Data breaches and data system risks
Statement No. 349

The large data breaches at Target and a number of other retail merchants in recent weeks have been viewed in the media as principally a consumer protection concern.  The Shadow Financial Regulatory Committee believes that the issues go far beyond the consumer and threatens the payments system as a whole.  The recent data breaches raise numerous policy issues that extend far beyond this specific incident. There is the potential that Congress will rush to judgment and pass legislation to only expand consumer protections.  But this is not sufficient because such breaches could wreak havoc with retail payments and also move through the payments processing chain.  Vulnerable institutions include not just financial institutions but also retail firms and non-financial businesses that are electronically intertwined and potentially exploitable via the internet.  

The potential for gigantic fraud losses has escalated sharply with the recent explosive growth of the internet, which now provides a potential window into the data of many millions of citizens’ personal information. Remote internet access can enable anyone – even far removed from the United States – to obtain credit and other pertinent information and use that information to steal funds. Experience shows that when such information is compromised, consumers may rationally pull back and request cancellation or reissuance of existing cards, or resort to cash— essentially abandoning the payments system.  Thus, hacker attacks can undermine the integrity of the payment medium and result in additional costs both to firms like Target and to the financial institutions that must resolve the losses, sort out consumer identity problems, and reissue millions of cards. 

There are many points of vulnerability to the payments system, especially since many institutions have outsourced the actual processing and warehousing of data.  This trend in outsourcing is accelerating as more and more businesses move their computing into the cloud, which may or may not embody adequate data encryption procedures. While banks at the end of the payments chain may have very sophisticated methods to identify fraudulent transactions, there are still many points of entry outside of commercial banks through which potential damage can be done. A recent Verizon Business Solutions survey points out that less than 11% of non-financial firms have installed protections that meet minimum industry standards that industry cyber security experts assert are not now sufficient given current hacker technology.

The overarching issues concern risks to the payment system itself and the threat that breached information will be used to commit wholesale electronic theft.  This can threaten the solvency of a major financial institution, such as a bank, an investment bank, an insurance company, or a major non-financial firms whose demise could have huge real side ripple effects to the economy. The risks are further amplified by the complex interrelationships among non-financial business firms, operators of the private-sector payments-transfer infrastructure, and financial firms. If confidence in electronic payments systems can’t be trusted, large efficiency losses would result.

Given the magnitude of the damage that data breaches could inflict on the US financial infrastructure, what should be done? Because of the potential for systemic risk, the Shadow Financial Regulatory Committee concludes that the issues should be addressed and given a high priority by policy makers including, perhaps, the Financial Stability Oversight Council (FSOC).  Policy makers need to identify the potential risks, recommend improvements in security measures that financial and nonfinancial firms should make, propose loss-sharing rules to eliminate uncertainty and costly litigation, review and make recommendations to modernize federal rules concerning debt and credit protocols, and consider what efforts should be undertaken internationally to curb unscrupulous use of the internet.

Also Visit
AEIdeas Blog The American Magazine

What's new on AEI

Defeating ISIS: AEI experts weigh-in before the president’s address on Wednesday
image Degrading, defeating, and destroying the Islamic State
image Wealth Building Home Loan: Building wealth through homeownership and retirement savings
image The $3 iPhone
AEI on Facebook
Events Calendar
  • 15
  • 16
  • 17
  • 18
  • 19
Tuesday, September 16, 2014 | 5:00 p.m. – 6:00 p.m.
The Constitution as political theory

Please join us for the third-annual Walter Berns Constitution Day Lecture as James Ceasar, Harry F. Byrd Professor of Politics at the University of Virginia, explores some of the Constitution’s most significant contributions to political theory, focusing on themes that have been largely unexamined in current scholarship.

Wednesday, September 17, 2014 | 8:10 a.m. – Thursday, September 18, 2014 | 1:30 p.m.
Third international conference on housing risk: New risk measures and their applications

We invite you to join us for this year’s international conference on housing risk — cosponsored by the Collateral Risk Network and AEI International Center on Housing Risk — which will focus on new mortgage and collateral risk measures and their applications.

Event Registration is Closed
Thursday, September 18, 2014 | 2:15 p.m. – 3:00 p.m.
Speaker of the House John Boehner on resetting America’s economic foundation

Please join us as Speaker John Boehner (R-OH) delivers his five-point policy vision to reset America’s economy.

Event Registration is Closed
Friday, September 19, 2014 | 9:15 a.m. – 11:00 a.m.
Reforming Medicare: What does the public think?

Please join us as a panel of distinguished experts explore the implications of the report and the consumer role in shaping the future of Medicare.

Event Registration is Closed
No events scheduled this day.
No events scheduled this day.
No events scheduled this day.
No events scheduled this day.