Screw identity theft protection. It's at best pointless and at worst a scam to get you to pay to continue the "protection" after the initial period expires.
They should instead have a minimum fine per-user that gets paid in cash directly to the impacted individuals. Paying $10 x 1M accounts would make businesses wake up to this problem much faster. Maybe even have the fine be tiered based on the level of data that was compromised:
Agreed. If one wants to change the business's behavior there has to be financial penalty to incentive them to get their act together. Currently, there's zero regulatory compliance required with little to no impact to the company other than momentary bad PR that is not withstanding.
They should instead have a minimum fine per-user that gets paid in cash directly to the impacted individuals. Paying $10 x 1M accounts would make businesses wake up to this problem much faster. Maybe even have the fine be tiered based on the level of data that was compromised: