How Do Cyberattacks Hurt Me? (2018-2019)

Background

Data breaches and computer hacks are occurring at an alarming pace, exposing consumers’ financial information—as well as other information—to misappropriation. Where does this data go? Why do we feel so exposed and vulnerable? Should we care, especially in light of the fact that we voluntarily turn over personal data to social media firms and financial institutions anyway? How do we describe the harms, and how do we find data that can document such harm? Little has been done to begin to analyze this inchoate form of anxiety as it pertains in particular to personal financial data.

One way to begin to assess harm is to consider “evidence of harm,” which is a term that has been deployed in other contexts and disciplines. Indeed, “evidence of harm” is a term of art coming from methodologies employed in different legal and policy realms. One useful policy realm is environmental policy.

Looking to the example of environmental policy sheds light on understanding the harms that occur from a misappropriation of financial data because of at least one similar feature: in both the environmental context and the financial context, parts of the harm are experienced further out in time from the original event, making the causal connection to the original event difficult to discern. As in the case of an environmental contaminant whose health and environmental effects may not be exhibited until many years have passed, some of the harms associated with misappropriated financial information—such as the effects on credit scores and the effects of impersonation involved in identity theft—may not exhibit themselves immediately.

Project Description

This Bass Connections project will explore the pathways and articulation of harm from consumer data breaches, particularly as such losses of personal financial information may have effects on our ability to access credit and be full economic citizens. The project’s primary objective is to discern and then depict harms to consumers from financial data breaches, as this knowledge is foundational to discussions regarding optimal policy design and intervention.

The project team will begin by reviewing various significant cyberattacks that involve personal financial information, the pathways through which this information gets transmitted and how the information is utilized by the hackers to harm consumers.

From here, the project team will articulate a list of potential harms and attempt to discern how to measure or consider proxies for the cost of these harms to consumers. Such costs will likely include: the costs involved in monitoring credit reports; the time and money spent attempting to put credit freezes in place; the cost that people incur when they resort to purchasing credit reporting services; the costs associated with adverse credit report actions; and the costs of restoring identity after a theft has led to a misuse of data. Next, team members will use accessible graphics to depict the potential harms.

A subsequent Data+ project in Summer 2019 will translate the graphical depiction into a model that can be utilized by firms and regulators to quantify the harms associated with data breaches, and more broadly understand the risks associated with particular forms of cybersecurity protection.

Anticipated Outcomes

Catalog and summary of consumer data breaches; webpage that contains this information; web-based graphic that depicts the impact of potential harms associated with consumer data breaches

Student Opportunities

Students will learn a variety of qualitative and quantitative research skills. Students will also have the opportunity to communicate their research findings both graphically and in written form on the Global Financial Markets Center’s blog: “The FinReg Blog.”

The team will meet once a week with the potential for additional meetings of team subgroups. In addition to the weekly meetings, team leaders and the graduate student project manager will regularly meet with selected undergraduates for mentorship and collaboration.

The team will include one graduate student serving as project manager and five graduate students and five undergraduates in such fields as computer science, environmental sciences, public policy, engineering, sociology, statistics, law, finance and data science. Some students with skills in graphic design will be necessary.

Students will be evaluated based on their ability to contribute and advocate in a sustained way, help the group move toward the delivery of the graphic, take assigned tasks to completion, be active rather than passive learners and articulate concepts that they had no prior knowledge of before this work.

Timing

Fall 2018 – Spring 2019

  • Fall 2018: Research and catalog major consumer data breaches. Begin to develop a webpage that summarizes this information. Begin to formulate an understanding of how these breaches harm consumers.
  • Spring 2019: Communicate significant findings from work done in the fall in a series of blog posts. Develop the web-based graphical depiction of harm.

Crediting

Independent study credit available for fall and spring semesters

Faculty/Staff Team Members

Sara Greene, Duke Law
Sarah Bloom Raskin, Rubenstein Fellows Academy*
Lee Reiners, Duke Law-Global Financial Markets Center*

Graduate Team Members

Aditya Eranki, Master of Engineering Mgmt-MEG

Undergraduate Team Members

Analese Bridges, Political Science (AB)
Alexandra Fisher, Public Policy Studies (AB), Religion (AB2)
Ethan Heerwagen, Economics (BS)
David Liu, Electrical & Computer Egr (BSE), Computer Science (BS2)
Sabrina Pin
Justin Sherman, Computer Science (BS), Political Science (AB2)
Katherine Whitson, Economics (BS), History (AB2)

* denotes team leader

Status

Active, New