Should Credit Card Issuers Reissue Cards in Response to a Data Breach?: Uncertainty and Transparency in Metrics for Data Security Policymaking

Published: 30 September 2018

Abstract

When card data is exposed in a data breach but has not yet been used to attempt fraud, the overall social costs of that breach depend on whether the financial institutions that issued those cards immediately cancel them and issue new cards or instead wait until fraud is attempted. This article empirically investigates the social costs and benefits of those options. We use a parameterized model and Monte Carlo simulation to compare the cost of reissuing cards to the total expected cost of fraud if cards are not reissued. The ranges and distributions in our model are informed by publicly available information, from which we extrapolate estimates of the number of credit card records historically exposed in data breaches, the probability that a card exposed in a breach will be used for fraud, and the associated expected cost of existing-account credit card fraud. We find that automatically reissuing cards may have lower social costs than the costs of waiting until fraud is attempted, although the range of results is considerably broad.
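The reissue-now versus wait-for-fraud comparison that the abstract describes, as an added Monte Carlo sketch that is not the paper's own model: every parameter range below is a constructed placeholder (the paper's estimates and distributions are not on this page), and `Scenario`, `reissue_cost`, `wait_cost`, `breakeven_p_fraud` and `simulate` are names chosen here.

```python
"""Added sketch of the reissue-vs-wait social cost comparison.

All parameter ranges are CONSTRUCTED placeholders for illustration, not the
paper's estimates; the paper's actual inputs are not on this page.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    exposed_cards: int    # cards exposed in a breach but not yet used for fraud
    reissue_cost: float   # per-card cost to cancel and reissue (issuer plus cardholder)
    p_fraud: float        # probability an exposed card is later used for fraud
    fraud_cost: float     # expected cost of one existing-account fraud incident


def reissue_cost(s: Scenario) -> float:
    """Option 1: cancel and reissue every exposed card immediately."""
    return s.exposed_cards * s.reissue_cost


def wait_cost(s: Scenario) -> float:
    """Option 2: wait; only the cards actually misused incur fraud losses."""
    return s.exposed_cards * s.p_fraud * s.fraud_cost


def breakeven_p_fraud(s: Scenario) -> float:
    """Fraud probability above which reissuing is cheaper. The card count
    cancels out, so the per-breach decision is really a per-card comparison."""
    return s.reissue_cost / s.fraud_cost


def simulate(trials: int, seed: int = 0) -> dict:
    """Draw each uncertain input from its (constructed) range and tally how
    often reissuing wins, plus the spread of the reissue/wait cost ratio."""
    rng = random.Random(seed)
    ratios, reissue_wins = [], 0
    for _ in range(trials):
        s = Scenario(
            exposed_cards=rng.randint(10_000, 1_000_000),
            reissue_cost=rng.uniform(3.0, 10.0),       # constructed, USD per card
            p_fraud=rng.uniform(0.005, 0.10),          # constructed
            fraud_cost=rng.lognormvariate(5.0, 0.8),   # constructed, heavy-tailed
        )
        ratio = reissue_cost(s) / wait_cost(s)
        ratios.append(ratio)
        reissue_wins += ratio < 1.0
    ratios.sort()
    return {
        "trials": trials,
        "share_reissue_cheaper": reissue_wins / trials,
        "ratio_p05": ratios[int(0.05 * trials)],
        "ratio_median": statistics.median(ratios),
        "ratio_p95": ratios[int(0.95 * trials)],
    }
```

Calling `simulate(20_000)` reports how often reissuing is the cheaper option under these placeholder ranges and how wide the 5th to 95th percentile spread of the cost ratio is, which is the kind of "considerably broad" range the abstract refers to.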



Published in: ACM Transactions on Internet Technology, Volume 18, Issue 4
Special Issue on Computational Ethics and Accountability, Special Issue on Economics of Security and Privacy and Regular Papers
November 2018, 348 pages
ISSN: 1533-5399
EISSN: 1557-6051
DOI: 10.1145/3210373
Editor: Munindar P. Singh

            Copyright © 2018 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 30 September 2018
• Accepted: 1 July 2017
• Revised: 1 April 2017
• Received: 1 November 2016


            Qualifiers

            • research-article
            • Research
            • Refereed