most identity protection programs can also help with identity recovery. For example, in the event of identity theft, an identity theft protection solution may send identity theft reports to credit bureaus in the affected employee’s name. Many services also provide insurance, covering at least some of the costs of repairing a stolen identity.
However, identity protection programs are a bit of a misnomer because they can’t stop threat actors from stealing someone’s identity. They can alert employees when fraud happens, which might help them limit the damage done. But they don’t stop fraud from happening in the first place.
Some identity theft protection services now also offer extra features, like dark web security monitoring and reputation management.
Key Differences Between Enterprise-Level Solutions
At a Glance:
Provides Proactive Protection
Removes PII from the web
Monitors for Fraud
Protects Personal Brand
Dark Web Monitoring
Integrated Suites of Security, ID Protection & Privacy
Privacy Protection: Privacy protection programs look for and remove employees’ and executives’ personal information from data broker sites like People Finder, ZoomInfo, and Acxiom.
Information on these databases is available to everyone, from advertisers to cybercriminals to disgruntled individuals with whom an employee may have come into contact. Removing PII from data brokers therefore reduces the likelihood of personalized phishing campaigns, password hacking, spoofing attempts, harassment, and doxxing. It is a form of proactive protection.
Data brokers relist people’s information even after they opt out of their databases. The best privacy protection services monitor for exposed information continuously.
Identity Protection: Identity protection services monitor employee credit files and issue an alert anytime someone uses their personal information, tries to open an account in their name, or makes a credit inquiry, among other things.
Because most victims of identity theft don’t realize their identity was stolen until months, if not years, after the fact, identity monitoring services allow them to react to fraud faster. Services like these also help victims undo damage to their credit or recover lost money.
Many identity protection services offer additional features, like dark web security monitoring. However, identity monitoring services do not stop bad actors from stealing an employee’s identity in the first place. These services are reactive, not proactive.
Dark Web Security Monitoring: Dark web security monitoring services search for employees’ personal information on the dark web. The dark web is where most stolen data is sold and bought.
However, even if a dark web security monitoring vendor finds employees’ data on the dark web, there is no way for them to remove it. This is because darknet sites are hosted on “bulletproof” hosting services impervious to removal requests and/or legal threats.
The most that dark web services can do is alert employees that their information is out there and suggest that they replace their passwords.
Reputation Management: Reputation management services use “reverse SEO,” a reputation management tactic that involves pushing negative search results lower and replacing them with positive results.
These services are popular among brands and people who have negative reviews/reputations.
Reputation management services do not remove online information. Rather, they bury negative information. This isn’t about privacy. It’s about PR.
Integrated Suites of Security, ID Protection, and Privacy: Some vendors offer integrated suites of security, ID protection, and privacy features for one low price.
However, the problem with these services is that they tend to do one or two things well while neglecting the rest. For example, a service that promises to monitor credit files and the dark web for employee data plus remove them from data brokers will not be able to opt employees out of as many data brokers (or as effectively) as a service dedicated purely to data broker removal.
Privacy Protection vs. Other People-Protective Solutions
The main difference between privacy protection services (aka data broker removal) and other people-protective solutions (i.e., ID protection, dark web security monitoring, reputation management, and bundled solutions) is that privacy protection is the only solution type designed to stop threats. The other services react to them.
Privacy protection services look for and remove employee information from data broker sources before their personal data can be used for nefarious purposes. Other solutions alert employees after bad actors have already done something with their personal information.
That’s not to say that enterprise solutions such as identity theft protection and dark web monitoring are pointless. They can be invaluable in helping employees and the organizations they work for to limit the effects of identity theft, password cracking attacks, etc. However, for organizations that want to make attacks less likely to happen in the first place, a proactive approach is a must.
How does DeleteMe privacy protection work?
Employees, Executives, and Board Members complete a quick signup
DeleteMe scans for exposed personal information
Opt-out and removal requests begin
Initial privacy report shared and ongoing reporting initiated
DeleteMe provides continuous privacy protection and service all year