Data breaches and data system risks
Statement No. 349

The large data breaches at Target and a number of other retail merchants in recent weeks have been viewed in the media as principally a consumer protection concern.  The Shadow Financial Regulatory Committee believes that the issues go far beyond the consumer and threatens the payments system as a whole.  The recent data breaches raise numerous policy issues that extend far beyond this specific incident. There is the potential that Congress will rush to judgment and pass legislation to only expand consumer protections.  But this is not sufficient because such breaches could wreak havoc with retail payments and also move through the payments processing chain.  Vulnerable institutions include not just financial institutions but also retail firms and non-financial businesses that are electronically intertwined and potentially exploitable via the internet.  

The potential for gigantic fraud losses has escalated sharply with the recent explosive growth of the internet, which now provides a potential window into the data of many millions of citizens’ personal information. Remote internet access can enable anyone – even far removed from the United States – to obtain credit and other pertinent information and use that information to steal funds. Experience shows that when such information is compromised, consumers may rationally pull back and request cancellation or reissuance of existing cards, or resort to cash— essentially abandoning the payments system.  Thus, hacker attacks can undermine the integrity of the payment medium and result in additional costs both to firms like Target and to the financial institutions that must resolve the losses, sort out consumer identity problems, and reissue millions of cards. 

There are many points of vulnerability to the payments system, especially since many institutions have outsourced the actual processing and warehousing of data.  This trend in outsourcing is accelerating as more and more businesses move their computing into the cloud, which may or may not embody adequate data encryption procedures. While banks at the end of the payments chain may have very sophisticated methods to identify fraudulent transactions, there are still many points of entry outside of commercial banks through which potential damage can be done. A recent Verizon Business Solutions survey points out that less than 11% of non-financial firms have installed protections that meet minimum industry standards that industry cyber security experts assert are not now sufficient given current hacker technology.

The overarching issues concern risks to the payment system itself and the threat that breached information will be used to commit wholesale electronic theft.  This can threaten the solvency of a major financial institution, such as a bank, an investment bank, an insurance company, or a major non-financial firms whose demise could have huge real side ripple effects to the economy. The risks are further amplified by the complex interrelationships among non-financial business firms, operators of the private-sector payments-transfer infrastructure, and financial firms. If confidence in electronic payments systems can’t be trusted, large efficiency losses would result.

Given the magnitude of the damage that data breaches could inflict on the US financial infrastructure, what should be done? Because of the potential for systemic risk, the Shadow Financial Regulatory Committee concludes that the issues should be addressed and given a high priority by policy makers including, perhaps, the Financial Stability Oversight Council (FSOC).  Policy makers need to identify the potential risks, recommend improvements in security measures that financial and nonfinancial firms should make, propose loss-sharing rules to eliminate uncertainty and costly litigation, review and make recommendations to modernize federal rules concerning debt and credit protocols, and consider what efforts should be undertaken internationally to curb unscrupulous use of the internet.

Also Visit
AEIdeas Blog The American Magazine

What's new on AEI

AEI Election Watch 2014: What will happen and why it matters
image A nation divided by marriage
image Teaching reform
image Socialist party pushing $20 minimum wage defends $13-an-hour job listing
AEI on Facebook
Events Calendar
  • 20
  • 21
  • 22
  • 23
  • 24
Monday, October 20, 2014 | 2:00 p.m. – 3:30 p.m.
Warfare beneath the waves: The undersea domain in Asia

We welcome you to join us for a panel discussion of the undersea military competition occurring in Asia and what it means for the United States and its allies.

Tuesday, October 21, 2014 | 8:30 a.m. – 10:00 a.m.
AEI Election Watch 2014: What will happen and why it matters

AEI’s Election Watch is back! Please join us for two sessions of the longest-running election program in Washington, DC. 

Wednesday, October 22, 2014 | 1:00 p.m. – 2:30 p.m.
What now for the Common Core?

We welcome you to join us at AEI for a discussion of what’s next for the Common Core.

Event Registration is Closed
Thursday, October 23, 2014 | 10:00 a.m. – 11:00 a.m.
Brazil’s presidential election: Real challenges, real choices

Please join AEI for a discussion examining each candidate’s platform and prospects for victory and the impact that a possible shift toward free-market policies in Brazil might have on South America as a whole.

Event Registration is Closed
No events scheduled this day.
No events scheduled this day.
No events scheduled this day.
No events scheduled this day.