Payments Security: As Strong as the Weakest Link: Each Year, Millions of Americans Fall Victim to Identity Theft Because of Data Breaches. Several Economists Discuss the Payments Industry's Vulnerability to Breaches and Also Give Advice on Increasing Security

Article excerpt

Imagine receiving your monthly credit card statement and cautiously reviewing it as you do every month. But this time, as your eyes scan down the page, some of the purchases are unfamiliar. An entry for $532.78 at Barneys New York? Over $700 spent at NeimanMarcus.com? Your pulse quickens. You never visited these sites! You begin to panic as you realize that someone with extravagant fashion taste has stolen your credit card information. Along with the millions of Americans each year whose identities are stolen, you have been the victim of a data breach. (See the table for a yearly breakdown of exposed information records.)

Several major data breaches occurred in the first half of 2011 alone. In one breach that lasted from February through May, thieves tampered with PIN pads at Michaels Stores across the country. When the company finally discovered the breach, it had to replace 72,000 devices. In another incident, this one made public in April, Sony had to shut down its PlayStation Network when it discovered that personal data had been stolen from more than 77 million accounts. Given the unprecedented magnitude of this pilfered data, consumers and politicians fiercely criticized Sony for failing to disclose the breach until almost a week after learning of the incident.

Data breaches like these are becoming a disturbingly common feature of today's headlines, yet the experts still cannot calculate with any reasonable confidence their ultimate cost. It may be some time yet before it is possible to estimate the full extent of the financial losses from these breaches, as the stolen data work through the criminal supply chains that buy, sell, and use personal information for fraudulent purposes.

Meanwhile, what makes the payments industry vulnerable to fraud? What steps can the industry take to protect your data? Economists may be able to supply some of the answers.

Annual U.S. Data Breaches

Year     Data breaches  Number of records exposed
2007     446            127,717,243
2008     656             35,691,255
2009     498            222,477,043
2010     662             16,167,542
Q1 2011  112              5,460,925

Source: Identity Theft Resource Center

The externalities of personal data collection

According to Will Roberds, a research economist and senior policy adviser at the Federal Reserve Bank of Atlanta, personal data collection creates some consequences--or "externalities," in the parlance of economics--in the normal course of enabling consumer payments. An externality is an unintended side effect of a transaction imposed on those who are not party to the transaction. A positive externality, for example, is when your neighbors plant a rose garden for their own benefit, but you also benefit because you enjoy the beauty and fragrance of the flowers whenever you walk by their yard.

On the other side of the spectrum, Roberds says, is the negative externality that banks and other payments providers create whenever they verify payer identities by collecting personal data. "As more and more of that data is assembled and it becomes more and more extensive," says Roberds, "it becomes a [broad] target for theft by talented individuals who are able to access that data, use that [data] to construct pseudo-identities that allow them to illegitimately purchase goods and services, and thereby impose costs on everyone else who's working within the credit system." Because the banks and payments providers do not bear the full cost of this criminal activity--they cannot reimburse victims for time spent dealing with identity theft, for example, nor for damaged reputations--they collect more personal data than they really have to. This over-collection of data continues in part because there are so many different entities active in the payments system, making coordination difficult among the diverse parties. …