The recent disclosures by Target and Neiman Marcus of the theft of millions of customers’ credit and debit card information and related personal information raise many public policy issues, stretching far beyond the immediate incidents that need to be addressed. At their core is the need to ensure the integrity of the nation’s payment system in the digital age, when not only financial institutions but also retail and other businesses are electronically intertwined and potentially exploitable via the internet.
Unfortunately, most of the legal and regulatory structure in this area is geared to the 1960s version of how people made payments. Credit card transactions were essentially paper-based, as were checks. Merchants cleared and settled credit card transactions through processors and the credit card companies (large batch files were then delivered to banks), and paper checks were cleared between banks in local clearinghouses or through the Federal Reserve. Now paper checks are on the decline, and there are essentially no substantive differences between how credit card and debit card transactions are initiated (transactions take place at the same point-of-sale terminals), accepted or processed, except for minor differences such as requiring a pin number in some cases for a debit card transaction. Additionally, now that checks are being truncated at the point of sale or being digitized as part of the clearing process, they too become electronically based and potentially hackable. As a consequence, virtually all transactions are now electronically based or are quickly converted from paper into electronic form. Consumer transactions at the point of sale are typically authorized in real time; holds are placed on accounts at banks; and merchants and businesses accumulate the actual transactions data throughout the day, which are then bulk transferred electronically to the bank or intermediate processor.
Despite the functional and technical similarities between credit and debt cards, there are in fact different customer liability rules for each because they evolved separately and historically were processed in different ways. For credit cards, consumers are liable for only the first $50 of unauthorized transactions, and there is no liability if the transaction takes place over the internet. In the internet credit card transaction no physical card is presented to the seller and the collected information is very much like that taken from Target. It is already clear that some of the information stolen from Target has been used on the internet. Perpetrators first make a small transaction, which, if successful, is quickly followed with attempts at larger purchases.
In contrast to credit cards, there is a sliding liability scale for debit cards, depending upon how quickly a consumer notifies his or her bank of a lost card. There is no liability if the bank is notified immediately and no unauthorized transactions have taken place; there is a $50 liability if the customer notifies the bank within two business days; there is a $500 liability if the bank is notified after two days but within 60 days, and unlimited liability thereafter. Despite the legal differences between credit and debit cards, some banks have waived some or all of these provisions; but in the Target case, only a few banks have reissued cards and deactivated en masse the accounts that had been compromised. Note that the customer’s legal liability is based upon what the customer does or does not do if a card is lost. Liability typically stops once the card loss is reported to the bank.
In the Target and Neiman Marcus situations, cards weren’t lost; customers didn’t know that their identities and card information had been breached, so they clearly face no liability for unauthorized transactions. As such, the main consumer issues in this case center on the prospective problems that result from stolen key identity information, not on liability for unauthorized transactions. Consumers will surely incur the inconvenience costs of closely monitoring their accounts, reporting unauthorized transactions, and dealing the uncertainty of when and how the stolen information may be used, if not immediately, then perhaps sometime in the future.
When such thefts occur, the current applicable legal and investigatory responsibilities are fragmented. At the federal level, the investigatory authority lies with the Secret Service, which is responsible for counterfeiting, financial fraud, and internet fraud, although the FBI sometimes gets involved as well. Prosecutory decisions, however, are decentralized and lie with the various US states attorneys general; and because of resource constraints, few cases are actually brought to a grand jury. This problem alone means that the risks that perpetrators incur by engaging in such activity are relatively low, even if the perpetrators are caught.
In addition to the Secret Service, local authorities can also be involved. The classic example was the 2004 theft of data from ChoicePoint, a Georgia company that provided data aggregation of confidential personal information that was then sold to businesses. In September 2004 the company discovered the theft of data in Southern California. The company reported the theft to local authorities, as it was required to do under California state law; but ChoicePoint did not disclose the theft to the individuals whose data had been taken. In fact, local law enforcement officials told ChoicePoint not to notify customers because of its ongoing investigation. It wasn’t until February 2005 that notification began, and the initial notifications were expanded significantly in response to public outrage. The total number of accounts was small by today’s standards, amounting to about 135,000.
