Consumer harm from data breaches is a black box

Data privacy and security concerns are red-hot right now, with near daily headlines about yet another breach. Often missing from the conversation, however, is information about the nature and prevalence of harms consumers actually experience as a result of poorly protected data. We appear to enjoy speculating about what might happen to consumers more than documenting what does and has happened. And yet, there is no better guide to prioritizing remedial action than clear documentation of the consequences of shortcomings, their frequency and their severity.

The Center for Financial Inclusion at Accion, an action-oriented think tank focused on financial inclusion, examines issues around data protection among financial service providers around the world, with an emphasis on those serving the base of the pyramid. From the financial inclusion point of view, we need to understand the financial losses that customers experience — primarily theft and fraud — when data breaches occur.

While we have been able to explore security vulnerabilities by working with the computer scientist Patrick Traynor of the University of Florida, we have found it more difficult to find good data on the consumer side. How often do consumers experience theft and fraud, how harmful are these events to consumers and financial institutions when they do occur, and how do they relate to security lapses or poor policies among financial institutions and their regulators? Without this data, we as a sector can only view part of the problem. We are unable to analyze the link between security system measures and actual consumer harm. It’s as though we have lost the car keys but are only able to look for them under the streetlight.

It sounds overly simplistic to say that a data breach leads to negative consequences only when those who obtain personal information actually use it. But while the breach of data from millions of bank accounts makes front-page news, we know startlingly little about the number of uses of those identities or the amounts of money lost. One estimate of incidence comes from the Identity Theft Resource Center, a nonprofit dedicated to assisting victims. It cites 1.6 billion record breaches since 2005, but only 16.7 million identity theft victims. A quick hallway poll of my own colleagues revealed many experiences of fraud, generally through idiosyncratic events rather than massive ones, underlining the fact that hackers and fraudsters tend to rip people off quietly and often individually. When this happens, victims themselves may not know how or when their personal data was tapped. As an industry, we are short of information about the pathways hackers use to turn data breaches into monetary thefts.

Where could the industry begin to gather this information?

Cybercrimes units among law enforcement agencies undoubtedly have a great deal of information about the incidence of theft resulting from fraudulent uses of personal data. In theory, their financial forensics can work backward from a monetary theft to the data breach that made it possible. But we need to ensure that such units address losses by ordinary consumers and not just big ticket white collar crimes. We also need to ensure that law enforcement knowledge translates into useful advice for financial institutions and regulators.

Large banks and major card providers also have masses of relevant information and expertise. They have invested enormous resources over decades to identify and cope with fraud, creating fraud detection systems and workforces dedicated to assisting customers who are victims, and they still write off millions of faulty transactions. While it may be expensive, that very investment is a major source of their business success: It makes it possible for consumers to trust that when their credit card information is stolen, they will not be liable. But what about smaller financial institutions and new market entrants that cannot afford the sophistication of major card providers? They need to know more about how consumers experience fraud and theft. It would be valuable for the regulators, researchers and industry associations that monitor the financial sector and have a stake in its success to gather more systematic demand-side research to document these consumer experiences — and that information needs to be publicly available so that financial service providers and their consumers can benefit from it.

These recommendations are a starting point to better inform consumers and the financial services industry about the risks associated with data breaches, and how they can be prevented and addressed. Better information on the incidence and severity of consumer harms can enable financial service providers and policymakers to weigh trade-offs between data protection investments and the risks associated with incomplete protection. As a result, they can target remedial actions more effectively, avoiding both over-spending and running unacceptable risks — with better outcomes for consumers.