Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
DataBreachCost.com
Cost File 10.CM / Credit Monitoring Cost

Post-breach identity protection

Cost-component profile

Credit monitoring post-breach: $10-$30 retail, $4-$12 enterprise bulk.

Credit monitoring is the most frequently offered post-breach remediation benefit. Commercial credit monitoring runs $10-$30 per person per year at retail pricing, with enterprise bulk pricing around $4-$12 per person per year for one-year terms and lower per-year cost for multi-year commitments. Most major breach settlements require two years of monitoring (Anthem, T-Mobile) with some major cases requiring four years (Equifax FTC settlement). Per-affected-person economic value typically runs $30-$80 across the full enrolment period.

Retail price: $10-$30/yr (Experian IdentityWorks, Equifax CompleteID)

Enterprise bulk: $4-$12/yr (1-year breach response engagement)

Multi-year commit: $3-$8/yr (2-4 year commitment, lower per-year)

Settlement typical: 2 years (standard settlement compensation duration)

Section CM.1

What credit monitoring actually does

Credit monitoring is a service that watches the three major US credit bureaus (Experian, Equifax, TransUnion) for changes that may indicate identity theft. Typical monitored events include new credit-card applications, new loan inquiries, new account openings, address changes, fraud alerts placed on the file, and credit-score changes beyond a threshold. When a monitored event occurs, the service alerts the consumer through email, push notification, or both, allowing the consumer to investigate and dispute fraudulent activity.

Higher-tier credit-monitoring products add dark-web monitoring (scanning underground marketplaces for the consumer's personal data), identity-restoration services (case-management support to help victims of identity theft restore their financial standing), identity-theft insurance (typically $1M coverage for direct expenses incurred restoring identity), and credit-lock or credit-freeze services. The progression from basic to comprehensive coverage scales the per-consumer cost proportionally.

The post-breach use case is somewhat different from the general-consumer use case. Post-breach monitoring is typically time-limited (1-4 years) and is offered specifically to detect fraud arising from the breached data. The breached entity pays for the service, the consumer enrols voluntarily, and the consumer continues to bear primary responsibility for fraud detection and response.

Section CM.2

The retail vs enterprise pricing gap

Direct-to-consumer credit monitoring products are sold by the three bureaus, several specialist vendors, and increasingly by banks as a value-added service. Retail pricing typically runs:

| Product | Vendor | Monthly retail | Annual |
|---|---|---|---|
| IdentityWorks Plus | Experian | $9.99 | ~$120 |
| IdentityWorks Premium | Experian | $19.99 | ~$240 |
| CompleteID Standard | Equifax | $9.99 | ~$120 |
| CompleteID Premier | Equifax | $19.99 | ~$240 |
| TransUnion ID Protection | TransUnion | $13.99 | ~$168 |
| LifeLock Standard | LifeLock (Gen) | $11.99 | ~$144 |
| LifeLock Ultimate Plus | LifeLock (Gen) | $29.99 | ~$360 |
| Allstate Identity Protection Pro Plus | Allstate | $11.99 | ~$144 |

Enterprise bulk pricing for breach-response engagements is dramatically lower. The major breach-response platform vendors (Experian Data Breach Resolution, Kroll, AllClear ID, IDX) offer one-year basic credit monitoring at approximately $4-$8 per enrolled individual when bundled with breach-notification services. Two-year commitments run $6-$12 per enrolled individual total. Four-year commitments (the Equifax FTC settlement standard) run $12-$24 per enrolled individual total.

The retail-vs-enterprise gap reflects three factors: bureau-side bulk pricing through master agreements with the major breach-response vendors; lower service intensity (most enrolled individuals never trigger an alert, so the average service cost per enrollee is low); and marketing economics in which the breached entity is captive demand rather than a retail-acquisition channel.

Section CM.3

Enrolment rate and unit economics

The actual cost to the breached entity depends critically on the enrolment rate. Most credit-monitoring offers made as breach remediation are opt-in: the breach notification letter includes a code or URL the consumer uses to enrol, and enrolment is voluntary. Observed enrolment rates run 5% to 25% across major breach settlements. The Equifax 2017 settlement had notably higher enrolment (approximately 30-40%) due to extensive media coverage that drove awareness. The T-Mobile 2021 settlement saw enrolment rates around 15-20%.

For breach-cost budgeting, the rule of thumb is approximately 15% enrolment of the affected population for typical breaches, with a media-attention adjustment up to 30% for high-profile cases. For a 100,000-individual breach offering two years of monitoring at an enterprise rate of $8 per year per enrolled individual, the expected cost is approximately 100,000 x 0.15 x 2 x $8 = $240,000.

The enrolment-cost asymmetry creates an interesting settlement-design feature. Plaintiffs prefer to value the settlement at the full retail value of the offered monitoring (e.g. $360/individual for two-year LifeLock Ultimate Plus equivalent), producing a headline class-value of $36M for a 100,000-individual breach. The breached entity's actual expected cash outflow is $240K, two orders of magnitude lower. The gap has been the source of considerable critique of class-action settlement economics in the academic literature.

Section CM.4

The four-year Equifax precedent

The Equifax FTC settlement in 2019 set the four-year credit-monitoring precedent for mega-breaches. The settlement structure offered affected consumers four years of free credit monitoring through Experian (with extension to additional years through Equifax) or alternatively up to $125 in cash compensation. The four-year duration was unprecedented for a class settlement and reflected both the unusual record sensitivity (147M consumers, full PII including SSN) and the FTC's judgment that two years was insufficient for the long-tail fraud risk.

Subsequent mega-breach settlements have generally returned to two-year monitoring as the standard, with the four-year Equifax structure as the outlier rather than the new norm. The Capital One $190M settlement offered three years, reflecting a compromise position. The T-Mobile $350M settlement offered two years. The Change Healthcare 2024 OCR investigation, when settled, will probably require at least two years and possibly more given the unprecedented record count.

The unit cost of multi-year monitoring is meaningfully lower per year than one-year monitoring due to bureau bulk pricing on multi-year master agreements. A four-year commitment at approximately $5-$6 per individual per year produces an all-in per-individual cost of $20-$24 for the full enrolment, only modestly higher than the two-year $12-$16 figure. The economics of extending the monitoring period are favourable for the breached entity once the basic enrolment infrastructure is in place.

Section CM.5

The shift toward identity-restoration as differentiated benefit

Basic credit monitoring has become commoditised in the post-breach context. The major breach-response vendors offer largely equivalent products at largely equivalent enterprise bulk pricing. The competitive differentiation has shifted to higher-tier services: dark-web monitoring (scanning underground marketplaces for the affected consumer's data), identity-restoration case-management (live support to walk fraud victims through dispute, freeze, and recovery processes), identity-theft insurance ($1M-$2M coverage for direct expenses), and family or business-owner coverage extensions.

For high-sensitivity breaches (PHI, financial-account credentials, SSN with extensive linked data), the more comprehensive identity-restoration services have become increasingly common as part of the post-breach remediation package. The enterprise per-individual cost runs approximately $15-$30 per year for comprehensive coverage versus $4-$12 for basic monitoring. The cost premium is justifiable when the breached data poses high actual fraud risk rather than primarily theoretical risk.

Primary source: Credit monitoring cost benchmarks from Experian, Equifax, TransUnion, LifeLock (Gen), Allstate Identity Protection direct-to-consumer pricing, plus breach-response platform vendor public statements and breach-settlement disclosed contract terms (Anthem AllClear ID, T-Mobile Kroll, Equifax FTC settlement Experian).