What should have been clear is that the ChoicePoint theft raised broader concerns than those perceived by local Southern California law officials. Moreover, the crime was not one in which local law enforcement officials had particular expertise. Finally, since ChoicePoint was a Georgia company and operated across state lines, the breach was also investigated by the FTC, the SEC, and several US states attorneys general. What presented itself was a situation involving multiple overlapping legal authorities, some with little expertise in payments or problems related to identity theft, few resources for enforcement, and no overarching law governing what was clearly a national incident because of the scope of the loss exposure. Consumers were left to their own devices not only with regard to becoming informed but also with regard to re-establishing their identities.
More recently, firms involved in the payments processing business have even begun to purchase insurance against such breaches. However, sometimes insurance can cover only a small portion of the losses. In the case of the 2012 data breach experienced by Global Payments, Inc., the theft of data for somewhere between 1 million and 7 million cards has already cost the company $93 million; and as of January 2013, Global Payments expected to incur another $25 to $35 million in costs through 2013. Insurance covered only about $28 million of the losses. If the Global Payments breach in fact involved 7 million cards, then by analogy the losses in the Target case might reach 10 times or more the amount incurred by Global Payments.
The potential for mega fraud losses has escalated sharply with the recent explosion of the internet, which now provides a potential window into the data of millions and millions of citizens’ personal information. Such remote access can enable anyone — even far removed from the United States — to obtain credit and other pertinent information and use that information to steal funds. The experience of Target shows that, when such information is compromised, consumers will quickly stop transacting business at that enterprise and request cancellation and reissuance of their credit and debit cards — another form of a run on the payments system.
Consumer reactions can not only undermine the integrity of the payment medium but also create additional costs, not only to firms like Target but to the financial institutions that must deal with the losses, sort out consumer identity problems, and reissue millions of cards. Indeed, because of the data linkages between nonfinancial and financial institutions, a data theft and subsequent exploitation holds the potential to threaten the solvency of a financial institution if the resulting unauthorized transactions are large and concentrated. To date, these vulnerabilities have not been the focus of bank examiners or of those concerned with systemic risk. These recent thefts point to the vulnerability of the present system and to the systemic linkages that exist across both non-bank financial institutions and banks.
When such breaches occur, the allocation of losses becomes critical. Presently, loss allocation is confusing and only imperfectly defined as far as consumers are concerned and is not defined at all for non-financial businesses like they are for banks and credit card companies under current law or federal regulations. Indeed, while the Consumer Financial Protection Bureau has wide regulatory responsibility for consumer credit cards, it has no similar authority over business cards.
In terms of losses to businesses from data breaches, there may or may not be agreements between counterparties, but the already publicized disputes between Target and banks suggest there were not. To protect their business models, many banks are covering all consumer losses, even though they are not required to do so by law, in an attempt to insure the integrity of payments. But how much of the banks’ losses will ultimately be forced on Target or Neiman Marcus is uncertain. Already there are contentious disagreements over who owes whom for what, and one can envision a raft of class action suits by customers and financial institutions alike. Some have already been filed. For investors, this situation represents a heretofore unappreciated risk, seemingly unrelated to the core business of the enterprise. Financial institutions that incurred losses must now turn to the courts for redress (unless existing contracts had anticipated such problems), which is a lengthy and costly process.
The points of vulnerability are many, especially since many institutions have outsourced the actual processing and warehousing of data, and this trend is accelerating as more and more businesses move their computing into the cloud. Indeed, there are many potential weak links, beginning with the consumer at his or her desktop and extending to large businesses and merchants who collect and aggregate transactions data for deferred processing and maintain customer information, to payments intermediaries like Paypal, to specialized exchanges and automated clearinghouses for data, and finally, to banks themselves. Indeed, the littered trail along which people have left payments information covers a wide range of business from retailers, to airlines to online stores to car rental companies — the list is very large. So, while banks at the end of the chain may have very sophisticated methods to identify fraudulent transactions, there are still many points of entry through which potential damage can be done; thus the vulnerabilities are great.
