Should Credit Card Issuers Reissue Cards in Response to a Data Breach?: Uncertainty and Transparency in Metrics for Data Security Policymaking

Published: 30 September 2018

Abstract

When card data is exposed in a data breach but has not yet been used to attempt fraud, the overall social costs of that breach depend on whether the financial institutions that issued those cards immediately cancel them and issue new cards or instead wait until fraud is attempted. This article empirically investigates the social costs and benefits of those options. We use a parameterized model and Monte Carlo simulation to compare the cost of reissuing cards to the total expected cost of fraud if cards are not reissued. The ranges and distributions in our model are informed by publicly available information, from which we extrapolate estimates of the number of credit card records historically exposed in data breaches, the probability that a card exposed in a breach will be used for fraud, and the associated expected cost of existing-account credit card fraud. We find that automatically reissuing cards may have lower social costs than the costs of waiting until fraud is attempted, although the range of results is considerably broad.
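The comparison the abstract describes, as an added illustration that is not the authors' model: each run draws a per-card reissue cost, a probability that an exposed card is used for fraud and a cost per fraudulent use, then compares the cost of reissuing every exposed card with the expected cost of waiting. The ranges, the uniform sampling and the per-card cost structure are all assumptions for this example, not values from the paper.

```python
import random
import statistics

# Assumed, illustrative model (not the paper's parameters): every exposed card
# costs the same to reissue; if it is not reissued it is used for fraud with
# probability p_fraud, incurring cost_per_fraud. Ranges are sampled uniformly.

def sample_cost_difference(rng, cards_exposed, reissue_cost_range,
                           fraud_prob_range, fraud_cost_range):
    """One Monte Carlo draw of (cost of reissuing) - (expected cost of waiting).
    Negative means automatic reissue is the cheaper policy for that draw."""
    reissue_per_card = rng.uniform(*reissue_cost_range)
    p_fraud = rng.uniform(*fraud_prob_range)
    cost_per_fraud = rng.uniform(*fraud_cost_range)
    cost_reissue = cards_exposed * reissue_per_card
    cost_wait = cards_exposed * p_fraud * cost_per_fraud
    return cost_reissue - cost_wait


def run_simulation(n_runs=10_000, seed=1, cards_exposed=1_000_000,
                   reissue_cost_range=(3.0, 10.0),    # $ per card, assumed
                   fraud_prob_range=(0.01, 0.20),     # P(card used for fraud), assumed
                   fraud_cost_range=(50.0, 500.0)):   # $ per fraudulent use, assumed
    """Compare the two policies over n_runs draws and summarise the spread."""
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    diffs = sorted(
        sample_cost_difference(rng, cards_exposed, reissue_cost_range,
                               fraud_prob_range, fraud_cost_range)
        for _ in range(n_runs)
    )
    return {
        # share of draws in which reissuing costs less than the expected fraud
        "share_reissue_cheaper": sum(d < 0 for d in diffs) / n_runs,
        # 5th, 50th and 95th percentile of the cost difference, to show the spread
        "p05_diff": diffs[int(0.05 * (n_runs - 1))],
        "median_diff": statistics.median(diffs),
        "p95_diff": diffs[int(0.95 * (n_runs - 1))],
    }


if __name__ == "__main__":
    result = run_simulation()
    print(f"reissue cheaper in {result['share_reissue_cheaper']:.1%} of runs")
    print("5th/50th/95th percentile of (reissue - wait): "
          f"{result['p05_diff']:,.0f} / {result['median_diff']:,.0f} / "
          f"{result['p95_diff']:,.0f}")
```

The width between the 5th and 95th percentile is the "considerably broad" range the abstract refers to; narrowing the input ranges is what narrows it.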

Published In

ACM Transactions on Internet Technology, Volume 18, Issue 4
Special Issue on Computational Ethics and Accountability, Special Issue on Economics of Security and Privacy and Regular Papers
November 2018
348 pages
ISSN:1533-5399
EISSN:1557-6051
DOI:10.1145/3210373
  • Editor: Munindar P. Singh
Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 September 2018
Accepted: 01 July 2017
Revised: 01 April 2017
Received: 01 November 2016
Published in TOIT Volume 18, Issue 4

Author Tags

  1. Economics of information security
  2. Monte Carlo
  3. data breach
  4. estimation
  5. identity theft

Qualifiers

  • Research-article
  • Research
  • Refereed

Funding Sources

  • DHS
  • NSF IGERT

Cited By

  • (2024) Optimization Exploration of Digital Identity Authentication Algorithm Based on Blockchain. Applied Mathematics and Nonlinear Sciences 9:1. DOI 10.2478/amns-2024-1704. Online publication date: 5-Jul-2024.
  • (2023) Research on the influence of new media on the ideological and political education of college students in the background of the Internet and countermeasures. Applied Mathematics and Nonlinear Sciences 9:1. DOI 10.2478/amns.2023.2.00060. Online publication date: 19-Jul-2023.
  • (2023) Knacks of a hybrid anomaly detection model using deep auto-encoder driven gated recurrent unit. Computer Networks: The International Journal of Computer and Telecommunications Networking 226:C. DOI 10.1016/j.comnet.2023.109681. Online publication date: 26-Apr-2023.
  • (2021) Political ideology moderates consumer response to brand crisis apologies for data breaches. Computers in Human Behavior 121:C. DOI 10.1016/j.chb.2021.106801. Online publication date: 1-Aug-2021.
  • (2020) Boosting algorithms for network intrusion detection: A comparative evaluation of Real AdaBoost, Gentle AdaBoost and Modest AdaBoost. Engineering Applications of Artificial Intelligence 94 (103770). DOI 10.1016/j.engappai.2020.103770. Online publication date: Sep-2020.
