How Do Cyberattacks Hurt Me? (2018-2019)

Background

Data breaches and computer hacks are occurring at an alarming pace, exposing consumers’ financial information—as well as other information—to misappropriation. Where does this data go? Why do we feel so exposed and vulnerable? Should we care, especially in light of the fact that we voluntarily turn over personal data to social media firms and financial institutions anyway? How do we describe the harms, and how do we find data that can document such harm? Little has been done to begin to analyze this inchoate form of anxiety as it pertains in particular to personal financial data.

One way to begin to assess harm is to consider “evidence of harm,” which is a term that has been deployed in other contexts and disciplines. Indeed, “evidence of harm” is a term of art coming from methodologies employed in different legal and policy realms. One useful policy realm is the realm of environmental policy.

Looking to the example of environmental policy sheds light on understanding the harms that occur from a misappropriation of financial data because of at least one similar feature: in both the environmental context and the financial context, parts of the harm are experienced further out in time from the original event, making the causal connection to the original event difficult to discern. As in the case of an environmental contaminant whose health and environmental effects may not be exhibited until many years have passed, some of the harms associated with misappropriated financial information—such as the effects on credit scores and the effects of impersonation involved in identity theft—may not exhibit themselves immediately.

Project Description

This Bass Connections project will explore the pathways and articulation of harm from consumer data breaches, particularly as such losses of personal financial information may have effects on our ability to access credit and be full economic citizens. The project’s primary objective is to discern and then depict harms to consumers from financial data breaches, as this knowledge is foundational to discussions regarding optimal policy design and intervention.

The project team will begin by reviewing various significant cyberattacks that involve personal financial information, the pathways through which this information gets transmitted and how the information is utilized by the hackers to harm consumers.

From here, the project team will articulate a list of potential harms and attempt to discern how to measure or consider proxies for the cost of these harms to consumers. Such costs will likely include: the costs involved in monitoring credit reports; the time and money spent engaged in attempting to put in place credit freezes; the cost that people incur when they resort to purchasing credit reporting services; the costs associated with adverse credit report actions; and the costs of restoring identity after a theft has led to a misuse of data. Next, team members will use accessible graphics to depict the potential harms.

A subsequent Data+ project in Summer 2019 will translate the graphical depiction into a model that can be utilized by firms and regulators to quantify the harms associated with data breaches, and more broadly understand the risks associated with particular forms of cybersecurity protection.

Anticipated Outcomes

Catalog and summary of consumer data breaches; webpage that contains this information; web-based graphic that depicts the impact of potential harms associated with consumer data breaches

Timing

Fall 2018 – Spring 2019

  • Fall 2018: Research and catalog major consumer data breaches. Begin to develop a webpage that summarizes this information. Begin to formulate an understanding of how these breaches harm consumers.
  • Spring 2019: Communicate significant findings from work done in the fall in a series of blog posts. Develop the web-based graphical depiction of harm.
Hand over data

/faculty/staff Team Members

  • Meredith Edelman, Kenan Institute for Ethics
  • Sara Greene, Duke Law
  • Sarah Bloom Raskin, Rubenstein Fellows Academy*
  • Lee Reiners, Duke Law-Global Financial Markets Center*

/graduate Team Members

  • Aditya Eranki, Master of Engineering Mgmt-MEG
  • Mokshada Hemant Mahajan, Master of Engineering Mgmt-MEG
  • Matthew Phillips, Juris Doctor

/undergraduate Team Members

  • Analese Bridges, Political Science (AB)
  • Alexandra Fisher, Public Policy Studies (AB), Religion (AB2)
  • Ethan Heerwagen, Economics (BS)
  • David Liu, Electrical & Computer Egr(BSE), Computer Science (BS2)
  • Sabrina Pin
  • Justin Sherman, Computer Science (BS), Political Science (AB2)
  • Katherine Whitson, Economics (BS), History (AB2)