The Target breach raises many policy issues that extend far beyond this specific incident. The risk is that Congress — which has already indicated it will hold hearings on the breach — will rush to judgment and pass legislation to protect consumers without full appreciation or consideration of the broader issues. Indeed, the most significant issues are not related to consumers at this point. Consumers are essentially protected from loss, although not from inconvenience due to uncertainty, loss of ability to use their cards, and concern about other unauthorized use of their information.
The overarching issues concern threats to the payment system itself and the risks that breached information will be used to commit wholesale electronic theft that might threaten the solvency of a major financial institution, be it a bank, investment bank, insurance company, etc. Additionally, such insolvency could have systemic implications for the financial system as a whole. The systemic risks are further amplified by the complex interrelationships among traditional business firms, operators of the private-sector payments-transfer infrastructure, and financial firms. A hack of customer data held by a nonfinancial firm or payments processor could result in losses that can quickly bleed over into the financial system if data are compromised and transactions are initiated and consummated before the breach is discovered or reported. While this scenario may sound farfetched to some, major US corporations accumulate and store huge volumes of transactions and personal information; and it is not clear that they have the same kinds of fraud detection and protections as major financial institutions do. Additionally, these firms engage in significant cash management activities that involve the financing of short-term holdings of assets that are rolled over frequently. If those rollovers were disrupted or suddenly diverted by an outside compromise of the company’s computer resources, those flows could generate significant risks for financial institutions involved in those financings. It goes without saying that small community and regional banks are likely to be even more vulnerable since they can’t afford the sophisticated systems that large institutions have installed. Perhaps even more fundamental is the risk that, should their data be compromised, the public will lose confidence in the electronic payment systems, which would represent a huge shock to the financial system. Lastly, we can’t minimize the threat that terrorists or a rogue foreign government might intentionally breach a financial or nonfinancial institution’s systems and cause its collapse.
Given the magnitude of the potential damage that data breaches could visit on the US financial infrastructure, the question is, what should be done? Obviously, before any legislative actions are taken, the issues and risks need to be clearly identified. One logical step toward that end would be to convene another fact-finding and study commission along the lines of the 1970s Hunt Commission (Electronic Funds Commission) to gauge the dimensions of the problem. The commission should be charged with identifying potential risks, recommending changes in security measures that financial and nonfinancial firms should make, considering what role the Federal Reserve should play (because of its current involvement in electronic payments and large scale funds transfer systems like Fed Wire), proposing loss-sharing rules to eliminate uncertainty and costly litigation, reviewing and making recommendations to modernize federal rules regarding debt and credit transactions, and considering what efforts should be undertaken internationally to curb unscrupulous use of the internet. In fact, given that there is already more than one internet, the commission should consider the feasibility of creating a separate commercial internet with limited and supervised access, like a restricted access toll road. The commission should be broadly representative and include participants from a wide range of banks, retailers, internet-reliant companies, including the large players like Amazon, Google, Apple, etc., and perhaps even representatives from the NSA (an agency that certainly knows how to penetrate and hack systems). The issues are many, deep, and far-reaching and can only be suggested here. But as a nation we should be proactive and seize the opportunity to address the issues now in order to reduce potentially grave vulnerabilities.
From the perspective of investors, as mentioned previously, the Target episode certainly will result in losses, and lawsuits have already been filed. Target’s stock price dropped 4 points after the true scope and nature of the data breaches were revealed. Processors and data partners of Target will surely also face similar litigation and losses. The event highlights a risk that clearly has not been on investors’ minds. Such uncertainty implies more volatility, especially for the more vulnerable segments of the payments process and infrastructure.
