Agreed. I think 2 years is appropriate. I had separately registered for CIFAS prior to this incident and from memory that is active for 2 years which is when they expect most fraud to occur after data loss.